Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add CSRF token randomization #5283

Merged
merged 7 commits into from
Nov 14, 2021
Merged

feat: add CSRF token randomization #5283

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0355175
feat: add CSRF token randomization
kenjis Nov 4, 2021
f95e75f
refactor: rename variable names
kenjis Nov 14, 2021
1037f7f
refactor: CSRF_HASH_BYTES can be overridden
kenjis Nov 14, 2021
1811d00
test: add $this->expectExceptionMessage();
kenjis Nov 14, 2021
b1bc7ba
docs: add Token Randomization to user guide
kenjis Nov 14, 2021
29bfacf
test: fix assertions
kenjis Nov 14, 2021
899d7d4
test: refactor MockSecurity
kenjis Nov 14, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions app/Config/Security.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,17 @@ class Security extends BaseConfig
*/
public $csrfProtection = 'cookie';

/**
* --------------------------------------------------------------------------
* CSRF Token Randomization
* --------------------------------------------------------------------------
*
* Randomize the CSRF Token for added security.
*
* @var bool
*/
public $tokenRandomize = false;

/**
* --------------------------------------------------------------------------
* CSRF Token Name
Expand Down
1 change: 1 addition & 0 deletions env
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@
#--------------------------------------------------------------------

# security.csrfProtection = 'cookie'
# security.tokenRandomize = false
# security.tokenName = 'csrf_token_name'
# security.headerName = 'X-CSRF-TOKEN'
# security.cookieName = 'csrf_cookie_name'
Expand Down
43 changes: 40 additions & 3 deletions system/Security/Security.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
use Config\Cookie as CookieConfig;
use Config\Security as SecurityConfig;
use Config\Services;
use LogicException;

/**
* Class Security
Expand All @@ -30,6 +31,7 @@ class Security implements SecurityInterface
{
public const CSRF_PROTECTION_COOKIE = 'cookie';
public const CSRF_PROTECTION_SESSION = 'session';
protected const CSRF_HASH_BYTES = 16;

/**
* CSRF Protection Method
Expand All @@ -40,6 +42,13 @@ class Security implements SecurityInterface
*/
protected $csrfProtection = self::CSRF_PROTECTION_COOKIE;

/**
* CSRF Token Randomization
*
* @var bool
*/
protected $tokenRandomize = false;

/**
* CSRF Hash
*
Expand Down Expand Up @@ -167,6 +176,7 @@ public function __construct(App $config)
$this->regenerate = $security->regenerate ?? $this->regenerate;
$this->rawCookieName = $security->cookieName ?? $this->rawCookieName;
$this->expires = $security->expires ?? $this->expires;
$this->tokenRandomize = $security->tokenRandomize ?? $this->tokenRandomize;
} else {
// `Config/Security.php` is absence
$this->tokenName = $config->CSRFTokenName ?? $this->tokenName;
Expand Down Expand Up @@ -270,7 +280,8 @@ public function verify(RequestInterface $request)
return $this;
}

$token = $this->getPostedToken($request);
$token = $this->tokenRandomize ? $this->derandomize($this->getPostedToken($request))
: $this->getPostedToken($request);

// Do the tokens match?
if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
Expand Down Expand Up @@ -329,7 +340,33 @@ private function getPostedToken(RequestInterface $request): ?string
*/
public function getHash(): ?string
{
return $this->hash;
return $this->tokenRandomize ? $this->randomize($this->hash) : $this->hash;
}

/**
* Randomize hash to avoid BREACH attacks.
*/
protected function randomize(string $hash): string
{
$keyBinary = random_bytes(static::CSRF_HASH_BYTES);
$hashBinary = hex2bin($hash);

if ($hashBinary === false) {
throw new LogicException('$hash is invalid: ' . $hash);
paulbalandan marked this conversation as resolved.
Show resolved Hide resolved
}

return bin2hex(($hashBinary ^ $keyBinary) . $keyBinary);
}

/**
* Derandomize the token.
*/
protected function derandomize(string $token): string
{
$key = substr($token, -static::CSRF_HASH_BYTES * 2);
$value = substr($token, 0, static::CSRF_HASH_BYTES * 2);

return bin2hex(hex2bin($value) ^ hex2bin($key));
}

/**
Expand Down Expand Up @@ -461,7 +498,7 @@ protected function generateHash(): string
return $this->hash = $this->session->get($this->tokenName);
}

$this->hash = bin2hex(random_bytes(16));
$this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));

if ($this->isCSRFCookie()) {
$this->saveHashInCookie();
Expand Down
8 changes: 8 additions & 0 deletions system/Test/Mock/MockSecurity.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,4 +19,12 @@ protected function doSendCookie(): void
{
$_COOKIE['csrf_cookie_name'] = $this->hash;
}

protected function randomize(string $hash): string
{
$keyBinary = hex2bin('005513c290126d34d41bf41c5265e0f1');
$hashBinary = hex2bin($hash);

return bin2hex(($hashBinary ^ $keyBinary) . $keyBinary);
}
}
Loading