From da81b71f9337621a60def04c304cb301321163b7 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Fri, 3 Jan 2020 13:08:37 +0100
Subject: [PATCH] Only allow requesting new CSRF tokens if it passes the
 SameSite Cookie test

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 core/Controller/CSRFTokenController.php           |  5 +++++
 tests/Core/Controller/CSRFTokenControllerTest.php | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
index 1ae4dce6a13..b4b04ba2669 100644
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -28,6 +28,7 @@ namespace OC\Core\Controller;
 
 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
@@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
 	 * @return JSONResponse
 	 */
 	public function index(): JSONResponse {
+		if (!$this->request->passesStrictCookieCheck()) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$requestToken = $this->tokenManager->getToken();
 
 		return new JSONResponse([
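Review bot: The docblock that ends on the `*/` line just above `index()` still describes only the success path, while the new guard introduces a second outcome: an empty JSON body with `Http::STATUS_FORBIDDEN` whenever `passesStrictCookieCheck()` fails. A reader of the controller (or of the client that polls this endpoint) has no indication from the documentation that a 403 here means "no strict SameSite cookie was sent" rather than a permission problem. I would extend the docblock with `@return JSONResponse the new token, or an empty response with status 403 when the request does not pass the strict SameSite cookie check`. The body of `index()` continues past the end of this hunk, so the remainder of the success path is not visible here.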
diff --git a/tests/Core/Controller/CSRFTokenControllerTest.php b/tests/Core/Controller/CSRFTokenControllerTest.php
index 74eebf61749..a02f84832e5 100644
--- a/tests/Core/Controller/CSRFTokenControllerTest.php
+++ b/tests/Core/Controller/CSRFTokenControllerTest.php
@@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
 			$this->tokenManager);
 	}
 
-	public function testGetToken() {
+	public function testGetToken(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(true);
+
 		$token = $this->createMock(CsrfToken::class);
 		$this->tokenManager->method('getToken')->willReturn($token);
 		$token->method('getEncryptedValue')->willReturn('toktok123');
@@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
 			], $response->getData());
 	}
 
+	public function testGetTokenNoStrictSameSiteCookie(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(false);
+
+		$response = $this->controller->index();
+
+		$this->assertInstanceOf(JSONResponse::class, $response);
+		$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
 }
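Review bot: `testGetTokenNoStrictSameSiteCookie` checks the status code but does not pin the property that makes this guard worthwhile, namely that no token is minted when the cookie check fails. If the early return were ever moved below the `getToken()` call, the test would still pass. Adding `$this->tokenManager->expects($this->never())->method('getToken');` before the `index()` call, and `$this->assertSame([], $response->getData());` after the status assertion, would make the test fail on exactly that regression and also document that the 403 body is intentionally empty.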
-- 
GitLab