[Security] Implement double-submit CSRF protection

nicolas-grekas · nicolas-grekas · commit 0e8e0da8520d · 2024-08-27T14:50:54.000+02:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -237,6 +237,8 @@ private function addFormSection(ArrayNodeDefinition $rootNode, callable $enableI
                             ->children()
                                 ->booleanNode('enabled')->defaultNull()->end() // defaults to framework.csrf_protection.enabled
                                 ->scalarNode('field_name')->defaultValue('_token')->end()
+                                ->scalarNode('header_name')->defaultValue('x-csrf-token')->end()
+                                ->booleanNode('accept_as_fallback')->defaultFalse()->end()
                             ->end()
                         ->end()
                     ->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -149,6 +149,7 @@
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Security\Csrf\DoubleSubmitCsrfTokenManager;
 use Symfony\Component\Semaphore\PersistingStoreInterface as SemaphoreStoreInterface;
 use Symfony\Component\Semaphore\Semaphore;
 use Symfony\Component\Semaphore\SemaphoreFactory;
@@ -763,6 +764,12 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
 
             $container->setParameter('form.type_extension.csrf.enabled', true);
             $container->setParameter('form.type_extension.csrf.field_name', $config['form']['csrf_protection']['field_name']);
+            $container->setParameter('form.type_extension.csrf.header_name', $config['form']['csrf_protection']['header_name']);
+            $container->setParameter('form.type_extension.csrf.accept_as_fallback', $config['form']['csrf_protection']['accept_as_fallback']);
+
+            if (!$config['form']['csrf_protection']['header_name'] || !class_exists(DoubleSubmitCsrfTokenManager::class)) {
+                $container->setAlias('form.type_extension.csrf.token_manager', 'security.csrf.token_manager');
+            }
         } else {
             $container->setParameter('form.type_extension.csrf.enabled', false);
         }
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.php
@@ -12,18 +12,28 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Symfony\Component\Form\Extension\Csrf\Type\FormTypeCsrfExtension;
+use Symfony\Component\Security\Csrf\DoubleSubmitCsrfTokenManager;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
         ->set('form.type_extension.csrf', FormTypeCsrfExtension::class)
             ->args([
-                service('security.csrf.token_manager'),
+                service('form.type_extension.csrf.token_manager'),
                 param('form.type_extension.csrf.enabled'),
                 param('form.type_extension.csrf.field_name'),
                 service('translator')->nullOnInvalid(),
                 param('validator.translation_domain'),
                 service('form.server_params'),
             ])
             ->tag('form.type_extension')
+
+        ->set('form.type_extension.csrf.token_manager', DoubleSubmitCsrfTokenManager::class)
+            ->args([
+                service('request_stack'),
+                service('logger')->nullOnInvalid(),
+                param('form.type_extension.csrf.header_name'),
+                param('form.type_extension.csrf.accept_as_fallback'),
+            ])
+            ->tag('monolog.logger', ['channel' => 'request'])
     ;
 };
diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
@@ -73,6 +73,7 @@ public function finishView(FormView $view, FormInterface $form, array $options):
             $csrfForm = $factory->createNamed($options['csrf_field_name'], HiddenType::class, $data, [
                 'block_prefix' => 'csrf_token',
                 'mapped' => false,
+                'attr' => ['data--csrf-protection' => true],
             ]);
 
             $view->children[$options['csrf_field_name']] = $csrfForm->createView($view);
diff --git a/src/Symfony/Component/Security/Csrf/CHANGELOG.md b/src/Symfony/Component/Security/Csrf/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.2
+---
+
+ * Add `DoubleSubmitCsrfTokenManager`
+
 6.0
 ---
 
