Protect revoke_token with a CSRF token

2025-06-27 16:36:00 +00:00 · 2025-03-18 23:42:51 +01:00 · 2025-03-18 23:42:51 +01:00 · ac5b5fb379
commit ac5b5fb379
parent d703fa6a3a
3 changed files with 33 additions and 14 deletions
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@ -455,22 +455,22 @@ class ConfigController extends AbstractController
    }

    /**
-     * @Route("/revoke-token", name="revoke_token")
+     * @Route("/revoke-token", name="revoke_token", methods={"POST"})
     *
     * @return RedirectResponse|JsonResponse
     */
    public function revokeTokenAction(Request $request)
    {
+        if (!$this->isCsrfTokenValid('revoke-token', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $config = $this->getConfig();
        $config->setFeedToken(null);

        $this->entityManager->persist($config);
        $this->entityManager->flush();

-        if ($request->isXmlHttpRequest()) {
-            return new JsonResponse();
-        }
-
        $this->addFlash(
            'notice',
            'flashes.config.notice.feed_token_revoked'
--- a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
@ -146,7 +146,12 @@

                                            <button type="submit" class="btn-link">{{ 'config.form_feed.token_reset'|trans }}</button>
                                        </form>
-                                        – <a href="{{ path('revoke_token') }}">{{ 'config.form_feed.token_revoke'|trans }}</a>
+                                        –
+                                        <form action="{{ path('revoke_token') }}" method="post" class="inline-block">
+                                            <input type="hidden" name="token" value="{{ csrf_token('revoke-token') }}"/>
+
+                                            <button type="submit" class="btn-link">{{ 'config.form_feed.token_revoke'|trans }}</button>
+                                        </form>
                                    {% else %}
                                        –
                                        <form action="{{ path('generate_token') }}" method="post" class="inline-block">
--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@ -343,15 +343,29 @@ class ConfigControllerTest extends WallabagCoreTestCase
        $this->logInAs('admin');
        $client = $this->getTestClient();

-        $client->request(
-            'GET',
-            '/revoke-token',
-            [],
-            [],
-            ['HTTP_X-Requested-With' => 'XMLHttpRequest']
-        );
+        // set the token
+        $em = $client->getContainer()->get(EntityManagerInterface::class);
+        $user = $em
+            ->getRepository(User::class)
+            ->findOneByUsername('admin');

-        $this->assertSame(200, $client->getResponse()->getStatusCode());
+        if (!$user) {
+            $this->markTestSkipped('No user found in db.');
+        }
+
+        $config = $user->getConfig();
+        $config->setFeedToken('abcd1234');
+        $em->persist($config);
+        $em->flush();
+
+        $crawler = $client->request('GET', '/config');
+
+        $client->submit($crawler->selectButton('config.form_feed.token_revoke')->form());
+
+        $crawler = $client->followRedirect();
+
+        $this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
+        $this->assertStringContainsString('config.form_feed.token_create', $body[0]);
    }

    public function testFeedUpdate()