fix: move secure cookie check from Security to CookieStore

kenjis · kenjis · commit 27d9984476d1 · 2021-12-08T10:12:36.000+09:00
diff --git a/system/Cookie/CookieStore.php b/system/Cookie/CookieStore.php
@@ -13,6 +13,8 @@
 
 use ArrayIterator;
 use CodeIgniter\Cookie\Exceptions\CookieException;
+use CodeIgniter\Security\Exceptions\SecurityException;
+use Config\Services;
 use Countable;
 use IteratorAggregate;
 use Traversable;
@@ -161,7 +163,13 @@ public function remove(string $name, string $prefix = '')
      */
     public function dispatch(): void
     {
+        $request = Services::request();
+
         foreach ($this->cookies as $cookie) {
+            if ($cookie->isSecure() && ! $request->isSecure()) {
+                throw SecurityException::forDisallowedAction();
+            }
+
             $name    = $cookie->getPrefixedName();
             $value   = $cookie->getValue();
             $options = $cookie->getOptions();
diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -538,9 +538,6 @@ private function saveHashInCookie(): void
      */
     protected function sendCookie(RequestInterface $request)
     {
-        if ($this->cookie->isSecure() && ! $request->isSecure()) {
-            return false;
-        }
 
         $this->doSendCookie();
         log_message('info', 'CSRF cookie sent.');
diff --git a/tests/system/HTTP/ResponseSendTest.php b/tests/system/HTTP/ResponseSendTest.php
@@ -11,8 +11,10 @@
 
 namespace CodeIgniter\HTTP;
 
+use CodeIgniter\Security\Exceptions\SecurityException;
 use CodeIgniter\Test\CIUnitTestCase;
 use Config\App;
+use Config\Services;
 
 /**
  * This test suite has been created separately from
@@ -135,4 +137,38 @@ public function testRedirectResponseCookies()
         $this->assertHeaderEmitted('Set-Cookie: foo=bar;');
         $this->assertHeaderEmitted('Set-Cookie: login_time');
     }
+
+    /**
+     * Make sure secure cookies are not sent with HTTP request
+     *
+     * @ runInSeparateProcess
+     * @ preserveGlobalState  disabled
+     */
+    public function testDoNotSendUnSecureCookie(): void
+    {
+        $this->expectException(SecurityException::class);
+        $this->expectExceptionMessage('The action you requested is not allowed');
+
+        $request = $this->createMock(IncomingRequest::class);
+        $request->method('isSecure')->willReturn(false);
+        Services::injectMock('request', $request);
+
+        $response = new Response(new App());
+        $response->pretend(false);
+        $body = 'Hello';
+        $response->setBody($body);
+
+        $response->setCookie(
+            'foo',
+            'bar',
+            '',
+            '',
+            '/',
+            '',
+            true
+        );
+
+        // send it
+        $response->send();
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -538,9 +538,6 @@ private function saveHashInCookie(): void`
`538`	`538`	`*/`
`539`	`539`	`protected function sendCookie(RequestInterface $request)`
`540`	`540`	`{`
`541`		`- if ($this->cookie->isSecure() && ! $request->isSecure()) {`
`542`		`- return false;`
`543`		`- }`
`544`	`541`
`545`	`542`	`$this->doSendCookie();`
`546`	`543`	`log_message('info', 'CSRF cookie sent.');`