phpgt / csrf Goto Github PK

This would reduce the attack surface, countering the fact that far more tokens will be generated to allow AJAX forms to be permitted (feature #14).

At the moment, the ArrayTokenStore remains in-play for as long as the session survives.

@g105b any thoughts on the timeout? 30 mins maybe? Don't want to frustrate people who take a phone-call or take a long time filling out a form before they click a button.

Ensure coding styleguide is matched

Currently it's set at 64 characters, and there is no way for users to change it. Frankly, 6 characters would probably be more than sufficient and considerably quicker (though it's pretty snappy already...)

Currently, javscript would have to parse the token out of a form somewhere in the page (assuming one exists). Adding a specific tag to the head (which is reliably in the same place) would simplify the javascript logic considerably.

Remember composer.json's autoload bit.

Spawned from #16.

On busy sites with many forms per page, long session timeouts and many users the amount of memory used for storing all these tokens could become significant.

Obvious options to resolve include a timeout or a limit to the number of tokens in circulation per user.

The timeout is not optimal because it would have to be long (2 hours?) to allow users to take a call or be part way through filling out a form then doing something else etc

The fixed number of tokens seems more useful as it can be tuned to an appropriate depth for a given application - a number much smaller than the total number of tokens generated over a period of hours. HOWEVER, should a user leave one tab open then start working on another they could invalidate the tokens associated with the first page. This could be mitigated by setting the limit to a fairly high number (1,000?) but the risk would remain.

Thoughts @g105b?

Idea of an extra TokenStore type that abstracts the need to get, set and check the session variables yourself.

Using global variables is discouraged in the StyleGuide

Instead, provide a method for setting the input data. Maybe allow array or InputData?

The DOM repository is being refactored and will no longer directly extend the native DOMDocument. See the facade branch for more details.

As an open source project I don't think it's right to mark code as copyright Brightflair Ltd - that's simply not the case for code written by others and will discourage contributions :)

Rather than one token for all forms, this will allow ajax requests to use the already generated tokens rather than having to generate their own.

The last command in protectAndInject sets the meta's content to the last-generated token for the page. What about the other ones?

Dependabot needs to be tamed, as per PhpGt/WebEngine#568

It is never going to return false, as it should throw an exception if the token is invalid.

Leaving the bool return type could lead to confusion in how new implementations of TokenStore should behave.

There is already the HTMLDocument within the DOM, so having a class of this name within the csrf package might be confusing?

I was working on a legacy project for a client that uses the DOMDocument to render the HTML. Using this repo on that project would involve rendering the DOMDocument into a HTMLDocument, then back again.

A few more type checks on $html in the HTMLDocumentProtector's constructor will be beneficial.

When updating parts of the page using JavaScript, rather than having to parse the response for form tags and extract the input elements, it would be really useful to have the tokens provided by HTTP tokens.

1. Are there any security implications of doing this?
2. How would responses containing multiple forms be handled?

I can't tell what's going wrong. If you check the history of my circleci pull request you'll see it did pass once... but goodness knows why.

It appears to be failing to consolidate the results of the various steps.

ircmaxell/RandomLib uses mcrypt, which will be removed in PHP 7.2 for security reasons.

Already tracked here: ircmaxell/RandomLib#55

Possible solution: https://github.com/paragonie/random_compat

Generating a CSRF token for GET forms is not needed.

Rather than one token for all forms, this will allow ajax requests to use the already generated tokens rather than having to generate their own.

There are so many instances where multiple forms are output to the same response that I think it would be beneficial to have the PER_FORM flag as default.

However, this is still up for the decision of the implementor, in which case WebEngine can make this choice.

Leaving this issue here while I ponder, or if anyone else wants to share their thoughts.

Update to CircleCI 2.0, excuse to organise unit tests too.

PHP 7.2 ships with inbuilt crypto features, such as cryptographically secure random byte generator (https://www.php.net/manual/en/function.random-bytes.php)

There is no need to depend on ircmaxel's fantastic library any more, and as such, we will no longer have to depend on packages such as:

    "symfony/console": "^3.4.17 || ^4.1.6",
    "symfony/event-dispatcher": "^3.0 || ^4.0",
    "symfony/filesystem": "^3.0 || ^4.0",
    "symfony/finder": "^3.0 || ^4.0",
    "symfony/options-resolver": "^3.0 || ^4.0",
    "symfony/polyfill-php70": "^1.0",
    "symfony/polyfill-php72": "^1.4",
    "symfony/process": "^3.0 || ^4.0",
    "symfony/stopwatch": "^3.0 || ^4.0"

Use www.shields.io for consistency. See other phpgt repositories methods for doing this.

There's already a form property on HTMLDocuments - iterate over this?

Have just tried to update the php version to 7.0.11 but found that CircleCI is defaulting to Ubuntu 12.04. Is it time to update?

From https://circleci.com/docs/build-image-trusty/#php
"You can run your Linux builds on Ubuntu 14.04 Trusty (default is Ubuntu 12.04). You can switch to Trusty from “Project Settings” -> “Build Environment” of your project."

@g105b it seems this is something only you can do

This would use Gt\Database's QueryBuilder to ensure engine-agnostic queries are generated independent of whatever database engine the developer is using.