copilot 1st draft

remove form helpers

remove constants

remove magic

array_key_exists

WIP single use tokens

remove normal token in favor of single use tokens

rename function

better logging

fixup

require

refactor

add inputs to all forms

validate in all pages

remove file

remove from init

remove from ajax

fixup tests

init csrf_tokens array

unique sessions for test cases

automatically generate csrf tokens for http_post in testing

add missing imports

don't overwrite tokens

validate in POST in header.php

remove bad test

set csrf_tokens array even if unauthenticated

add session cleanup

write session data to filesystem immediately on cleanup

rename config option

clear should leave an empty array

must session_start before accessing $_SESSION

change test

dont validate twice in header.php

update test case to check for double verification

Author: simonLeary42

defaults/config.ini.default

@@ -18,6 +18,7 @@ enable_verbose_error_log = true ; internal use only
 enable_redirect_message = true ; internal use only
 enable_exception_handler = true ; internal use only
 enable_error_handler = true ; internal use only
+session_cleanup_idle_seconds = 1800 ; how long a session must be idle before messages and CSRF tokens are cleared
 
 [ldap]
 uri = "ldap://identity"  ; URI of remote LDAP server

resources/autoload.php

@@ -24,6 +24,7 @@
 require_once __DIR__ . "/lib/UnityWebhook.php";
 require_once __DIR__ . "/lib/UnityGithub.php";
 require_once __DIR__ . "/lib/utils.php";
+require_once __DIR__ . "/lib/CSRFToken.php";
 require_once __DIR__ . "/lib/exceptions/NoDieException.php";
 require_once __DIR__ . "/lib/exceptions/SSOException.php";
 require_once __DIR__ . "/lib/exceptions/ArrayKeyException.php";

resources/init.php

@@ -21,8 +21,6 @@
     set_error_handler(["UnityWebPortal\lib\UnityHTTPD", "errorHandler"]);
 }
 
-session_start();
-
 if (isset($GLOBALS["ldapconn"])) {
     $LDAP = $GLOBALS["ldapconn"];
 } else {
@@ -34,10 +32,24 @@
 $WEBHOOK = new UnityWebhook();
 $GITHUB = new UnityGithub();
 
+session_start();
+// https://stackoverflow.com/a/1270960/18696276
+if (time() - ($_SESSION["LAST_ACTIVITY"] ?? 0) > CONFIG["site"]["session_cleanup_idle_seconds"]) {
+    $_SESSION["csrf_tokens"] = [];
+    $_SESSION["messages"] = [];
+    session_write_close();
+    session_start();
+}
+$_SESSION["LAST_ACTIVITY"] = time();
+
 if (!array_key_exists("messages", $_SESSION)) {
     $_SESSION["messages"] = [];
 }
 
+if (!array_key_exists("csrf_tokens", $_SESSION)) {
+    $_SESSION["csrf_tokens"] = [];
+}
+
 if (isset($_SERVER["REMOTE_USER"])) {
     // Check if SSO is enabled on this page
     $SSO = UnitySSO::getSSO();

resources/lib/CSRFToken.php

@@ -0,0 +1,67 @@
+<?php
+namespace UnityWebPortal\lib;
+
+class CSRFToken
+{
+    private static function ensureSessionCSRFTokensSanity(): void
+    {
+        if (!isset($_SESSION)) {
+            throw new \RuntimeException("Session is not started. Call session_start() first.");
+        }
+        if (!array_key_exists("csrf_tokens", $_SESSION)) {
+            UnityHTTPD::errorLog(
+                "invalid session",
+                '$_SESSION has no array key "csrf_tokens"',
+                data: ['$_SESSION' => $_SESSION],
+            );
+            $_SESSION["csrf_tokens"] = [];
+        }
+        if (!is_array($_SESSION["csrf_tokens"])) {
+            UnityHTTPD::errorLog(
+                "invalid session",
+                '$_SESSION["csrf_tokens"] is not an array',
+                data: ['$_SESSION' => $_SESSION],
+            );
+            $_SESSION["csrf_tokens"] = [];
+        }
+    }
+
+    public static function generate(): string
+    {
+        self::ensureSessionCSRFTokensSanity();
+        $token = bin2hex(random_bytes(32));
+        $_SESSION["csrf_tokens"][$token] = false;
+        return $token;
+    }
+
+    public static function validate(string $token): bool
+    {
+        self::ensureSessionCSRFTokensSanity();
+        if ($token === "") {
+            UnityHTTPD::errorLog("empty CSRF token", "");
+            return false;
+        }
+        if (!array_key_exists($token, $_SESSION["csrf_tokens"])) {
+            UnityHTTPD::errorLog("unknown CSRF token", $token);
+            return false;
+        }
+        $entry = $_SESSION["csrf_tokens"][$token];
+        if ($entry === true) {
+            UnityHTTPD::errorLog("reused CSRF token", $token);
+            return false;
+        }
+        $_SESSION["csrf_tokens"][$token] = true;
+        return true;
+    }
+
+    public static function clear(): void
+    {
+        if (!isset($_SESSION)) {
+            return;
+        }
+        if (array_key_exists("csrf_tokens", $_SESSION)) {
+            unset($_SESSION["csrf_tokens"]);
+        }
+        $_SESSION["csrf_tokens"] = [];
+    }
+}

