aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorLukas Reschke <lukas@owncloud.com>2016-01-25 17:15:54 +0100
committerLukas Reschke <lukas@owncloud.com>2016-01-25 20:03:40 +0100
commita977465af5834a76b1e98854a2c9bfbe413c218c (patch)
tree7a47d606f7935ac7de09fe8169188691cc9e4373 /lib
parent37f5f5077a59d69723965d1345536d46605589f5 (diff)
downloadnextcloud-server-a977465af5834a76b1e98854a2c9bfbe413c218c.tar.gz
nextcloud-server-a977465af5834a76b1e98854a2c9bfbe413c218c.zip
Add new CSRF manager for unit testing purposes
This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
Diffstat (limited to 'lib')
-rw-r--r--lib/private/appframework/http/request.php30
-rw-r--r--lib/private/security/csrf/csrftoken.php69
-rw-r--r--lib/private/security/csrf/csrftokengenerator.php52
-rw-r--r--lib/private/security/csrf/csrftokenmanager.php97
-rw-r--r--lib/private/security/csrf/tokenstorage/sessionstorage.php80
-rw-r--r--lib/private/server.php27
-rw-r--r--lib/private/template.php4
-rw-r--r--lib/private/template/base.php5
-rw-r--r--lib/private/user.php2
-rw-r--r--lib/private/util.php36
-rw-r--r--lib/public/util.php16
11 files changed, 348 insertions, 70 deletions
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index 2b944c116eb..caddb5a235d 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -33,6 +33,8 @@
namespace OC\AppFramework\Http;
+use OC\Security\CSRF\CsrfToken;
+use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\TrustedDomainHelper;
use OCP\IConfig;
use OCP\IRequest;
@@ -75,6 +77,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
protected $requestId = '';
/** @var ICrypto */
protected $crypto;
+ /** @var CsrfTokenManager|null */
+ protected $csrfTokenManager;
/** @var bool */
protected $contentDecoded = false;
@@ -92,17 +96,20 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* - string|false 'requesttoken' the requesttoken or false when not available
* @param ISecureRandom $secureRandom
* @param IConfig $config
+ * @param CsrfTokenManager|null $csrfTokenManager
* @param string $stream
* @see http://www.php.net/manual/en/reserved.variables.php
*/
public function __construct(array $vars=array(),
ISecureRandom $secureRandom = null,
IConfig $config,
- $stream='php://input') {
+ CsrfTokenManager $csrfTokenManager = null,
+ $stream = 'php://input') {
$this->inputStream = $stream;
$this->items['params'] = array();
$this->secureRandom = $secureRandom;
$this->config = $config;
+ $this->csrfTokenManager = $csrfTokenManager;
if(!array_key_exists('method', $vars)) {
$vars['method'] = 'GET';
@@ -421,10 +428,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
/**
* Checks if the CSRF check was correct
* @return bool true if CSRF check passed
- * @see OC_Util::callRegister()
*/
public function passesCSRFCheck() {
- if($this->items['requesttoken'] === false) {
+ if($this->csrfTokenManager === null) {
return false;
}
@@ -438,23 +444,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
//no token found.
return false;
}
+ $token = new CsrfToken($token);
- // Deobfuscate token to prevent BREACH like attacks
- $token = explode(':', $token);
- if (count($token) !== 2) {
- return false;
- }
-
- $obfuscatedToken = $token[0];
- $secret = $token[1];
- $deobfuscatedToken = base64_decode($obfuscatedToken) ^ $secret;
-
- // Check if the token is valid
- if(hash_equals($deobfuscatedToken, $this->items['requesttoken'])) {
- return true;
- } else {
- return false;
- }
+ return $this->csrfTokenManager->isTokenValid($token);
}
/**
diff --git a/lib/private/security/csrf/csrftoken.php b/lib/private/security/csrf/csrftoken.php
new file mode 100644
index 00000000000..4524d0db6e6
--- /dev/null
+++ b/lib/private/security/csrf/csrftoken.php
@@ -0,0 +1,69 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Security\CSRF;
+
+/**
+ * Class CsrfToken represents the stored or provided CSRF token. To mitigate
+ * BREACH alike vulnerabilities the token is returned in an encrypted value as
+ * well in an unencrypted value. For display measures to the user always the
+ * unencrypted one should be chosen.
+ *
+ * @package OC\Security\CSRF
+ */
+class CsrfToken {
+ /** @var string */
+ private $value;
+
+ /**
+ * @param string $value Value of the token. Can be encrypted or not encrypted.
