From 863d398f9abedbf3c6da805d4785242000fbe834 Mon Sep 17 00:00:00 2001 From: MatTheCat Date: Wed, 23 Nov 2022 10:05:40 +0100 Subject: [PATCH] [Security][LoginLink] Throw InvalidLoginLinkException on missing parameter --- LoginLink/LoginLinkHandler.php | 8 ++++++-- Tests/LoginLink/LoginLinkHandlerTest.php | 24 ++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/LoginLink/LoginLinkHandler.php b/LoginLink/LoginLinkHandler.php index e245ad5f..74c6c7e7 100644 --- a/LoginLink/LoginLinkHandler.php +++ b/LoginLink/LoginLinkHandler.php @@ -97,8 +97,12 @@ public function consumeLoginLink(Request $request): UserInterface throw new InvalidLoginLinkException('User not found.', 0, $exception); } - $hash = $request->get('hash'); - $expires = $request->get('expires'); + if (!$hash = $request->get('hash')) { + throw new InvalidLoginLinkException('Missing "hash" parameter.'); + } + if (!$expires = $request->get('expires')) { + throw new InvalidLoginLinkException('Missing "expires" parameter.'); + } try { $this->signatureHasher->verifySignatureHash($user, $expires, $hash); diff --git a/Tests/LoginLink/LoginLinkHandlerTest.php b/Tests/LoginLink/LoginLinkHandlerTest.php index 697584d2..c29bb9a8 100644 --- a/Tests/LoginLink/LoginLinkHandlerTest.php +++ b/Tests/LoginLink/LoginLinkHandlerTest.php @@ -182,6 +182,30 @@ public function testConsumeLoginLinkExceedsMaxUsage() $linker->consumeLoginLink($request); } + public function testConsumeLoginLinkWithMissingHash() + { + $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash'); + $this->userProvider->createUser($user); + + $this->expectException(InvalidLoginLinkException::class); + $request = Request::create('/login/verify?user=weaverryan&expires=10000'); + + $linker = $this->createLinker(); + $linker->consumeLoginLink($request); + } + + public function testConsumeLoginLinkWithMissingExpiration() + { + $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash'); + $this->userProvider->createUser($user); + + $this->expectException(InvalidLoginLinkException::class); + $request = Request::create('/login/verify?user=weaverryan&hash=thehash'); + + $linker = $this->createLinker(); + $linker->consumeLoginLink($request); + } + private function createSignatureHash(string $username, int $expires, array $extraFields): string { $fields = [base64_encode($username), $expires];