diff --git a/src/Symfony/Component/Security/Csrf/DoubleSubmitCsrfTokenManager.php b/src/Symfony/Component/Security/Csrf/DoubleSubmitCsrfTokenManager.php
@@ -0,0 +1,185 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf;
+
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+
+/**
+ * This CSRF token manager uses a combination of cookie and headers to validate non-persistent tokens.
+ *
+ * Double-Submit Validation: A JavaScript snippet on the client side is responsible for performing the
+ * double-submission. If the double-submit information is missing, this will fall back to
+ * using the Origin or Referer headers.
+ *
+ * Fallback Scenarios: If neither double-submit nor Origin/Referer headers are available, it typically
+ * indicates that JavaScript is disabled on the client side (unless the JavaScript snippet was not
+ * properly implemented), or that the Origin header was not sent.
+ *
+ * By default, requests lacking both double-submit and origin information are deemed insecure.
+ *
+ * Security Consistency: When a session is found, a behavioral check is added to ensure that the
+ * validation method does not downgrade from double-submit to origin checks, or from origin checks to
+ * the accept fallback. This prevents attackers from exploiting potentially less secure validation
+ * methods once a more secure method has been confirmed as functional.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class DoubleSubmitCsrfTokenManager implements CsrfTokenManagerInterface
+{
+    public const HEADER_NAME = 'x-csrf-token';
+
+    public function __construct(
+        private RequestStack $requestStack,
+        private ?LoggerInterface $logger = null,
+        private string $headerName = self::HEADER_NAME,
+        private bool $acceptAsFallback = false,
+    ) {
+    }
+
+    public function getToken(string $tokenId): CsrfToken
+    {
+        return new CsrfToken($tokenId, $this->headerName);
+    }
+
+    public function refreshToken(string $tokenId): CsrfToken
+    {
+        return new CsrfToken($tokenId, $this->headerName);
+    }
+
+    public function removeToken(string $tokenId): ?string
+    {
+        return null;
+    }
+
+    public function isTokenValid(CsrfToken $token): bool
+    {
+        // This token is not for us
+        if ($token->getValue() !== $this->headerName) {
+            $this->logger?->debug('CSRF validation failed: Unknown CSRF token.');
+
+            return false;
+        }
+
+        if (!$request = $this->requestStack->getCurrentRequest()) {
+            $this->logger?->debug('CSRF validation failed: No request found.');
+
+            return false;
+        }
+
+        if (false === $isValidOrigin = $this->isValidOrigin($request)) {
+            $this->logger?->debug('CSRF validation failed: Origin doesn\'t match.');
+
+            return false;
+        }
+
+        if ($this->isValidDoubleSubmit($request)) {
+            // Mark the request as validated using double-submit info
+            $request->attributes->set($this->headerName, 'double-submit');
+            $this->logger?->debug('CSRF validation accepted using double-submit info.');
+
+            return true;
+        }
+
+        // Opportunistically lookup at the session for a previous CSRF validation strategy
+        $session = $request->hasPreviousSession() ? $request->getSession() : null;
+        $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;
+        $usageIndexReference = \PHP_INT_MIN;
+        $csrfProtection = $session?->get($this->headerName);
+        $usageIndexReference = $usageIndexValue;
+
+        // If a previous request was validated using double-submit info, stick to it
+        if ('double-submit' === $csrfProtection) {
+            $this->logger?->debug('CSRF validation failed: double-submit info was used in a previous request but didn\'t pass this time.');
+
+            return false;
+        }
+
+        // If a previous request was validated using origin info, stick to it
+        if ('origin' === $csrfProtection && null === $isValidOrigin) {
+            $this->logger?->debug('CSRF validation failed: origin info was used in a previous request but didn\'t pass this time.');
+
+            return false;
+        }
+
+        if (true === $isValidOrigin) {
+            // Mark the request as validated using origin info
+            $request->attributes->set($this->headerName, 'origin');
+            $this->logger?->debug('CSRF validation accepted using origin info.');
+
+            return true;
+        }
+
+        if ($this->acceptAsFallback) {
+            $this->logger?->debug('CSRF validation accepted despite the absence of double-submit and origin info.');
+
+            return true;
+        }
+
+        $this->logger?->debug('CSRF validation failed: double-submit and origin info not found.');
+
+        return false;
+    }
+
+    public function clearCookie(Request $request, Response $response): void
+    {
+        $cookieName = ($request->isSecure() ? '__Host-' : '').$this->headerName;
+
+        if (!$request->cookies->has($cookieName)) {
+            $response->headers->clearCookie($cookieName, '/', null, $request->isSecure(), false, 'strict');
+        }
+    }
+
+    public function persistStrategy(Request $request): void
+    {
+        if ($request->hasSession(true) && $request->attributes->has($this->headerName)) {
+            $request->getSession()->set($this->headerName, $request->attributes->get($this->headerName));
+        }
+    }
+
+    public function onKernelResponse(ResponseEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->clearCookie($event->getRequest(), $event->getResponse());
+        $this->persistStrategy($event->getRequest());
+    }
+
+    /**
+     * @return bool|null Whether the origin is valid, null if missing
+     */
+    private function isValidOrigin(Request $request): ?bool
+    {
+        $source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null';
+
+        return 'null' === $source ? null : str_starts_with($source.'/', $request->getScheme().'://'.$request->getHttpHost().'/');
+    }
+
+    private function isValidDoubleSubmit(Request $request): bool
+    {
+        $token = $request->headers->get($this->headerName);
+
+        if (!\is_string($token) || \strlen($token) < 32) {
+            return false;
+        }
+
+        $cookieName = ($request->isSecure() ? '__Host-' : '').$this->headerName;
+
+        return $request->cookies->get($cookieName) === $token;
+    }
+}
