Provide a framework for CSRF protection, with tests.

Add CSRF protection to Asset editSave, AssetManager, VersionTags and Group operations.

t/Form/CsrfToken.t

@@ -0,0 +1,58 @@
+#-------------------------------------------------------------------
+# WebGUI is Copyright 2001-2009 Plain Black Corporation.
+#-------------------------------------------------------------------
+# Please read the legal notices (docs/legal.txt) and the license
+# (docs/license.txt) that came with this distribution before using
+# this software.
+#-------------------------------------------------------------------
+# http://www.plainblack.com                     info@plainblack.com
+#-------------------------------------------------------------------
+
+use FindBin;
+use strict;
+use lib "$FindBin::Bin/../lib";
+
+use WebGUI::Test;
+use WebGUI::Form;
+use WebGUI::Form::CsrfToken;
+use WebGUI::Session;
+use HTML::Form;
+use WebGUI::Form_Checking;
+
+#The goal of this test is to verify that Zipcode form elements work
+
+use Test::More; # increment this value for each test you create
+
+my $session = WebGUI::Test->session;
+
+# put your tests here
+
+my $formClass = 'WebGUI::Form::CsrfToken';
+
+my $numTests = 5;
+
+plan tests => $numTests;
+
+my ($header, $footer) = (WebGUI::Form::formHeader($session), WebGUI::Form::formFooter($session));
+
+my $html = join "\n",
+	$header, 
+	$formClass->new($session, {})->toHtml,
+	$footer;
+
+my @forms = HTML::Form->parse($html, 'http://www.webgui.org');
+
+##Test Form Generation
+
+is(scalar @forms, 1, '1 form was parsed');
+
+my @inputs = $forms[0]->inputs;
+is(scalar @inputs, 1, 'The form has 1 input');
+
+#Basic tests
+
+my $input = $inputs[0];
+is($input->name, 'webguiCsrfToken', 'Checking input name');
+is($input->type, 'hidden', 'Checking input type');
+is($input->value, $session->scratch->get('webguiCsrfToken'), 'Checking token value');
+

t/Session/Form.t

@@ -0,0 +1,37 @@
+#-------------------------------------------------------------------
+# WebGUI is Copyright 2001-2009 Plain Black Corporation.
+#-------------------------------------------------------------------
+# Please read the legal notices (docs/legal.txt) and the license
+# (docs/license.txt) that came with this distribution before using
+# this software.
+#-------------------------------------------------------------------
+# http://www.plainblack.com                     info@plainblack.com
+#-------------------------------------------------------------------
+
+use FindBin;
+use strict;
+use lib "$FindBin::Bin/../lib";
+
+use WebGUI::Test;
+use WebGUI::Session;
+
+use Test::More;
+
+plan tests => 4;
+
+my $session = WebGUI::Test->session;
+my $token = $session->scratch->get('webguiCsrfToken');
+
+$session->request->method('POST');
+$session->request->setup_param({ webguiCsrfToken => $token, });
+ok($session->form->validToken, 'validToken: right method and form value');
+
+$session->request->method('GET');
+ok(! $session->form->validToken, '... wrong method, right form value');
+
+$session->request->method('POST');
+$session->request->setup_param({ webguiCsrfToken => 'bad token', });
+ok(! $session->form->validToken, 'validToken: right method and wrong form value');
+
+$session->request->method('GET');
+ok(! $session->form->validToken, 'validToken: wrong method and form value');

t/Session/Var.t

@@ -16,7 +16,7 @@ use WebGUI::Test;
 use WebGUI::Session;
 use WebGUI::Session::Var;
 
-use Test::More tests => 40; # increment this value for each test you create
+use Test::More tests => 44; # increment this value for each test you create
 use Test::Deep;
  
 my $session = WebGUI::Test->session;
@@ -29,9 +29,13 @@ is($session->var->isAdminOn, 1, "switchAdminOn()");
 $session->var->switchAdminOff;
 is($session->var->isAdminOn, 0, "switchAdminOff()");
 
+my $token = $session->scratch->get('webguiCsrfToken');
+ok( $token, 'CSRF token set');
+ok( $session->id->valid($token), '...is a valid GUID');
+
 my $id = $session->var->getId;
 my ($count) = $session->db->quickArray("select count(*) from userSession where sessionId=?",[$id]);
-is($count, 1,"created an user session entry in the database");
+is($count, 1, "created an user session entry in the database");
 
 my %newEnvHash = ( REMOTE_ADDR => '192.168.0.34');
 my $origEnv = $session->env->{_env};
@@ -41,6 +45,8 @@ my $var = WebGUI::Session::Var->new($session);
 my $varTime = time();
 my $varExpires = $varTime + $session->setting->get('sessionTimeout');
 isa_ok($var, 'WebGUI::Session::Var', 'new returns Var object');
+isnt($session->scratch->get('webguiCsrfToken'), $token, '... calling new without sessionId creates a new token');
+$token = $session->scratch->get('webguiCsrfToken');
 
 cmp_ok(abs($var->get('lastPageView') - $varTime), '<=', 1, 'lastPageView set correctly');
 cmp_ok(abs($var->get('expires') - $varExpires), '<=', 1, 'expires set correctly');
@@ -66,6 +72,7 @@ $newEnvHash{REMOTE_ADDR} = '10.0.5.5';
 $varTime = time();
 my $var2 = WebGUI::Session::Var->new($session, $session->getId);
 $varExpires = $varTime + $session->setting->get('sessionTimeout');
+is($var2->session->scratch->get('webguiCsrfToken'), $token, 'opening a new user session did not change the CSRF token');
 
 cmp_deeply(
 	$var2,

t/lib/WebGUI/PseudoRequest.pm

@@ -378,6 +378,23 @@ sub get_output {
 
 #----------------------------------------------------------------------------
 
+=head2 method ( [ $method ] )
+
+Getter/setter for the HTTP request method.
+
+=cut
+
+sub method {
+    my ($self, $newMethod) = @_;
+    my $method = $self->{method};
+    if (defined $newMethod) {
+        $self->{method} = $newMethod;
+    }
+    return $method;
+}
+
+#----------------------------------------------------------------------------
+
 =head2 print ( @values )
 
 Fake print method for the PseudoRequest object.  It caches everything printed