Fix CSRF vulnerability

Sylius · Jul 8, 2018 · 24ee0d7 · 24ee0d7
1 parent 3a78b4f
commit 24ee0d7
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 0 deletions.
diff --git a/UPGRADE-1.0.md b/UPGRADE-1.0.md
@@ -1,3 +1,9 @@
+# UPGRADE FROM `v1.0.16` TO `v1.0.17`
+
+* `Sylius\Bundle\ResourceBundle\Controller::applyStateMachineTransitionAction` method now includes CSRF token checks due 
+  to security reasons. If you used it for REST API, these checks can be disabled by adding 
+  `csrf_protection: false` to your routing configuration. 
+
 # UPGRADE FROM `v1.0.8` TO `v1.0.9`
 
 * `Sylius\Bundle\CoreBundle\Templating\Helper\VariantResolverHelper`'s `resolveVariant(ProductInterface $product): ProductVariantInterface`

diff --git a/src/Sylius/Bundle/AdminApiBundle/Resources/config/routing/order.yml b/src/Sylius/Bundle/AdminApiBundle/Resources/config/routing/order.yml
@@ -56,4 +56,5 @@ sylius_admin_api_order_payment_complete:
                 graph: sylius_payment
                 transition: complete
             section: admin_api
+            csrf_protection: false
             return_content: false
diff --git a/src/Sylius/Bundle/AdminBundle/Resources/views/Order/Show/_payment.html.twig b/src/Sylius/Bundle/AdminBundle/Resources/views/Order/Show/_payment.html.twig
@@ -17,6 +17,7 @@
     {% if sm_can(payment, 'complete', 'sylius_payment') %}
     <div class="ui segment">
         <form action="{{ path('sylius_admin_order_payment_complete', {'orderId': order.id, 'id': payment.id}) }}" method="post" novalidate>
+            <input type="hidden" name="_csrf_token" value="{{ csrf_token(payment.id) }}" />
             <input type="hidden" name="_method" value="PUT">
             <button type="submit" class="ui icon labeled tiny blue fluid loadable button"><i class="check icon"></i> {{ 'sylius.ui.complete'|trans }}</button>
         </form>
@@ -25,6 +26,7 @@
     {% if sm_can(payment, 'refund', 'sylius_payment') %}
         <div class="ui segment">
             <form action="{{ path('sylius_admin_order_payment_refund', {'orderId': order.id, 'id': payment.id}) }}" method="post" novalidate>
+                <input type="hidden" name="_csrf_token" value="{{ csrf_token(payment.id) }}" />
                 <input type="hidden" name="_method" value="PUT">
                 <button type="submit" class="ui icon labeled tiny yellow fluid loadable button"><i class="reply all icon"></i> {{ 'sylius.ui.refund'|trans }}</button>
             </form>

diff --git a/src/Sylius/Bundle/ResourceBundle/Controller/ResourceController.php b/src/Sylius/Bundle/ResourceBundle/Controller/ResourceController.php
@@ -469,6 +469,10 @@ public function applyStateMachineTransitionAction(Request $request): Response
         $this->isGrantedOr403($configuration, ResourceActions::UPDATE);
         $resource = $this->findOr404($configuration);
 
+        if ($configuration->isCsrfProtectionEnabled() && !$this->isCsrfTokenValid($resource->getId(), $request->request->get('_csrf_token'))) {
+            throw new HttpException(Response::HTTP_FORBIDDEN, 'Invalid CSRF token.');
+        }
+
         $event = $this->eventDispatcher->dispatchPreEvent(ResourceActions::UPDATE, $configuration, $resource);
 
         if ($event->isStopped() && !$configuration->isHtmlRequest()) {

diff --git a/src/Sylius/Bundle/UiBundle/Resources/views/Grid/Action/applyTransition.html.twig b/src/Sylius/Bundle/UiBundle/Resources/views/Grid/Action/applyTransition.html.twig
@@ -1,5 +1,6 @@
 {% if sm_can(data, options.transition, options.graph) %}
     <form action="{{ path(options.link.route, options.link.parameters) }}" method="post">
+        <input type="hidden" name="_csrf_token" value="{{ csrf_token(data.id) }}">
         <input type="hidden" name="_method" value="PUT">
         <button class="ui loadable {{ options.class }} labeled icon button" type="submit"><i class="{{ action.icon }} icon"></i> {{ action.label|trans }}</button>
     </form>