Merge pull request from GHSA-gjvc-55fw-v6vq

Replace GET way to POST way to delete API client
2024-05-17 16:52:39 +00:00 · 2023-08-21 11:08:47 +02:00 · 2023-08-21 11:08:47 +02:00 · ffcc5c9062
parent 78b0b55c40 c3d1f92278
commit ffcc5c9062
3 changed files with 15 additions and 12 deletions
--- a/src/Wallabag/ApiBundle/Controller/DeveloperController.php
+++ b/src/Wallabag/ApiBundle/Controller/DeveloperController.php
@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
    /**
     * Remove a client.
     *
-     * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client")
+     * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
     *
     * @return RedirectResponse
     */
-    public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
+    public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
    {
+
+        if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
+            throw $this->createAccessDeniedException('Bad CSRF token.');
+        }
+
        if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
            throw $this->createAccessDeniedException('You can not access this client.');
        }
--- a/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
@ -57,9 +57,11 @@

                                    <p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
                                    <p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
-                                    <p>
-                                        <a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a>
-                                    </p>
+                                    <form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client">
+                                        <input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" />
+
+                                        <button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button>
+                                    </form>
                                </div>
                            </li>
                        {% endfor %}
--- a/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php
+++ b/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php
@ -104,20 +104,16 @@ class DeveloperControllerTest extends WallabagCoreTestCase
        $this->assertStringContainsString('no_client', $client->getResponse()->getContent());

        $this->logInAs('bob');
-        $client->request('GET', '/developer/client/delete/' . $adminApiClient->getId());
+        $client->request('POST', '/developer/client/delete/' . $adminApiClient->getId());
        $this->assertSame(403, $client->getResponse()->getStatusCode());

        // Try to remove the admin's client with the good user
        $this->logInAs('admin');
        $crawler = $client->request('GET', '/developer');

-        $link = $crawler
-            ->filter('div[class=collapsible-body] p a')
-            ->eq(0)
-            ->link()
-        ;
+        $form = $crawler->filter('form[name=delete-client]')->form();

-        $client->click($link);
+        $client->submit($form);
        $this->assertSame(302, $client->getResponse()->getStatusCode());

        $this->assertNull(