resources/lib/UnityHTTPD.php

@@ -390,4 +390,18 @@ public static function deleteMessage(UnityHTTPDMessageLevel $level, string $titl
         unset($_SESSION["messages"][$index]);
         $_SESSION["messages"] = array_values($_SESSION["messages"]);
     }
+
+    public static function validatePostCSRFToken(): void
+    {
+        $token = self::getPostData("csrf_token");
+        if (!CSRFToken::validate($token)) {
+            self::badRequest("CSRF token validation failed", data: ["token" => $token]);
+        }
+    }
+
+    public static function getCSRFTokenHiddenFormInput(): string
+    {
+        $token = htmlspecialchars(CSRFToken::generate());
+        return "<input type='hidden' name='csrf_token' value='$token'>";
+    }
 }

resources/templates/header.php

@@ -3,6 +3,8 @@
 use UnityWebPortal\lib\UnityHTTPD;
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+    // another page should have already validated and we can't validate the same token twice
+    // UnityHTTPD::validatePostCSRFToken();
     if (
         ($_SESSION["is_admin"] ?? false) == true
         && ($_POST["form_type"] ?? null) == "clearView"
@@ -179,10 +181,12 @@
         && isset($_SESSION["viewUser"])
     ) {
         $viewUser = $_SESSION["viewUser"];
+        $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
         echo "
           <div id='viewAsBar'>
             <span>You are accessing the web portal as the user <strong>$viewUser</strong></span>
             <form method='POST' action=''>
+              $CSRFTokenHiddenFormInput
               <input type='hidden' name='form_type' value='clearView'>
               <input type='hidden' name='uid' value='$viewUser'>
               <input type='submit' value='Return to My User'>

test/functional/ViewAsUserTest.php

@@ -25,7 +25,7 @@ public function _testViewAsUser(array $beforeUser, array $afterUser)
         // now we should be new user
         $this->assertEquals($afterUid, $USER->uid);
         // $this->assertTrue($_SESSION["user_exists"]);
-        http_post(__DIR__ . "/../../resources/templates/header.php", [
+        http_post(__DIR__ . "/../../webroot/panel/account.php", [
             "form_type" => "clearView",
         ]);
         $this->assertArrayNotHasKey("viewUser", $_SESSION);

test/phpunit-bootstrap.php

@@ -15,6 +15,7 @@
 require_once __DIR__ . "/../resources/lib/UnityWebhook.php";
 require_once __DIR__ . "/../resources/lib/UnityGithub.php";
 require_once __DIR__ . "/../resources/lib/utils.php";
+require_once __DIR__ . "/../resources/lib/CSRFToken.php";
 require_once __DIR__ . "/../resources/lib/exceptions/NoDieException.php";
 require_once __DIR__ . "/../resources/lib/exceptions/SSOException.php";
 require_once __DIR__ . "/../resources/lib/exceptions/ArrayKeyException.php";
@@ -25,6 +26,7 @@
 require_once __DIR__ . "/../resources/lib/exceptions/EncodingConversionException.php";
 require_once __DIR__ . "/../resources/lib/exceptions/UnityHTTPDMessageNotFoundException.php";
 
+use UnityWebPortal\lib\CSRFToken;
 use UnityWebPortal\lib\UnityGroup;
 use UnityWebPortal\lib\UnityHTTPD;
 use UnityWebPortal\lib\UnitySQL;
@@ -97,7 +99,7 @@ function switchUser(
     ensure(!is_null($USER));
 }
 