+ */
+ public function __construct($value) {
+ $this->value = $value;
+ }
+
+ /**
+ * Encrypted value of the token. This is used to mitigate BREACH alike
+ * vulnerabilities. For display measures do use this functionality.
+ *
+ * @return string
+ */
+ public function getEncryptedValue() {
+ $sharedSecret = base64_encode(random_bytes(strlen($this->value)));
+ return base64_encode($this->value ^ $sharedSecret) .':'.$sharedSecret;
+ }
+
+ /**
+ * The unencrypted value of the token. Used for decrypting an already
+ * encrypted token.
+ *
+ * @return int
+ */
+ public function getDecryptedValue() {
+ $token = explode(':', $this->value);
+ if (count($token) !== 2) {
+ return '';
+ }
+ $obfuscatedToken = $token[0];
+ $secret = $token[1];
+ return base64_decode($obfuscatedToken) ^ $secret;
+ }
+}
diff --git a/lib/private/security/csrf/csrftokengenerator.php b/lib/private/security/csrf/csrftokengenerator.php
new file mode 100644
index 00000000000..6ea71636d22
--- /dev/null
+++ b/lib/private/security/csrf/csrftokengenerator.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Security\CSRF;
+
+use OCP\Security\ISecureRandom;
+
+/**
+ * Class CsrfTokenGenerator is used to generate a cryptographically secure
+ * pseudo-random number for the token.
+ *
+ * @package OC\Security\CSRF
+ */
+class CsrfTokenGenerator {
+ /** @var ISecureRandom */
+ private $random;
+
+ /**
+ * @param ISecureRandom $random
+ */
+ public function __construct(ISecureRandom $random) {
+ $this->random = $random;
+ }
+
+ /**
+ * Generate a new CSRF token.
+ *
+ * @param int $length Length of the token in characters.
+ * @return string
+ */
+ public function generateToken($length = 32) {
+ return $this->random->generate($length);
+ }
+}
diff --git a/lib/private/security/csrf/csrftokenmanager.php b/lib/private/security/csrf/csrftokenmanager.php
new file mode 100644
index 00000000000..8d1bf5c0819
--- /dev/null
+++ b/lib/private/security/csrf/csrftokenmanager.php
@@ -0,0 +1,97 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Security\CSRF;
+
+use OC\Security\CSRF\TokenStorage\SessionStorage;
+
+/**
+ * Class CsrfTokenManager is the manager for all CSRF token related activities.
+ *
+ * @package OC\Security\CSRF
+ */
+class CsrfTokenManager {
+ /** @var CsrfTokenGenerator */
+ private $tokenGenerator;
+ /** @var SessionStorage */
+ private $sessionStorage;
+
+ /**
+ * @param CsrfTokenGenerator $tokenGenerator
+ * @param SessionStorage $storageInterface
+ */
+ public function __construct(CsrfTokenGenerator $tokenGenerator,
+ SessionStorage $storageInterface) {
+ $this->tokenGenerator = $tokenGenerator;
+ $this->sessionStorage = $storageInterface;
+ }
+
+ /**
+ * Returns the current CSRF token, if none set it will create a new one.
+ *
+ * @return CsrfToken
+ */
+ public function getToken() {
+ if($this->sessionStorage->hasToken()) {
+ $value = $this->sessionStorage->getToken();
+ } else {
+ $value = $this->tokenGenerator->generateToken();
+ $this->sessionStorage->setToken($value);
+ }
+
+ return new CsrfToken($value);
+ }
+
+ /**
+ * Invalidates any current token and sets a new one.
+ *
+ * @return CsrfToken
+ */
+ public function refreshToken() {
+ $value = $this->tokenGenerator->generateToken();
+ $this->sessionStorage->setToken($value);
+ return new CsrfToken($value);
+ }
+
+ /**
+ * Remove the current token from the storage.
+ */
+ public function removeToken() {
+ $this->sessionStorage->removeToken();
+ }
+
+ /**
+ * Verifies whether the provided token is valid.
