Merge branch 'sw-26662/thorw-csrf-exception' into '5.7'

SW-26662 - throw csrf exception

See merge request shopware/5/product/shopware!800

Author: PascalThesing

engine/Shopware/Components/CSRFTokenValidator.php

@@ -161,6 +161,7 @@ public function checkFrontendTokenValidation(Enlight_Event_EventArgs $args)
         }
 
         if (!$this->checkRequest($request, $response)) {
+            $this->regenerateToken($request, $response);
             throw new CSRFTokenValidationException(sprintf('The provided X-CSRF-Token for path "%s" is invalid. Please go back, reload the page and try again.', $request->getRequestUri()));
         }
 
@@ -199,15 +200,17 @@ private function checkRequest(Request $request, Response $response): bool
 
         $token = $this->container->get('session')->get($name);
 
-        $requestToken = $request->get(self::CSRF_TOKEN_ARGUMENT, $request->headers->get(self::CSRF_TOKEN_HEADER));
+        if (!\is_string($token)) {
+            return false;
+        }
 
-        $isValidToken = hash_equals($token, $requestToken);
+        $requestToken = $request->get(self::CSRF_TOKEN_ARGUMENT, $request->headers->get(self::CSRF_TOKEN_HEADER));
 
-        if (!$isValidToken) {
-            $this->regenerateToken($request, $response);
+        if (!\is_string($requestToken)) {
+            return false;
         }
 
-        return $isValidToken;
+        return hash_equals($token, $requestToken);
     }
 
     /**

tests/Functional/Components/CSRFTokenValidatorTest.php

@@ -85,6 +85,7 @@ public function testFrontendTokenIsValid(): void
 
         $tokenValidator->checkFrontendTokenValidation($enlightEventArgs);
 
+        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
         static::assertTrue($incomingRequest->getAttribute('isValidated'));
     }
 
@@ -114,8 +115,60 @@ public function testFrontendTokenValidationThrowsError(): void
             static::assertInstanceOf(CSRFTokenValidationException::class, $e);
         }
 
+        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
         static::assertNotEquals($token, $this->getContainer()->get('session')->get('__csrf_token-1'));
     }
+
+    public function testCsrfExceptionIsThrownWhenNoSession(): void
+    {
+        $tokenValidator = $this->getContainer()->get(CSRFTokenValidator::class);
+        $this->getContainer()->get(ContextServiceInterface::class)->createShopContext(1);
+
+        $controller = new MockController();
+        $incomingRequest = new Enlight_Controller_Request_RequestTestCase();
+        $incomingResponse = new Enlight_Controller_Response_ResponseTestCase();
+        $incomingRequest->setActionName(self::EXISTING_ACTION_NAME);
+        $incomingRequest->setParam(CSRFTokenValidator::CSRF_TOKEN_ARGUMENT, 'NOT_FITTING');
+        $controller->setRequest($incomingRequest);
+        $controller->setResponse($incomingResponse);
+        $enlightEventArgs = new Enlight_Event_EventArgs([
+            'subject' => $controller,
+        ]);
+
+        try {
+            $tokenValidator->checkFrontendTokenValidation($enlightEventArgs);
+        } catch (Throwable $e) {
+            static::assertInstanceOf(CSRFTokenValidationException::class, $e);
+        }
+
+        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
+    }
+
+    public function testCsrfExceptionIsThrownWhenNoRequestCsrfIsSet(): void
+    {
+        $tokenValidator = $this->getContainer()->get(CSRFTokenValidator::class);
+        $this->getContainer()->get(ContextServiceInterface::class)->createShopContext(1);
+        $createRequest = new Enlight_Controller_Request_RequestTestCase();
+        $createResponse = new Enlight_Controller_Response_ResponseTestCase();
+        $tokenValidator->regenerateToken($createRequest, $createResponse);
+
+        $controller = new MockController();
+        $incomingRequest = new Enlight_Controller_Request_RequestTestCase();
+        $incomingResponse = new Enlight_Controller_Response_ResponseTestCase();
+        $controller->setRequest($incomingRequest);
+        $controller->setResponse($incomingResponse);
+        $enlightEventArgs = new Enlight_Event_EventArgs([
+            'subject' => $controller,
+        ]);
+
+        try {
+            $tokenValidator->checkFrontendTokenValidation($enlightEventArgs);
+        } catch (Throwable $e) {
+            static::assertInstanceOf(CSRFTokenValidationException::class, $e);
+        }
+
+        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
+    }
 }
 
 class MockController extends Enlight_Controller_Action implements CSRFGetProtectionAware