author | Ferdinand Thiessen <rpm@fthiessen.de> | 2023-01-26 21:08:10 +0100 |
committer | Ferdinand Thiessen <rpm@fthiessen.de> | 2023-02-16 22:55:18 +0100 |
commit | f655f83c840f30781999cd84d800cb2cc27983bf (patch) | |
tree | 8df8276fc81af6224b936482109ca49be9cb5013 /tests/lib/AppFramework/Middleware/Security | |
parent | 57c974f421e8a409ef728fae0b1ac670a70c7f11 (diff) | |
fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
Diffstat (limited to 'tests/lib/AppFramework/Middleware/Security')
-rw-r--r-- | tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
index f3c1f7934ef..986d0e577b7 100644
--- a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
@@ -123,10 +123,12 @@ class CORSMiddlewareTest extends \Test\TestCase {
 }
 /**
+ * CORS must not be enforced for anonymous users on public pages
+ *
 * @CORS
 * @PublicPage
 */
- public function testNoCORSShouldAllowCookieAuth() {
+ public function testNoCORSOnAnonymousPublicPage() {
 $request = new Request(
 [],
 $this->createMock(IRequestId::class),
@@ -134,6 +136,9 @@ class CORSMiddlewareTest extends \Test\TestCase {
 );
 $this->reflector->reflect($this, __FUNCTION__);
 $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
+ $this->session->expects($this->once())
+ ->method('isLoggedIn')
+ ->willReturn(false);
 $this->session->expects($this->never())
 ->method('logout');
 $this->session->expects($this->never())
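Review bot: The new docblock on testNoCORSOnAnonymousPublicPage states the rule but not why an anonymous request may skip the check, which is the part of this commit a later reader will question when the `isLoggedIn` expectation returning `false` looks arbitrary. Suggest adding `* With no logged-in session there is presumably no cookie-authenticated state a cross-site request could ride on; the logged-in case is covered by testCORSShouldNeverAllowCookieAuth.` to that docblock. The test body continues past the end of the hunk, so the assertion on the permitted outcome is not visible here.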
@@ -146,6 +151,35 @@ class CORSMiddlewareTest extends \Test\TestCase {
 }
 /**
+ * Even on public pages users logged in using session cookies,
+ * that do not provide a valid CSRF token are disallowed
+ *
+ * @CORS
+ * @PublicPage
+ */
+ public function testCORSShouldNeverAllowCookieAuth() {
+ $request = new Request(
+ [],
+ $this->createMock(IRequestId::class),
+ $this->createMock(IConfig::class)
+ );
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
+ $this->session->expects($this->once())
+ ->method('isLoggedIn')
+ ->willReturn(true);
+ $this->session->expects($this->once())
+ ->method('logout');
+ $this->session->expects($this->never())
+ ->method('logClientIn')
+ ->with($this->equalTo('user'), $this->equalTo('pass'))
+ ->willReturn(true);
+
+ $this->expectException(SecurityException::class);
+ $middleware->beforeController($this->controller, __FUNCTION__);
+ }
+
+ /**
 * @CORS
 */
 public function testCORSShouldRelogin() {
|
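Review bot: In testCORSShouldNeverAllowCookieAuth the `expects($this->never())` on `logClientIn` is followed by `->with($this->equalTo('user'), $this->equalTo('pass'))` and `->willReturn(true)`, which can never apply to a method the test asserts is not called; the constraint and stub look carried over from testCORSShouldRelogin and should be reduced to `$this->session->expects($this->never())->method('logClientIn');`. The docblock also promises that only cookie sessions lacking a valid CSRF token are rejected, yet nothing pins the complementary case of a logged-in user on a public page whose request does pass the CSRF check; if the middleware consults the request's CSRF check, a sibling test stubbing that check to pass and asserting neither an exception nor a `logout` call would cover both halves of the rule in the commit title. The body of testCORSShouldRelogin, whose opening line closes the hunk, lies outside it.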