Fix CSRF filter does not work when set it to only post

* refactor: case the existence of config files with if statements

To make it easier to know which parts to delete in the future.

* docs: fix PHPDoc explanation

* fix: bug that CSRF cookie is not sent just by calling csrf_hash()

When the CSRF filter was set to POST method, it did not work.

* refactor: replace deprecated method getHeader()

* refactor: extract method

* refactor: extract method

* refactor: extract method

* refactor: use $this->hash instead of $_COOKIE

* test: fix the timing for setting superglobals

* test: fix Cannot modify header information

ErrorException: Cannot modify header information - headers already sent by ...

* style: vendor/bin/rector process

* refactor: ensure instance

It becomes clear that it is `SecurityConfig`.

Co-authored-by: Abdul Malik Ikhsan <samsonasik@gmail.com>

* refactor: ensure instance

It becomes clear that it is `CookieConfig`.

Co-authored-by: Abdul Malik Ikhsan <samsonasik@gmail.com>

* refactor: when $cookie is null, Cookie::setDefaults($cookie) does nothing

* refactor: extract method

* fix: make private extracted methods

* fix: make private added property

* fix: fallback to the local properties

Takes care when a user removes properties in config classes.

* refactor: use $request instead of $_POST

Co-authored-by: Abdul Malik Ikhsan <samsonasik@gmail.com>

Author: kenjis

app/Config/Security.php

@@ -57,7 +57,7 @@ class Security extends BaseConfig
      * CSRF Regenerate
      * --------------------------------------------------------------------------
      *
-     * Regenerate CSRF Token on every request.
+     * Regenerate CSRF Token on every submission.
      *
      * @var bool
      */

system/Security/Security.php

@@ -17,6 +17,7 @@
 use Config\App;
 use Config\Cookie as CookieConfig;
 use Config\Security as SecurityConfig;
+use Config\Services;
 
 /**
  * Class Security
@@ -77,8 +78,6 @@ class Security implements SecurityInterface
      * Defaults to two hours (in seconds).
      *
      * @var int
-     *
-     * @deprecated
      */
     protected $expires = 7200;
 
@@ -117,6 +116,18 @@ class Security implements SecurityInterface
      */
     protected $samesite = Cookie::SAMESITE_LAX;
 
+    /**
+     * @var RequestInterface
+     */
+    private $request;
+
+    /**
+     * CSRF Cookie Name without Prefix
+     *
+     * @var string
+     */
+    private $rawCookieName;
+
     /**
      * Constructor.
      *
@@ -125,27 +136,46 @@ class Security implements SecurityInterface
      */
     public function __construct(App $config)
     {
-        /** @var SecurityConfig $security */
+        /** @var SecurityConfig|null $security */
         $security = config('Security');
 
         // Store CSRF-related configurations
-        $this->tokenName  = $security->tokenName ?? $config->CSRFTokenName ?? $this->tokenName;
-        $this->headerName = $security->headerName ?? $config->CSRFHeaderName ?? $this->headerName;
-        $this->regenerate = $security->regenerate ?? $config->CSRFRegenerate ?? $this->regenerate;
-        $rawCookieName    = $security->cookieName ?? $config->CSRFCookieName ?? $this->cookieName;
+        if ($security instanceof SecurityConfig) {
+            $this->tokenName     = $security->tokenName ?? $this->tokenName;
+            $this->headerName    = $security->headerName ?? $this->headerName;
+            $this->regenerate    = $security->regenerate ?? $this->regenerate;
+            $this->rawCookieName = $security->cookieName ?? $this->rawCookieName;
+            $this->expires       = $security->expires ?? $this->expires;
+        } else {
+            // `Config/Security.php` is absence
+            $this->tokenName     = $config->CSRFTokenName ?? $this->tokenName;
+            $this->headerName    = $config->CSRFHeaderName ?? $this->headerName;
+            $this->regenerate    = $config->CSRFRegenerate ?? $this->regenerate;
+            $this->rawCookieName = $config->CSRFCookieName ?? $this->rawCookieName;
+            $this->expires       = $config->CSRFExpire ?? $this->expires;
+        }
 
-        /** @var CookieConfig $cookie */
-        $cookie = config('Cookie');
+        $this->configureCookie($config);
 
-        $cookiePrefix     = $cookie->prefix ?? $config->cookiePrefix;
-        $this->cookieName = $cookiePrefix . $rawCookieName;
+        $this->request = Services::request();
 
-        $expires = $security->expires ?? $config->CSRFExpire ?? 7200;
+        $this->generateHash();
+    }
+
+    private function configureCookie(App $config): void
+    {
+        /** @var CookieConfig|null $cookie */
+        $cookie = config('Cookie');
 
-        Cookie::setDefaults($cookie);
-        $this->cookie = new Cookie($rawCookieName, $this->generateHash(), [
-            'expires' => $expires === 0 ? 0 : time() + $expires,
-        ]);
+        if ($cookie instanceof CookieConfig) {
+            $cookiePrefix     = $cookie->prefix;
+            $this->cookieName = $cookiePrefix . $this->rawCookieName;
+            Cookie::setDefaults($cookie);
+        } else {
+            // `Config/Cookie.php` is absence
+            $cookiePrefix     = $config->cookiePrefix;
+            $this->cookieName = $cookiePrefix . $this->rawCookieName;
+        }
     }
 
     /**
@@ -202,26 +232,15 @@ public function verify(RequestInterface $request)
             return $this->sendCookie($request);
         }
 