+ *
+ * @param CsrfToken $token
+ * @return bool
+ */
+ public function isTokenValid(CsrfToken $token) {
+ if(!$this->sessionStorage->hasToken()) {
+ return false;
+ }
+
+ return hash_equals(
+ $this->sessionStorage->getToken(),
+ $token->getDecryptedValue()
+ );
+ }
+}
diff --git a/lib/private/security/csrf/tokenstorage/sessionstorage.php b/lib/private/security/csrf/tokenstorage/sessionstorage.php
new file mode 100644
index 00000000000..e1c8c96e920
--- /dev/null
+++ b/lib/private/security/csrf/tokenstorage/sessionstorage.php
@@ -0,0 +1,80 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Security\CSRF\TokenStorage;
+
+use OCP\ISession;
+
+/**
+ * Class SessionStorage provides the session storage
+ *
+ * @package OC\Security\CSRF\TokenStorage
+ */
+class SessionStorage {
+ /** @var ISession */
+ private $session;
+
+ /**
+ * @param ISession $session
+ */
+ public function __construct(ISession $session) {
+ $this->session = $session;
+ }
+
+ /**
+ * Returns the current token or throws an exception if none is found.
+ *
+ * @return string
+ * @throws \Exception
+ */
+ public function getToken() {
+ $token = $this->session->get('requesttoken');
+ if(empty($token)) {
+ throw new \Exception('Session does not contain a requesttoken');
+ }
+
+ return $token;
+ }
+
+ /**
+ * Set the valid current token to $value.
+ *
+ * @param string $value
+ */
+ public function setToken($value) {
+ $this->session->set('requesttoken', $value);
+ }
+
+ /**
+ * Removes the current token.
+ */
+ public function removeToken() {
+ $this->session->remove('requesttoken');
+ }
+ /**
+ * Whether the storage has a storage.
+ *
+ * @return bool
+ */
+ public function hasToken() {
+ return $this->session->exists('requesttoken');
+ }
+}
diff --git a/lib/private/server.php b/lib/private/server.php
index 6e9c5ca0c68..eca7ac348ef 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -64,6 +64,9 @@ use OC\Mail\Mailer;
use OC\Notification\Manager;
use OC\Security\CertificateManager;
use OC\Security\Crypto;
+use OC\Security\CSRF\CsrfTokenGenerator;
+use OC\Security\CSRF\CsrfTokenManager;
+use OC\Security\CSRF\TokenStorage\SessionStorage;
use OC\Security\Hasher;
use OC\Security\CredentialsManager;
use OC\Security\SecureRandom;
@@ -469,12 +472,6 @@ class Server extends ServerContainer implements IServerContainer {
$urlParams = [];
}
- if ($this->getSession()->exists('requesttoken')) {
- $requestToken = $this->getSession()->get('requesttoken');
- } else {
- $requestToken = false;
- }
-
if (defined('PHPUNIT_RUN') && PHPUNIT_RUN
&& in_array('fakeinput', stream_get_wrappers())
) {
@@ -495,10 +492,10 @@ class Server extends ServerContainer implements IServerContainer {
? $_SERVER['REQUEST_METHOD']
: null,
'urlParams' => $urlParams,
- 'requesttoken' => $requestToken,
],
$this->getSecureRandom(),
$this->getConfig(),
+ $this->getCsrfTokenManager(),
$stream
);
});
@@ -588,6 +585,15 @@ class Server extends ServerContainer implements IServerContainer {
$request
);
});
+ $this->registerService('CsrfTokenManager', function (Server $c) {
+ $tokenGenerator = new CsrfTokenGenerator($c->getSecureRandom());
+ $sessionStorage = new SessionStorage($c->getSession());
+
+ return new CsrfTokenManager(
+ $tokenGenerator,
+ $sessionStorage
+ );
+ });
$this->registerService('ShareManager', function(Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('sharing.managerFactory', '\OC\Share20\ProviderFactory');
@@ -1205,6 +1211,13 @@ class Server extends ServerContainer implements IServerContainer {
}
/**
+ * @return CsrfTokenManager
+ */
+ public function getCsrfTokenManager() {
+ return $this->query('CsrfTokenManager');
+ }
+
+ /**
* Not a public API as of 8.2, wait for 9.0
*
* @return \OCA\Files_External\Service\BackendService
diff --git a/lib/private/template.php b/lib/private/template.php
index 717f91a7034..ae3e857a798 100644
--- a/lib/private/template.php
+++ b/lib/private/template.php
@@ -76,7 +76,7 @@ class OC_Template extends \OC\Template\Base {
$theme = OC_Util::getTheme();
- $requesttoken = (OC::$server->getSession() and $registerCall) ? OC_Util::callRegister() : '';
+ $requestToken = (OC::$server->getSession() && $registerCall) ? \OCP\Util::callRegister() : '';
