phpgt / csrf
Automatic protection from Cross-Site Request Forgery.
Home Page: https://www.php.gt/csrf
License: MIT License
This would reduce the attack surface, countering the fact that far more tokens will be generated to allow AJAX forms to be permitted (feature #14).
At the moment, the ArrayTokenStore remains in-play for as long as the session survives.
@g105b any thoughts on the timeout? 30 mins maybe? Don't want to frustrate people who take a phone-call or take a long time filling out a form before they click a button.
Ensure coding styleguide is matched
Currently it's set at 64 characters, and there is no way for users to change it. Frankly, 6 characters would probably be more than sufficient and considerably quicker (though it's pretty snappy already...)
Currently, JavaScript would have to parse the token out of a form somewhere in the page (assuming one exists). Adding a specific tag to the head (which is reliably in the same place) would simplify the JavaScript logic considerably.
Remember composer.json's autoload bit.
Spawned from #16.
On busy sites with many forms per page, long session timeouts and many users the amount of memory used for storing all these tokens could become significant.
Obvious options to resolve include a timeout or a limit to the number of tokens in circulation per user.
The timeout is not optimal because it would have to be long (2 hours?) to allow users to take a call or be part way through filling out a form then doing something else etc
The fixed number of tokens seems more useful as it can be tuned to an appropriate depth for a given application - a number much smaller than the total number of tokens generated over a period of hours. HOWEVER, should a user leave one tab open then start working on another they could invalidate the tokens associated with the first page. This could be mitigated by setting the limit to a fairly high number (1,000?) but the risk would remain.
Thoughts @g105b?
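As an added example (not PhpGt/csrf code, and not the project's ArrayTokenStore), here is one way to combine both options raised in this issue in a single session-backed store: a cap on the number of live tokens per user, evicting the oldest first, plus a time-to-live so idle tokens are purged. Tokens come from PHP's own random_bytes, verification uses hash_equals and throws instead of returning false, and a token is consumed on first use. The class and method names (BoundedSessionTokenStore, CsrfTokenException, generate, verify, liveCount) and the default limits are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PhpGt/csrf code. A session-backed token store that bounds
// per-user memory with both a cap on live tokens and a time-to-live, so the
// session array cannot grow without limit on form-heavy pages.
// Class, method names and default limits are illustrative assumptions.

final class CsrfTokenException extends RuntimeException {}

final class BoundedSessionTokenStore
{
    private const KEY = "csrf_tokens";

    /** @var array<string,int> token => expiry timestamp; a reference into the session */
    private $tokens;

    /**
     * @param array $session usually $_SESSION; a plain array works for tests
     */
    public function __construct(
        array &$session,
        private int $maxTokens = 1000,
        private int $ttlSeconds = 7200,
        private int $byteLength = 32    // 32 random bytes -> 64 hex characters
    ) {
        if ($maxTokens < 1 || $ttlSeconds < 1 || $byteLength < 16) {
            throw new InvalidArgumentException("Refusing an unsafe store configuration");
        }
        $session[self::KEY] ??= [];
        $this->tokens = &$session[self::KEY];
    }

    public function generate(): string
    {
        $this->purgeExpired();
        $token = bin2hex(random_bytes($this->byteLength));
        $this->tokens[$token] = time() + $this->ttlSeconds;

        // Over the cap: evict the oldest tokens first (array insertion order).
        while (count($this->tokens) > $this->maxTokens) {
            unset($this->tokens[array_key_first($this->tokens)]);
        }
        return $token;
    }

    // Throws on failure instead of returning false, so a caller cannot forget to check.
    public function verify(?string $token): void
    {
        $this->purgeExpired();
        if ($token === null || $token === "") {
            throw new CsrfTokenException("Missing CSRF token");
        }
        $matched = null;
        foreach (array_keys($this->tokens) as $stored) {
            // hash_equals keeps each comparison constant-time.
            if (hash_equals((string)$stored, $token)) {
                $matched = $stored;
            }
        }
        if ($matched === null) {
            throw new CsrfTokenException("Invalid, expired or already used CSRF token");
        }
        unset($this->tokens[$matched]);   // single use: a replayed token fails
    }

    public function liveCount(): int
    {
        $this->purgeExpired();
        return count($this->tokens);
    }

    private function purgeExpired(): void
    {
        $now = time();
        foreach ($this->tokens as $stored => $expiry) {
            if ($expiry <= $now) {
                unset($this->tokens[$stored]);
            }
        }
    }
}

// Demonstration with a plain array standing in for $_SESSION.
$session = [];
$store = new BoundedSessionTokenStore($session, maxTokens: 3, ttlSeconds: 1800);

$first = $store->generate();
$store->generate();
$store->generate();
$fourth = $store->generate();        // cap of 3 reached: $first is evicted

echo "live tokens: ", $store->liveCount(), "\n";
try {
    $store->verify($first);
} catch (CsrfTokenException $e) {
    echo "evicted token rejected: ", $e->getMessage(), "\n";
}
$store->verify($fourth);             // accepted and consumed
try {
    $store->verify($fourth);
} catch (CsrfTokenException $e) {
    echo "replay rejected: ", $e->getMessage(), "\n";
}
```

With a real session, pass $_SESSION as the first constructor argument after session_start(). The cap is the tunable that matters for memory; the TTL is only a backstop, so it can stay long (the two hours suggested above) without the session growing, and the tab-switching risk described in the issue is reduced to "more than maxTokens forms rendered since the one you are submitting".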
Idea of an extra TokenStore type that abstracts the need to get, set and check the session variables yourself.
Using global variables is discouraged in the StyleGuide
Instead, provide a method for setting the input data. Maybe allow array or InputData?
The DOM repository is being refactored and will no longer directly extend the native DOMDocument. See the facade branch for more details.
As an open source project I don't think it's right to mark code as copyright Brightflair Ltd - that's simply not the case for code written by others and will discourage contributions :)
Rather than one token for all forms, this will allow ajax requests to use the already generated tokens rather than having to generate their own.
The last command in protectAndInject sets the meta's content to the last-generated token for the page. What about the other ones?
Dependabot needs to be tamed, as per PhpGt/WebEngine#568
It is never going to return false, as it should throw an exception if the token is invalid.
Leaving the bool return type could lead to confusion in how new implementations of TokenStore should behave.
There is already the HTMLDocument within the DOM, so having a class of this name within the csrf package might be confusing?
I was working on a legacy project for a client that uses the DOMDocument to render the HTML. Using this repo on that project would involve rendering the DOMDocument into an HTMLDocument, then back again.
A few more type checks on $html in the HTMLDocumentProtector's constructor will be beneficial.
When updating parts of the page using JavaScript, rather than having to parse the response for form tags and extract the input elements, it would be really useful to have the tokens provided by HTTP tokens.
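As an added example (not PhpGt/csrf code) of the header-based flow this issue asks for: a state-changing request may carry its token in an X-CSRF-Token request header (what a script would send) or in the form field (a classic submit), and after a successful check the response carries a fresh token in the same header, so client code never parses HTML to find one. The header and field names, and the tiny in-memory verify/issue callables used to stand in for a real token store, are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not PhpGt/csrf code. For requests that change state, read the
// token from an X-CSRF-Token request header (AJAX) or, failing that, from the
// form field, and answer with a fresh token in a response header.
// The header name, field name and stand-in store are assumptions.

const CSRF_HEADER = "X-CSRF-Token";
const CSRF_FIELD = "csrf-token";

function tokenFromRequest(array $server, array $post): ?string
{
    // PHP exposes request headers in $_SERVER as HTTP_<NAME>, upper-case with
    // dashes turned into underscores: X-CSRF-Token -> HTTP_X_CSRF_TOKEN.
    $key = "HTTP_" . strtoupper(str_replace("-", "_", CSRF_HEADER));
    $fromHeader = $server[$key] ?? null;
    if (is_string($fromHeader) && $fromHeader !== "") {
        return $fromHeader;
    }
    $fromField = $post[CSRF_FIELD] ?? null;
    return is_string($fromField) && $fromField !== "" ? $fromField : null;
}

function isStateChanging(array $server): bool
{
    $method = strtoupper($server["REQUEST_METHOD"] ?? "GET");
    return !in_array($method, ["GET", "HEAD", "OPTIONS"], true);
}

/**
 * @param callable(?string): void $verify throws on a missing or invalid token
 * @param callable(): string      $issue  returns a fresh, stored token
 * @return array<string,string> response headers to emit
 */
function protectRequest(array $server, array $post, callable $verify, callable $issue): array
{
    if (!isStateChanging($server)) {
        return [];                                  // safe methods carry no token
    }
    $verify(tokenFromRequest($server, $post));      // throws on failure; nothing below runs
    // The token just spent is single use, so hand the client its replacement.
    return [CSRF_HEADER => $issue()];
}

// Stand-in store for the demonstration: one valid single-use token.
$valid = ["0f1e2d3c4b5a69788796a5b4c3d2e1f0" => true];
$verify = function (?string $token) use (&$valid): void {
    if ($token === null || !isset($valid[$token])) {
        throw new RuntimeException("CSRF token missing or invalid");
    }
    unset($valid[$token]);
};
$issue = function () use (&$valid): string {
    $token = bin2hex(random_bytes(16));
    $valid[$token] = true;
    return $token;
};

// Constructed AJAX POST: token only in the header, no form field at all.
$server = [
    "REQUEST_METHOD" => "POST",
    "HTTP_X_CSRF_TOKEN" => "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
];
$responseHeaders = protectRequest($server, [], $verify, $issue);
foreach ($responseHeaders as $name => $value) {
    header("$name: $value");    // a no-op on the CLI
    echo "$name: $value\n";
}

// Replaying the same request now fails because the token was consumed.
try {
    protectRequest($server, [], $verify, $issue);
} catch (RuntimeException $e) {
    echo "replay rejected: ", $e->getMessage(), "\n";
}
```

A custom request header has a second benefit worth keeping in mind: a cross-origin page cannot add X-CSRF-Token to a request without a CORS preflight, so the header check also fails closed for the simple cross-site form posts CSRF relies on. It is a complement to the token, not a replacement, because a permissive CORS policy would undo it.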
I can't tell what's going wrong. If you check the history of my circleci pull request you'll see it did pass once... but goodness knows why.
It appears to be failing to consolidate the results of the various steps.
ircmaxell/RandomLib uses mcrypt, which will be removed in PHP 7.2 for security reasons.
Already tracked here: ircmaxell/RandomLib#55
Possible solution: https://github.com/paragonie/random_compat
Generating a CSRF token for GET forms is not needed.
Rather than one token for all forms, this will allow ajax requests to use the already generated tokens rather than having to generate their own.
There are so many instances where multiple forms are output to the same response that I think it would be beneficial to have the PER_FORM flag as default.
However, this is still up for the decision of the implementor, in which case WebEngine can make this choice.
Leaving this issue here while I ponder, or if anyone else wants to share their thoughts.
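As an added example (not PhpGt/csrf code) of per-form tokens as the default, and of the meta-tag and GET-form points raised in the earlier issues: the protector below gives every POST form its own hidden input, skips GET forms entirely, and publishes a separate, dedicated token in a head meta tag for AJAX callers, so the meta value no longer depends on which form happened to be generated last. It works directly on DOMDocument. The class name PerFormProtector, the field and meta names, and the token-generating closure it takes are assumptions; in a real deployment the closure would store each token it returns.

```php
<?php
declare(strict_types=1);

// Added example, not PhpGt/csrf code. Gives every POST form its own hidden
// token and publishes a separate token for AJAX callers in <head>, so the
// meta value is not simply "the last form token generated".
// PerFormProtector, the field name and the meta name are assumptions.

final class PerFormProtector
{
    public const FIELD_NAME = "csrf-token";
    public const META_NAME = "csrf-token";

    /** @param Closure(): string $newToken returns a fresh, stored token each call */
    public function __construct(private Closure $newToken) {}

    /** @return string[] every token issued into this document, in order */
    public function protect(DOMDocument $document): array
    {
        $issued = [];
        $xpath = new DOMXPath($document);

        foreach ($xpath->query("//form") as $form) {
            // A missing method attribute means GET. GET forms must not change
            // state and get no token, which also keeps tokens out of URLs.
            if (strtolower($form->getAttribute("method")) !== "post") {
                continue;
            }
            // Don't double-protect a form that already carries the field.
            $already = $xpath->query(".//input[@name='" . self::FIELD_NAME . "']", $form);
            if ($already->length > 0) {
                continue;
            }
            $token = ($this->newToken)();
            $input = $document->createElement("input");
            $input->setAttribute("type", "hidden");
            $input->setAttribute("name", self::FIELD_NAME);
            $input->setAttribute("value", $token);
            $form->appendChild($input);
            $issued[] = $token;
        }

        // Dedicated AJAX token in a predictable place for client scripts.
        $head = $document->getElementsByTagName("head")->item(0);
        if ($head !== null) {
            $token = ($this->newToken)();
            $meta = $document->createElement("meta");
            $meta->setAttribute("name", self::META_NAME);
            $meta->setAttribute("content", $token);
            $head->appendChild($meta);
            $issued[] = $token;
        }
        return $issued;
    }
}

// Constructed sample page: one GET search form and two POST forms.
$html = <<<HTML
<!DOCTYPE html>
<html><head><title>Demo</title></head><body>
<form method="get" action="/search"><input name="q"></form>
<form method="POST" action="/comment"><textarea name="body"></textarea></form>
<form method="post" action="/logout"><button>Log out</button></form>
</body></html>
HTML;

$document = new DOMDocument();
$document->loadHTML($html);

// Stand-in token source; a real one would also record the token in the store.
$protector = new PerFormProtector(fn(): string => bin2hex(random_bytes(32)));
$tokens = $protector->protect($document);

echo count($tokens), " tokens issued (two POST forms plus one meta tag)\n";
echo $document->saveHTML();
```

The cost of the per-form default is exactly the growth in live tokens discussed in the memory issue above (two forms plus one meta token per render here), which is why a bounded store pairs naturally with it.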
Update to CircleCI 2.0, excuse to organise unit tests too.
PHP 7.2 ships with inbuilt crypto features, such as cryptographically secure random byte generator (https://www.php.net/manual/en/function.random-bytes.php)
There is no need to depend on ircmaxell's fantastic library any more, and as such, we will no longer have to depend on packages such as:
"symfony/console": "^3.4.17 || ^4.1.6",
"symfony/event-dispatcher": "^3.0 || ^4.0",
"symfony/filesystem": "^3.0 || ^4.0",
"symfony/finder": "^3.0 || ^4.0",
"symfony/options-resolver": "^3.0 || ^4.0",
"symfony/polyfill-php70": "^1.0",
"symfony/polyfill-php72": "^1.4",
"symfony/process": "^3.0 || ^4.0",
"symfony/stopwatch": "^3.0 || ^4.0"
Use www.shields.io for consistency. See other phpgt repositories methods for doing this.
There's already a form property on HTMLDocuments - iterate over this?
Have just tried to update the php version to 7.0.11 but found that CircleCI is defaulting to Ubuntu 12.04. Is it time to update?
From https://circleci.com/docs/build-image-trusty/#php
"You can run your Linux builds on Ubuntu 14.04 Trusty (default is Ubuntu 12.04). You can switch to Trusty from “Project Settings” -> “Build Environment” of your project."
@g105b it seems this is something only you can do
This would use Gt\Database's QueryBuilder to ensure engine-agnostic queries are generated independent of whatever database engine the developer is using.