-        // Does the token exist in POST, HEADER or optionally php:://input - json data.
-        if ($request->hasHeader($this->headerName) && ! empty($request->getHeader($this->headerName)->getValue())) {
-            $tokenName = $request->getHeader($this->headerName)->getValue();
-        } else {
-            $json = json_decode($request->getBody());
-
-            if (! empty($request->getBody()) && ! empty($json) && json_last_error() === JSON_ERROR_NONE) {
-                $tokenName = $json->{$this->tokenName} ?? null;
-            } else {
-                $tokenName = null;
-            }
-        }
-
-        $token = $_POST[$this->tokenName] ?? $tokenName;
+        $token = $this->getPostedToken($request);
 
         // Does the tokens exist in both the POST/POSTed JSON and COOKIE arrays and match?
-        if (! isset($token, $_COOKIE[$this->cookieName]) || ! hash_equals($token, $_COOKIE[$this->cookieName])) {
+        if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
             throw SecurityException::forDisallowedAction();
         }
 
+        $json = json_decode($request->getBody());
+
         if (isset($_POST[$this->tokenName])) {
             // We kill this since we're done and we don't want to pollute the POST array.
             unset($_POST[$this->tokenName]);
@@ -237,14 +256,31 @@ public function verify(RequestInterface $request)
             unset($_COOKIE[$this->cookieName]);
         }
 
-        $this->cookie = $this->cookie->withValue($this->generateHash());
-        $this->sendCookie($request);
+        $this->generateHash();
 
         log_message('info', 'CSRF token verified.');
 
         return $this;
     }
 
+    private function getPostedToken(RequestInterface $request): ?string
+    {
+        // Does the token exist in POST, HEADER or optionally php:://input - json data.
+        if ($request->hasHeader($this->headerName) && ! empty($request->header($this->headerName)->getValue())) {
+            $tokenName = $request->header($this->headerName)->getValue();
+        } else {
+            $json = json_decode($request->getBody());
+
+            if (! empty($request->getBody()) && ! empty($json) && json_last_error() === JSON_ERROR_NONE) {
+                $tokenName = $json->{$this->tokenName} ?? null;
+            } else {
+                $tokenName = null;
+            }
+        }
+
+        return $request->getPost($this->tokenName) ?? $tokenName;
+    }
+
     /**
      * Returns the CSRF Hash.
      */
@@ -373,19 +409,37 @@ protected function generateHash(): string
             // We don't necessarily want to regenerate it with
             // each page load since a page could contain embedded
             // sub-pages causing this feature to fail
-            if (isset($_COOKIE[$this->cookieName])
-                && is_string($_COOKIE[$this->cookieName])
-                && preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->cookieName]) === 1
-            ) {
+            if ($this->isHashInCookie()) {
                 return $this->hash = $_COOKIE[$this->cookieName];
             }
 
             $this->hash = bin2hex(random_bytes(16));
+
+            $this->saveHashInCookie();
         }
 
         return $this->hash;
     }
 
+    private function isHashInCookie(): bool
+    {
+        return isset($_COOKIE[$this->cookieName])
+        && is_string($_COOKIE[$this->cookieName])
+        && preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->cookieName]) === 1;
+    }
+
+    private function saveHashInCookie()
+    {
+        $this->cookie = new Cookie(
+            $this->rawCookieName,
+            $this->hash,
+            [
+                'expires' => $this->expires === 0 ? 0 : time() + $this->expires,
+            ]
+        );
+        $this->sendCookie($this->request);
+    }
+
     /**
      * CSRF Send Cookie
      *

tests/system/CommonFunctionsTest.php

@@ -22,6 +22,7 @@
 use CodeIgniter\Session\Session;
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\Mock\MockIncomingRequest;
+use CodeIgniter\Test\Mock\MockSecurity;
 use CodeIgniter\Test\Mock\MockSession;
 use CodeIgniter\Test\TestLogger;
 use Config\App;
@@ -232,6 +233,8 @@ public function testAppTimezone()
 
     public function testCSRFToken()
     {
+        Services::injectMock('security', new MockSecurity(new App()));
+
         $this->assertSame('csrf_test_name', csrf_token());
     }
 

tests/system/CommonSingleServiceTest.php

@@ -13,6 +13,8 @@
 
 use CodeIgniter\Config\Services;
 use CodeIgniter\Test\CIUnitTestCase;
+use CodeIgniter\Test\Mock\MockSecurity;
+use Config\App;
 use ReflectionClass;
 use ReflectionMethod;
 
@@ -26,6 +28,8 @@ final class CommonSingleServiceTest extends CIUnitTestCase
      */
     public function testSingleServiceWithNoParamsSupplied(string $service): void
     {
+        Services::injectMock('security', new MockSecurity(new App()));
+
         $service1 = single_service($service);
         $service2 = single_service($service);
 
@@ -90,7 +94,7 @@ public static function serviceNamesProvider(): iterable
                 continue;
             }
 
-            yield [$name];
+            yield $name => [$name];
         }
     }
 }

tests/system/Config/ServicesTest.php

@@ -397,6 +397,8 @@ public function testRouter()
 
     public function testSecurity()
     {
+        Services::injectMock('security', new MockSecurity(new App()));
+
         $result = Services::security();
         $this->assertInstanceOf(Security::class, $result);
     }

tests/system/Helpers/SecurityHelperTest.php

@@ -12,6 +12,9 @@
 namespace CodeIgniter\Helpers;
 
 use CodeIgniter\Test\CIUnitTestCase;
+use CodeIgniter\Test\Mock\MockSecurity;
+use Config\App;
+use Tests\Support\Config\Services as Services;
 
 /**
  * @internal
@@ -27,6 +30,8 @@ protected function setUp(): void
 
     public function testSanitizeFilenameSimpleSuccess()
     {
+        Services::injectMock('security', new MockSecurity(new App()));
+
         $this->assertSame('hello.doc', sanitize_filename('hello.doc'));
     }