Only allow requesting new CSRF tokens if it passes the SameSite Cookie test

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Only allow requesting new CSRF tokens if it passes the SameSite Cookie test
da81b71f · Roeland Jago Douma · 7976cb7e · da81b71f · da81b71f
Unverified Commit da81b71f authored 5 years ago by Roeland Jago Douma
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -28,6 +28,7 @@ namespace OC\Core\Controller;

 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;

@@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
 	 * @return JSONResponse
 	 */
 	public function index(): JSONResponse {
+		if (!$this->request->passesStrictCookieCheck()) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$requestToken = $this->tokenManager->getToken();

 		return new JSONResponse([

--- a/tests/Core/Controller/CSRFTokenControllerTest.php
+++ b/tests/Core/Controller/CSRFTokenControllerTest.php
@@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
 			$this->tokenManager);
 	}

-	public function testGetToken() {
+	public function testGetToken(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(true);
+
 		$token = $this->createMock(CsrfToken::class);
 		$this->tokenManager->method('getToken')->willReturn($token);
 		$token->method('getEncryptedValue')->willReturn('toktok123');
@@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
 			], $response->getData());
 	}

+	public function testGetTokenNoStrictSameSiteCookie(): void {
+		$this->request->method('passesStrictCookieCheck')->willReturn(false);
+
+		$response = $this->controller->index();
+
+		$this->assertInstanceOf(JSONResponse::class, $response);
+		$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
+	}
+
 }