-function http_post(string $phpfile, array $post_data, bool $enforce_PRG = true): void
+function http_post(string $phpfile, array $post_data, bool $enforce_PRG = true, bool $do_generate_csrf_token = true): void
 {
     global $LDAP,
         $SQL,
@@ -115,6 +117,9 @@ function http_post(string $phpfile, array $post_data, bool $enforce_PRG = true):
     $_SERVER["REQUEST_METHOD"] = "POST";
     $_SERVER["PHP_SELF"] = preg_replace("/.*webroot\//", "/", $phpfile);
     $_SERVER["REQUEST_URI"] = preg_replace("/.*webroot\//", "/", $phpfile); // Slightly imprecise because it doesn't include get parameters
+    if (!array_key_exists("csrf_token", $post_data) && $do_generate_csrf_token) {
+        $post_data["csrf_token"] = CSRFToken::generate();
+    }
     $_POST = $post_data;
     ob_start();
     $post_did_redirect_or_die = false;

test/unit/CSRFTokenTest.php

@@ -0,0 +1,83 @@
+<?php
+use PHPUnit\Framework\TestCase;
+use UnityWebPortal\lib\CSRFToken;
+
+class CSRFTokenTest extends TestCase
+{
+    protected function setUp(): void
+    {
+        session_id(uniqid());
+        session_start();
+        $_SESSION["csrf_tokens"] = [];
+    }
+
+    protected function tearDown(): void
+    {
+        CSRFToken::clear();
+        session_write_close();
+        session_id(uniqid());
+    }
+
+    public function testGenerateCreatesToken(): void
+    {
+        $token = CSRFToken::generate();
+        $this->assertIsString($token);
+        $this->assertEquals(64, strlen($token));
+        $this->assertMatchesRegularExpression('/^[0-9a-f]{64}$/', $token);
+    }
+
+    public function testGenerateStoresTokenInSession(): void
+    {
+        $token = CSRFToken::generate();
+        $this->assertArrayHasKey("csrf_tokens", $_SESSION);
+        $this->assertArrayHasKey($token, $_SESSION["csrf_tokens"]);
+        $this->assertFalse($_SESSION["csrf_tokens"][$token]);
+    }
+
+    public function testValidateWithValidToken(): void
+    {
+        $token = CSRFToken::generate();
+        $this->assertTrue(CSRFToken::validate($token));
+        $this->assertTrue($_SESSION["csrf_tokens"][$token]);
+    }
+
+    public function testValidateWithInvalidToken(): void
+    {
+        CSRFToken::generate();
+        $this->assertFalse(CSRFToken::validate("invalid_token"));
+    }
+
+    public function testValidateWithEmptyToken(): void
+    {
+        CSRFToken::generate();
+        $this->assertFalse(CSRFToken::validate(""));
+    }
+
+    public function testValidateWithoutSessionToken(): void
+    {
+        $this->assertFalse(CSRFToken::validate("any_token"));
+    }
+
+    public function testClearRemovesToken(): void
+    {
+        CSRFToken::generate();
+        $this->assertNotEmpty($_SESSION["csrf_tokens"]);
+        CSRFToken::clear();
+        $this->assertEmpty($_SESSION["csrf_tokens"]);
+    }
+
+    public function testMultipleTokenGenerations(): void
+    {
+        $token1 = CSRFToken::generate();
+        $token2 = CSRFToken::generate();
+        $this->assertNotEquals($token1, $token2);
+    }
+
+    public function testTokenIsSingleUse(): void
+    {
+        $token = CSRFToken::generate();
+        $this->assertTrue(CSRFToken::validate($token));
+        $this->assertFalse(CSRFToken::validate($token));
+        $this->assertTrue($_SESSION["csrf_tokens"][$token]);
+    }
+}

webroot/admin/ajax/get_group_members.php

@@ -31,6 +31,7 @@
     echo "<td>$uid</td>";
     echo "<td><a href='mailto:$mail'>$mail</a></td>";
     echo "<td>";
+    $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
     echo "
         <form
             action=''
@@ -39,6 +40,7 @@
                 return confirm(\"Are you sure you want to remove $uid from this group?\");
             '
         >
+        $CSRFTokenHiddenFormInput
         <input type='hidden' name='form_type' value='remUserChild'>
         <input type='hidden' name='uid' value='$uid'>
         <input type='hidden' name='pi' value='$group->gid'>
@@ -62,9 +64,11 @@
     echo "<td>$user->uid</td>";
     echo "<td><a href='mailto:$email'>$email</a></td>";
     echo "<td>";
+    $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
     echo
         "<form action='' method='POST'
     onsubmit='return confirm(\"Are you sure you want to approve $user->uid ?\");'>
+    $CSRFTokenHiddenFormInput
     <input type='hidden' name='form_type' value='reqChild'>
     <input type='hidden' name='uid' value='$user->uid'>
     <input type='hidden' name='pi' value='$group->gid'>