Merge branch 'sw-26689/set-cookie-secure' into '5.7'

mitelg · mitelg · commit 0b03afcc94b0 · 2022-04-29T13:16:10.000Z
SW-26689 - Set secure attribute depending on the shop configuration

See merge request shopware/5/product/shopware!803
diff --git a/engine/Shopware/Components/CSRFTokenValidator.php b/engine/Shopware/Components/CSRFTokenValidator.php
@@ -148,6 +148,8 @@ public function checkFrontendTokenValidation(Enlight_Event_EventArgs $args)
         }
 
         if ($request->isGet() && !$this->isProtected($controller)) {
+            $this->updateCsrfTokenIfNotAvailable($request, $response);
+
             return;
         }
 
@@ -171,32 +173,63 @@ public function checkFrontendTokenValidation(Enlight_Event_EventArgs $args)
 
     public function regenerateToken(Request $request, Response $response): string
     {
-        $context = $this->contextService->getShopContext();
-
-        $name = self::CSRF_SESSION_KEY . $context->getShop()->getId();
-
-        if ($context->getShop()->getParentId() && $this->componentsConfig->get('shareSessionBetweenLanguageShops')) {
-            $name = self::CSRF_SESSION_KEY . $context->getShop()->getParentId();
-        }
+        $shop = $this->contextService->getShopContext()->getShop();
+        $name = $this->getCsrfName();
 
         $token = Random::getAlphanumericString(30);
         $this->container->get('session')->set($name, $token);
-        $response->headers->setCookie(new Cookie($name, $token, 0, '/', null, $request->isSecure(), false));
+
+        $response->headers->clearCookie($name);
+
+        /*
+         * Appending a '/' to the $basePath is not strictly necessary, but it is
+         * done to all cookie base paths in the
+         * `themes/Frontend/Bare/frontend/index/index.tpl` template. It's done
+         * here as well for compatibility reasons.
+         */
+        $response->headers->setCookie(new Cookie(
+            $name,
+            $token,
+            0,
+            sprintf('%s/', $shop->getPath() ?: ''),
+            null,
+            $shop->getSecure(),
+            false
+        ));
 
         return $token;
     }
 
+    private function updateCsrfTokenIfNotAvailable(Request $request, Response $response): void
+    {
+        $name = $this->getCsrfName();
+
+        if ($this->container->get('session')->has($name)) {
+            return;
+        }
+
+        $this->regenerateToken($request, $response);
+    }
+
+    private function getCsrfName(): string
+    {
+        $shop = $this->contextService->getShopContext()->getShop();
+
+        $name = self::CSRF_SESSION_KEY . $shop->getId();
+
+        if ($shop->getParentId() && $this->componentsConfig->get('shareSessionBetweenLanguageShops')) {
+            $name = self::CSRF_SESSION_KEY . $shop->getParentId();
+        }
+
+        return $name;
+    }
+
     /**
      * Check if the submitted CSRF token in cookie or header matches with the token stored in the session
      */
     private function checkRequest(Request $request, Response $response): bool
     {
-        $context = $this->contextService->getShopContext();
-        $name = self::CSRF_SESSION_KEY . $context->getShop()->getId();
-
-        if ($context->getShop()->getParentId() && $this->componentsConfig->get('shareSessionBetweenLanguageShops')) {
-            $name = self::CSRF_SESSION_KEY . $context->getShop()->getParentId();
-        }
+        $name = $this->getCsrfName();
 
         $token = $this->container->get('session')->get($name);
 
diff --git a/tests/Functional/Components/CSRFTokenValidatorTest.php b/tests/Functional/Components/CSRFTokenValidatorTest.php
@@ -47,11 +47,14 @@ class CSRFTokenValidatorTest extends TestCase
 
     public const EXISTING_ACTION_NAME = 'foo';
 
+    private const CSRF_TOKEN_FOR_SHOP_ONE = '__csrf_token-1';
+
     /**
      * @before
      */
     public function enableCsrfInFrontend(): void
     {
+        $this->getContainer()->get('session')->offsetUnset(self::CSRF_TOKEN_FOR_SHOP_ONE);
         Utils::hijackProperty($this->getContainer()->get(CSRFTokenValidator::class), 'isEnabledFrontend', true);
     }
 
@@ -60,6 +63,7 @@ public function enableCsrfInFrontend(): void
      */
     public function disableCsrfInFrontend(): void
     {
+        $this->getContainer()->get('session')->offsetUnset(self::CSRF_TOKEN_FOR_SHOP_ONE);
         Utils::hijackProperty($this->getContainer()->get(CSRFTokenValidator::class), 'isEnabledFrontend', false);
     }
 
