aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorFerdinand Thiessen <rpm@fthiessen.de>2023-01-26 21:08:10 +0100
committerFerdinand Thiessen <rpm@fthiessen.de>2023-02-16 22:55:18 +0100
commitf655f83c840f30781999cd84d800cb2cc27983bf (patch)
tree8df8276fc81af6224b936482109ca49be9cb5013 /tests
parent57c974f421e8a409ef728fae0b1ac670a70c7f11 (diff)
downloadnextcloud-server-f655f83c840f30781999cd84d800cb2cc27983bf.tar.gz
nextcloud-server-f655f83c840f30781999cd84d800cb2cc27983bf.zip
fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
Diffstat (limited to 'tests')
-rw-r--r--tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php36
1 files changed, 35 insertions, 1 deletions
diff --git a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
index f3c1f7934ef..986d0e577b7 100644
--- a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
@@ -123,10 +123,12 @@ class CORSMiddlewareTest extends \Test\TestCase {
}
/**
+ * CORS must not be enforced for anonymous users on public pages
+ *
* @CORS
* @PublicPage
*/
- public function testNoCORSShouldAllowCookieAuth() {
+ public function testNoCORSOnAnonymousPublicPage() {
$request = new Request(
[],
$this->createMock(IRequestId::class),
@@ -134,6 +136,9 @@ class CORSMiddlewareTest extends \Test\TestCase {
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
+ $this->session->expects($this->once())
+ ->method('isLoggedIn')
+ ->willReturn(false);
$this->session->expects($this->never())
->method('logout');
$this->session->expects($this->never())
@@ -146,6 +151,35 @@ class CORSMiddlewareTest extends \Test\TestCase {
}
/**
+ * Even on public pages users logged in using session cookies,
+ * that do not provide a valid CSRF token are disallowed
+ *
+ * @CORS
+ * @PublicPage
+ */
+ public function testCORSShouldNeverAllowCookieAuth() {
+ $request = new Request(
+ [],
+ $this->createMock(IRequestId::class),
+ $this->createMock(IConfig::class)
+ );
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
+ $this->session->expects($this->once())
+ ->method('isLoggedIn')
+ ->willReturn(true);
+ $this->session->expects($this->once())
+ ->method('logout');
+ $this->session->expects($this->never())
+ ->method('logClientIn')
+ ->with($this->equalTo('user'), $this->equalTo('pass'))
+ ->willReturn(true);
+
+ $this->expectException(SecurityException::class);
+ $middleware->beforeController($this->controller, __FUNCTION__);
+ }
+
+ /**
* @CORS
*/
public function testCORSShouldRelogin() {