oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-06-27 16:36:00 +00:00
Code Wiki Activity

Use 400 Bad Request errors for invalid CSRF everywhere

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-23 22:12:08 +01:00
parent 5ea5115a72
commit 677b2986bc
4 changed files with 11 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/Wallabag/ApiBundle/Controller/DeveloperController.php
View file

@ -7,6 +7,7 @@ use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route; use Symfony\Component\Routing\Annotation\Route;
use Symfony\Contracts\Translation\TranslatorInterface; use Symfony\Contracts\Translation\TranslatorInterface;
use Wallabag\ApiBundle\Entity\Client; use Wallabag\ApiBundle\Entity\Client;
@ -76,7 +77,7 @@ class DeveloperController extends AbstractController
public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
{ {
if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) { if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {

14
src/Wallabag/CoreBundle/Controller/ConfigController.php
View file

@ -263,7 +263,7 @@ class ConfigController extends AbstractController
public function disableOtpEmailAction(Request $request) public function disableOtpEmailAction(Request $request)
{ {
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$user = $this->getUser(); $user = $this->getUser();
@ -287,7 +287,7 @@ class ConfigController extends AbstractController
public function otpEmailAction(Request $request) public function otpEmailAction(Request $request)
{ {
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$user = $this->getUser(); $user = $this->getUser();
@ -314,7 +314,7 @@ class ConfigController extends AbstractController
public function disableOtpAppAction(Request $request) public function disableOtpAppAction(Request $request)
{ {
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$user = $this->getUser(); $user = $this->getUser();
@ -340,7 +340,7 @@ class ConfigController extends AbstractController
public function otpAppAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator) public function otpAppAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator)
{ {
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$user = $this->getUser(); $user = $this->getUser();
@ -399,7 +399,7 @@ class ConfigController extends AbstractController
public function otpAppCheckAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator) public function otpAppCheckAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator)
{ {
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$isValid = $googleAuthenticator->checkCode( $isValid = $googleAuthenticator->checkCode(
@ -569,7 +569,7 @@ class ConfigController extends AbstractController
public function resetAction(Request $request, string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository) public function resetAction(Request $request, string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
{ {
if (!$this->isCsrfTokenValid('reset-area', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('reset-area', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
switch ($type) { switch ($type) {
@ -623,7 +623,7 @@ class ConfigController extends AbstractController
public function deleteAccountAction(Request $request, UserRepository $userRepository, TokenStorageInterface $tokenStorage) public function deleteAccountAction(Request $request, UserRepository $userRepository, TokenStorageInterface $tokenStorage)
{ {
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) { if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$enabledUsers = $userRepository->getSumEnabledUsers(); $enabledUsers = $userRepository->getSumEnabledUsers();

2
tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php
View file

@ -105,7 +105,7 @@ class DeveloperControllerTest extends WallabagCoreTestCase
$this->logInAs('bob'); $this->logInAs('bob');
$client->request('POST', '/developer/client/delete/' . $adminApiClient->getId()); $client->request('POST', '/developer/client/delete/' . $adminApiClient->getId());
$this->assertSame(403, $client->getResponse()->getStatusCode()); $this->assertSame(400, $client->getResponse()->getStatusCode());
// Try to remove the admin's client with the good user // Try to remove the admin's client with the good user
$this->logInAs('admin'); $this->logInAs('admin');

2
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
View file

@ -794,7 +794,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertStringNotContainsString('config.form_user.delete.button', $body[0]); $this->assertStringNotContainsString('config.form_user.delete.button', $body[0]);
$client->request('POST', '/account/delete'); $client->request('POST', '/account/delete');
$this->assertSame(403, $client->getResponse()->getStatusCode()); $this->assertSame(400, $client->getResponse()->getStatusCode());
$user = $em $user = $em
->getRepository(User::class) ->getRepository(User::class)