$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
$l10n = \OC::$server->getL10N($parts[0]);
@@ -89,7 +89,7 @@ class OC_Template extends \OC\Template\Base {
$this->path = $path;
$this->app = $app;
- parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
+ parent::__construct($template, $requestToken, $l10n, $themeDefaults);
}
public static function initTemplateEngine($renderAs) {
diff --git a/lib/private/template/base.php b/lib/private/template/base.php
index 944747197b7..938cca4c38d 100644
--- a/lib/private/template/base.php
+++ b/lib/private/template/base.php
@@ -34,12 +34,13 @@ class Base {
/**
* @param string $template
+ * @param string $requestToken
* @param \OC_L10N $l10n
* @param \OC_Defaults $theme
*/
- public function __construct( $template, $requesttoken, $l10n, $theme ) {
+ public function __construct($template, $requestToken, $l10n, $theme ) {
$this->vars = array();
- $this->vars['requesttoken'] = $requesttoken;
+ $this->vars['requesttoken'] = $requestToken;
$this->l10n = $l10n;
$this->template = $template;
$this->theme = $theme;
diff --git a/lib/private/user.php b/lib/private/user.php
index 7d1f21cc409..90925a2c89a 100644
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -328,7 +328,7 @@ class OC_User {
return $backend->getLogoutAttribute();
}
- return 'href="' . link_to('', 'index.php') . '?logout=true&amp;requesttoken=' . urlencode(OC_Util::callRegister()) . '"';
+ return 'href="' . link_to('', 'index.php') . '?logout=true&amp;requesttoken=' . urlencode(\OCP\Util::callRegister()) . '"';
}
/**
diff --git a/lib/private/util.php b/lib/private/util.php
index 5ae5c452d6b..64695d95a03 100644
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1105,42 +1105,6 @@ class OC_Util {
return $id;
}
- protected static $obfuscatedToken;
- /**
- * Register an get/post call. Important to prevent CSRF attacks.
- *
- * @return string The encrypted CSRF token, the shared secret is appended after the `:`.
- *
- * @description
- * Creates a 'request token' (random) and stores it inside the session.
- * Ever subsequent (ajax) request must use such a valid token to succeed,
- * otherwise the request will be denied as a protection against CSRF.
- */
- public static function callRegister() {
- // Use existing token if function has already been called
- if(isset(self::$obfuscatedToken)) {
- return self::$obfuscatedToken;
- }
-
- $tokenLength = 30;
-
- // Check if a token exists
- if (!\OC::$server->getSession()->exists('requesttoken')) {
- // No valid token found, generate a new one.
- $requestToken = \OC::$server->getSecureRandom()->generate($tokenLength);
- \OC::$server->getSession()->set('requesttoken', $requestToken);
- } else {
- // Valid token already exists, send it
- $requestToken = \OC::$server->getSession()->get('requesttoken');
- }
-
- // XOR the token to mitigate breach-like attacks
- $sharedSecret = \OC::$server->getSecureRandom()->generate($tokenLength);
- self::$obfuscatedToken = base64_encode($requestToken ^ $sharedSecret) .':'.$sharedSecret;
-
- return self::$obfuscatedToken;
- }
-
/**
* Public function to sanitize HTML
*
diff --git a/lib/public/util.php b/lib/public/util.php
index 4762f595c2d..45df62ac735 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -480,18 +480,28 @@ class Util {
}
/**
+ * Cached encrypted CSRF token. Some static unit-tests of ownCloud compare
+ * multiple OC_Template elements which invoke `callRegister`. If the value
+ * would not be cached these unit-tests would fail.
+ * @var string
+ */
+ private static $token = '';
+
+ /**
* Register an get/post call. This is important to prevent CSRF attacks
- * TODO: write example
* @since 4.5.0
*/
public static function callRegister() {
- return(\OC_Util::callRegister());
+ if(self::$token === '') {
+ self::$token = \OC::$server->getCsrfTokenManager()->getToken()->getEncryptedValue();
+ }
+ return self::$token;
}
/**
* Check an ajax get/post call if the request token is valid. exit if not.
- * Todo: Write howto
* @since 4.5.0
+ * @deprecated 9.0.0 Use annotations based on the app framework.
*/
public static function callCheck() {
if (!(\OC::$server->getRequest()->passesCSRFCheck())) {