OTS-OpenSource/Cloud-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Upload

Browse Source
This commit is contained in:
Matt Batchelder
2025-12-02 10:32:59 -05:00
commit 05ce0da296
2240 changed files with 467811 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
lib/Middleware/CsrfGuard.php Normal file
View File

@@ -0,0 +1,123 @@
<?php
/**
* Copyright (C) 2020 Xibo Signage Ltd
*
* Xibo - Digital Signage - http://www.xibo.org.uk
*
* This file is part of Xibo.
*
* Xibo is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* any later version.
*
* Xibo is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with Xibo. If not, see <http://www.gnu.org/licenses/>.
*/
namespace Xibo\Middleware;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface as Middleware;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\App as App;
use Slim\Routing\RouteContext;
use Xibo\Helper\Environment;
use Xibo\Support\Exception\ExpiredException;
class CsrfGuard implements Middleware
{
/**
* CSRF token key name.
*
* @var string
*/
protected $key;
/* @var App $app */
private $app;
/**
* Constructor.
*
* @param App $app
* @param string $key The CSRF token key name.
*/
public function __construct($app, $key = 'csrfToken')
{
if (! is_string($key) || empty($key) || preg_match('/[^a-zA-Z0-9\-\_]/', $key)) {
throw new \OutOfBoundsException('Invalid CSRF token key "' . $key . '"');
}
$this->key = $key;
$this->app = $app;
}
/**
* Call middleware.
*
* @param Request $request
* @param RequestHandler $handler
* @return Response
* @throws ExpiredException
*/
public function process(Request $request, RequestHandler $handler): Response
{
$container = $this->app->getContainer();
/* @var \Xibo\Helper\Session $session */
$session = $this->app->getContainer()->get('session');
if (!$session->get($this->key)) {
$session->set($this->key, bin2hex(random_bytes(20)));
}
$token = $session->get($this->key);
// Validate the CSRF token.
if (in_array($request->getMethod(), ['POST', 'PUT', 'DELETE'])) {
// Validate the token unless we are on an excluded route
// Get the current route pattern
$routeContext = RouteContext::fromRequest($request);
$route = $routeContext->getRoute();
$resource = $route->getPattern();
$excludedRoutes = $request->getAttribute('excludedCsrfRoutes');
if (($excludedRoutes !== null && is_array($excludedRoutes) && in_array($resource, $excludedRoutes))
|| (Environment::isDevMode() && $resource === '/login')
) {
$container->get('logger')->info('Route excluded from CSRF: ' . $resource);
} else {
// Checking CSRF
$userToken = $request->getHeaderLine('X-XSRF-TOKEN');
if ($userToken == '') {
$parsedBody = $request->getParsedBody();
foreach ($parsedBody as $param => $value) {
if ($param == $this->key) {
$userToken = $value;
}
}
}
if ($token !== $userToken) {
throw new ExpiredException(__('Sorry the form has expired. Please refresh.'));
}
}
}
// Assign CSRF token key and value to view.
$container->get('view')->offsetSet('csrfKey', $this->key);
$container->get('view')->offsetSet('csrfToken',$token);
// Call next middleware.
return $handler->handle($request);
}
}