fix: do not allow Config\Security::$csrfProtection = 'cookie'

kenjis · kenjis · commit 4434177609cf · 2022-08-02T08:14:52.000+09:00
Same-site attakcers can set CSRF token cookie. So CSRF protection
is bypassed.
diff --git a/src/Authentication/Authenticators/Session.php b/src/Authentication/Authenticators/Session.php
@@ -15,11 +15,13 @@
 use CodeIgniter\Shield\Entities\UserIdentity;
 use CodeIgniter\Shield\Exceptions\InvalidArgumentException;
 use CodeIgniter\Shield\Exceptions\LogicException;
+use CodeIgniter\Shield\Exceptions\SecurityException;
 use CodeIgniter\Shield\Models\LoginModel;
 use CodeIgniter\Shield\Models\RememberModel;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Shield\Result;
+use Config\Security;
 use Config\Services;
 use stdClass;
 
@@ -73,6 +75,25 @@ public function __construct(UserModel $provider)
         $this->loginModel        = model(LoginModel::class);
         $this->rememberModel     = model(RememberModel::class);
         $this->userIdentityModel = model(UserIdentityModel::class);
+
+        $this->checkSecurityConfig();
+    }
+
+    /**
+     * Checks less secure Configuration.
+     */
+    private function checkSecurityConfig(): void
+    {
+        /** @var Security $securityConfig */
+        $securityConfig = config('Security');
+
+        if ($securityConfig->csrfProtection === 'cookie') {
+            throw new SecurityException(
+                'Config\Security::$csrfProtection is set to \'cookie\'.'
+                . ' Same-site attackers may bypass the CSRF protection.'
+                . ' Please set it to \'session\'.'
+            );
+        }
     }
 
     /**
diff --git a/src/Exceptions/SecurityException.php b/src/Exceptions/SecurityException.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace CodeIgniter\Shield\Exceptions;
+
+use RuntimeException;
+
+class SecurityException extends RuntimeException
+{
+}
diff --git a/tests/Controllers/RegisterTest.php b/tests/Controllers/RegisterTest.php
@@ -30,7 +30,6 @@ protected function setUp(): void
         parent::setUp();
 
         helper('auth');
-        Factories::reset();
 
         // Add auth routes
         $routes = service('routes');
diff --git a/tests/_support/TestCase.php b/tests/_support/TestCase.php
@@ -33,5 +33,10 @@ protected function setUp(): void
         $config          = config('Auth');
         $config->actions = ['login' => null, 'register' => null];
         Factories::injectMock('config', 'Auth', $config);
+
+        // Set Config\Security::$csrfProtection to 'session'
+        $config                 = config('Security');
+        $config->csrfProtection = 'session';
+        Factories::injectMock('config', 'Security', $config);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -33,5 +33,10 @@ protected function setUp(): void`
`33`	`33`	`$config = config('Auth');`
`34`	`34`	`$config->actions = ['login' => null, 'register' => null];`
`35`	`35`	`Factories::injectMock('config', 'Auth', $config);`
	`36`	`+`
	`37`	`+ // Set Config\Security::$csrfProtection to 'session'`
	`38`	`+ $config = config('Security');`
	`39`	`+ $config->csrfProtection = 'session';`
	`40`	`+ Factories::injectMock('config', 'Security', $config);`
`36`	`41`	`}`
`37`	`42`	`}`