@@ -85,7 +89,7 @@ public function testFrontendTokenIsValid(): void
 
         $tokenValidator->checkFrontendTokenValidation($enlightEventArgs);
 
-        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
+        static::assertIsString($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
         static::assertTrue($incomingRequest->getAttribute('isValidated'));
     }
 
@@ -115,8 +119,8 @@ public function testFrontendTokenValidationThrowsError(): void
             static::assertInstanceOf(CSRFTokenValidationException::class, $e);
         }
 
-        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
-        static::assertNotEquals($token, $this->getContainer()->get('session')->get('__csrf_token-1'));
+        static::assertIsString($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
+        static::assertNotEquals($token, $this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
     }
 
     public function testCsrfExceptionIsThrownWhenNoSession(): void
@@ -141,7 +145,7 @@ public function testCsrfExceptionIsThrownWhenNoSession(): void
             static::assertInstanceOf(CSRFTokenValidationException::class, $e);
         }
 
-        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
+        static::assertIsString($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
     }
 
     public function testCsrfExceptionIsThrownWhenNoRequestCsrfIsSet(): void
@@ -167,7 +171,51 @@ public function testCsrfExceptionIsThrownWhenNoRequestCsrfIsSet(): void
             static::assertInstanceOf(CSRFTokenValidationException::class, $e);
         }
 
-        static::assertNotNull($this->getContainer()->get('session')->get('__csrf_token-1'));
+        static::assertIsString($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
+    }
+
+    public function testCsrfTokenIsUpdatedIfItIsNotAvailableInTheSessionAndIsGetRequest(): void
+    {
+        $tokenValidator = $this->getContainer()->get(CSRFTokenValidator::class);
+        $this->getContainer()->get(ContextServiceInterface::class)->createShopContext(1);
+
+        static::assertNull($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
+
+        $controller = new NotProtectionAwareController();
+        $incomingRequest = new Enlight_Controller_Request_RequestTestCase();
+        $incomingRequest->setMethod('GET');
+        $createResponse = new Enlight_Controller_Response_ResponseTestCase();
+        $controller->setRequest($incomingRequest);
+        $controller->setResponse($createResponse);
+        $enlightEventArgs = new Enlight_Event_EventArgs([
+            'subject' => $controller,
+        ]);
+
+        $tokenValidator->checkFrontendTokenValidation($enlightEventArgs);
+
+        static::assertIsString($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
+    }
+
+    public function testCsrfTokenIsNotUpdatedIfItIsNotAvailableInTheSession(): void
+    {
+        $tokenValidator = $this->getContainer()->get(CSRFTokenValidator::class);
+        $this->getContainer()->get(ContextServiceInterface::class)->createShopContext(1);
+
+        static::assertNull($this->getContainer()->get('session')->get(self::CSRF_TOKEN_FOR_SHOP_ONE));
+
+        $controller = new MockController();
+        $incomingRequest = new Enlight_Controller_Request_RequestTestCase();
+        $incomingRequest->setMethod('GET');
+        $incomingRequest->setActionName(self::EXISTING_ACTION_NAME);
+        $createResponse = new Enlight_Controller_Response_ResponseTestCase();
+        $controller->setRequest($incomingRequest);
+        $controller->setResponse($createResponse);
+        $enlightEventArgs = new Enlight_Event_EventArgs([
+            'subject' => $controller,
+        ]);
+
+        $this->expectException(CSRFTokenValidationException::class);
+        $tokenValidator->checkFrontendTokenValidation($enlightEventArgs);
     }
 }
 
@@ -180,3 +228,7 @@ public function getCSRFProtectedActions()
         ];
     }
 }
+
+class NotProtectionAwareController extends Enlight_Controller_Action
+{
+}
diff --git a/themes/Frontend/Responsive/frontend/_public/src/js/jquery.csrf-protection.js b/themes/Frontend/Responsive/frontend/_public/src/js/jquery.csrf-protection.js
@@ -174,7 +174,6 @@
                 $.ajax({
                     url: window.csrfConfig.generateUrl,
                     success: function(response, status, xhr) {
-                        me.saveToken(xhr.getResponseHeader('x-csrf-token'));
                         $.publish('plugin/swCsrfProtection/requestToken', [me, me.getToken()]);
                         me.afterInit();
                     }
@@ -183,15 +182,11 @@
         },
 
         /**
-         * Save token into a cookie
+         * @deprecated will be removed with v5.8.0
+         *
          * @param token
          */
-        saveToken: function(token) {
-            var me = this,
-                basePath = window.csrfConfig.basePath || '/';
-
-            document.cookie = me.storageKey + '=' + token + '; path=' + basePath + ($.isSecure() ? '; secure;' : '');
-        },
+        saveToken: function(token) {},
 
         /**
          * Initialize the CSRF protection
