Merge pull request #18644 from nextcloud/harden/csrf_endpoint

Only allow requesting new CSRF tokens if it passes the SameSite Cooki…
Roeland Jago Douma 2020-01-07 13:43:46 +01:00 committed by GitHub
commit 52e4ecd66e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 1 deletions


@ -28,6 +28,7 @@ namespace OC\Core\Controller;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\IRequest;
@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
* @return JSONResponse
*/
public function index(): JSONResponse {
if (!$this->request->passesStrictCookieCheck()) {
return new JSONResponse([], Http::STATUS_FORBIDDEN);
}
$requestToken = $this->tokenManager->getToken();
return new JSONResponse([
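Review bot: The docblock above index() still reads only `@return JSONResponse` and says nothing about the new rejection path, so a caller reading the API has no indication that a request failing the strict SameSite cookie check now gets an empty body with `Http::STATUS_FORBIDDEN`. I would extend the docblock with a line such as `Returns 403 with an empty body when the request does not pass the strict SameSite cookie check, so a cross-site request cannot obtain a fresh token.` The check is placed before `$this->tokenManager->getToken()`, which is the right order: a rejected request never causes a token to be minted. The body of index() continues past the end of this hunk.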


@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
$this->tokenManager);
}
public function testGetToken() {
public function testGetToken(): void {
$this->request->method('passesStrictCookieCheck')->willReturn(true);
$token = $this->createMock(CsrfToken::class);
$this->tokenManager->method('getToken')->willReturn($token);
$token->method('getEncryptedValue')->willReturn('toktok123');
@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
], $response->getData());
}
public function testGetTokenNoStrictSameSiteCookie(): void {
$this->request->method('passesStrictCookieCheck')->willReturn(false);
$response = $this->controller->index();
$this->assertInstanceOf(JSONResponse::class, $response);
$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
}
}
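Review bot: testGetTokenNoStrictSameSiteCookie asserts only the status code; it does not pin the property the hardening is meant to guarantee, namely that the controller never asks the token manager for a token when the cookie check fails. Adding `$this->tokenManager->expects($this->never())->method('getToken');` before calling `index()`, and `$this->assertSame([], $response->getData());` after the status assertion, would make a regression that still minted a token (or leaked one in the body) fail the test rather than pass it. The same applies to testGetToken, where the `getToken` stub could use `expects($this->once())` to document that exactly one token is produced on the success path.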