From 760621a7369d8001ec1a1b9a4c6a43abefc59317 Mon Sep 17 00:00:00 2001
From: Andrei Onita
Date: Mon, 26 Jun 2023 15:04:20 +0300
Subject: [PATCH] csrf validation added to all forms
---
 src/Contact/src/Form/ContactForm.php | 9 +++++++++
 src/Contact/templates/contact/contact-form.html.twig | 2 ++
 src/User/src/Form/LoginForm.php | 9 +++++++++
 src/User/src/Form/ProfileDeleteForm.php | 9 +++++++++
 src/User/src/Form/ProfileDetailsForm.php | 9 +++++++++
 src/User/src/Form/ProfilePasswordForm.php | 9 +++++++++
 src/User/src/Form/RegisterForm.php | 9 +++++++++
 src/User/src/Form/RequestResetPasswordForm.php | 9 +++++++++
 src/User/src/Form/ResetPasswordForm.php | 9 +++++++++
 src/User/src/Form/UploadAvatarForm.php | 9 +++++++++
 src/User/templates/profile/avatar.html.twig | 2 ++
 src/User/templates/profile/change-password.html.twig | 2 ++
 src/User/templates/profile/delete-account.html.twig | 2 ++
 src/User/templates/profile/details.html.twig | 2 ++
 src/User/templates/user/login.html.twig | 3 +++
 src/User/templates/user/register.html.twig | 2 ++
 src/User/templates/user/request-reset-form.html.twig | 2 ++
 src/User/templates/user/reset-password-form.html.twig | 2 ++
 18 files changed, 100 insertions(+)
diff --git a/src/Contact/src/Form/ContactForm.php b/src/Contact/src/Form/ContactForm.php
index e9378da5..66681c02 100644
--- a/src/Contact/src/Form/ContactForm.php
+++ b/src/Contact/src/Form/ContactForm.php
@@ -87,6 +87,15 @@ public function init(): void
 ],
 'type' => Textarea::class,
 ]);
+ $this->add([
+ 'name' => 'contact_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
 }
 /**
diff --git a/src/Contact/templates/contact/contact-form.html.twig b/src/Contact/templates/contact/contact-form.html.twig
index d458181b..bffef9db 100644
--- a/src/Contact/templates/contact/contact-form.html.twig
+++ b/src/Contact/templates/contact/contact-form.html.twig
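Review bot: The `timeout` and `message` keys of the new `contact_csrf` element sit directly under `options`, where the element's validator will not see them — assuming `'type' => 'csrf'` resolves to laminas-form's `Laminas\Form\Element\Csrf`, that element only forwards `options['csrf_options']` to its `Csrf` validator, so the token would still expire after the validator's default 300 seconds and the custom message would never be displayed. Nest them: `'options' => ['csrf_options' => ['timeout' => 3600, 'message' => 'The form CSRF has expired and was refreshed. Please resend the form']],`. Please confirm against the vendor `Element\Csrf::setOptions()` in use before relying on either value. `init()` starts above this hunk; only its closing brace is visible.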
@@ -71,6 +71,8 @@ + {{ formElement(form.get('contact_csrf')) }} +
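Review bot: The hidden token is rendered by the added `{{ formElement(form.get('contact_csrf')) }}` line, but nothing in the hunk renders the error a rejected token produces, so an expired or mismatched submission would be refused without the user seeing why unless the template already prints form-level messages elsewhere; consider `{{ formElementErrors(form.get('contact_csrf')) }}` beside the new line, or surfacing the error through the handler's flash messages. The markup surrounding this hunk is not visible here, so this may already be covered.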
diff --git a/src/User/src/Form/LoginForm.php b/src/User/src/Form/LoginForm.php
index d137cc07..7caf1e5e 100644
--- a/src/User/src/Form/LoginForm.php
+++ b/src/User/src/Form/LoginForm.php
@@ -70,6 +70,15 @@ public function init()
 ],
 ]);
+ $this->add([
+ 'name' => 'login_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/src/Form/ProfileDeleteForm.php b/src/User/src/Form/ProfileDeleteForm.php
index a6a36df1..65f188ce 100644
--- a/src/User/src/Form/ProfileDeleteForm.php
+++ b/src/User/src/Form/ProfileDeleteForm.php
@@ -53,6 +53,15 @@ public function init()
 ]
 ]);
+ $this->add([
+ 'name' => 'profile_delete_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/src/Form/ProfileDetailsForm.php b/src/User/src/Form/ProfileDetailsForm.php
index e60bef27..5df161da 100644
--- a/src/User/src/Form/ProfileDetailsForm.php
+++ b/src/User/src/Form/ProfileDetailsForm.php
@@ -45,6 +45,15 @@ public function init()
 'type' => UserDetailFieldset::class
 ]);
+ $this->add([
+ 'name' => 'profile_details_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/src/Form/ProfilePasswordForm.php b/src/User/src/Form/ProfilePasswordForm.php
index b3038e75..f2822819 100644
--- a/src/User/src/Form/ProfilePasswordForm.php
+++ b/src/User/src/Form/ProfilePasswordForm.php
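Review bot: The `login_csrf` block is the same seven-line definition, with the same bare `3600` and the same message string, that this commit pastes into eight other forms, so a future change to the timeout or wording has nine places to miss; a shared helper such as `CsrfElementTrait::addCsrfElement(string $name): void`, or at minimum `private const CSRF_TIMEOUT = 3600;` in place of the literal, would keep it in one place. Whatever shape the helper takes, put the validator options under `csrf_options` (laminas-form's `Csrf` element forwards only that key to its validator), which the definition as written does not do. `init()` starts above this hunk.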
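Review bot: `profile_delete_csrf` only protects account deletion if the delete handler validates the whole form — the element's validator runs from `$form->setData(...)` followed by `$form->isValid()`, and a handler that merely reads the confirmation checkbox from the request body, or validates a fieldset on its own, never sees the token. The handler is not in this diff, so please confirm it goes through `isValid()` on this form, since this is the most destructive action the patch covers; a quick test that POSTs the checkbox without `profile_delete_csrf` and expects a refusal would pin that down. `init()` starts above this hunk.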
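Review bot: The new element in ProfileDetailsForm is declared with the string alias `'type' => 'csrf'` while the element directly above it uses `'type' => UserDetailFieldset::class`; for consistency, and so static analysis and IDE navigation can resolve the class, write `'type' => Csrf::class` and add `use Laminas\Form\Element\Csrf;` to the imports (outside this hunk). The alias only resolves when the form is built through the FormElementManager, which the `init()` hook suggests but the diff does not show, so the `::class` form is also the safer one. `init()` starts above this hunk.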
@@ -59,6 +59,15 @@ public function init()
 'type' => Password::class
 ]);
+ $this->add([
+ 'name' => 'profile_password_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/src/Form/RegisterForm.php b/src/User/src/Form/RegisterForm.php
index a1fbc3bd..7fe6fb12 100644
--- a/src/User/src/Form/RegisterForm.php
+++ b/src/User/src/Form/RegisterForm.php
@@ -81,6 +81,15 @@ public function init()
 'type' => Password::class
 ]);
+ $this->add([
+ 'name' => 'register_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/src/Form/RequestResetPasswordForm.php b/src/User/src/Form/RequestResetPasswordForm.php
index 3a5d4a16..b1024782 100644
--- a/src/User/src/Form/RequestResetPasswordForm.php
+++ b/src/User/src/Form/RequestResetPasswordForm.php
@@ -48,6 +48,15 @@ public function init()
 'type' => Email::class
 ]);
+ $this->add([
+ 'name' => 'request_reset_password_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/src/Form/ResetPasswordForm.php b/src/User/src/Form/ResetPasswordForm.php
index 926c4b9f..2ef44f98 100644
--- a/src/User/src/Form/ResetPasswordForm.php
+++ b/src/User/src/Form/ResetPasswordForm.php
@@ -59,6 +59,15 @@ public function init()
 'type' => Password::class
 ]);
+ $this->add([
+ 'name' => 'reset_password_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
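Review bot: The `register_csrf` message is a hard-coded English string, while the templates this commit touches translate every other user-facing string (`submit.getValue|trans` in register.html.twig), so the CSRF error would be the one untranslated message on the page; either add the string to the translation catalog (laminas validator messages are translated when a default translator is configured) or route it through whatever the project already uses for validation messages. The text also promises the token "was refreshed", which holds only if the handler re-renders the form with a fresh token after a failed POST rather than redirecting — the handler is not in this diff, so please confirm. `init()` starts above this hunk.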
diff --git a/src/User/src/Form/UploadAvatarForm.php b/src/User/src/Form/UploadAvatarForm.php
index a8e15f85..2f8750a7 100644
--- a/src/User/src/Form/UploadAvatarForm.php
+++ b/src/User/src/Form/UploadAvatarForm.php
@@ -38,6 +38,15 @@ public function init()
 'type' => AvatarFieldset::class
 ]);
+ $this->add([
+ 'name' => 'upload_avatar_csrf',
+ 'type' => 'csrf',
+ 'options' => [
+ 'timeout' => 3600,
+ 'message' => 'The form CSRF has expired and was refreshed. Please resend the form',
+ ],
+ ]);
+
 $this->add([
 'name' => 'submit',
 'attributes' => [
diff --git a/src/User/templates/profile/avatar.html.twig b/src/User/templates/profile/avatar.html.twig
index 24d8cf74..2f020df4 100644
--- a/src/User/templates/profile/avatar.html.twig
+++ b/src/User/templates/profile/avatar.html.twig
@@ -19,6 +19,8 @@
 {% set dummy = image.setAttribute('data-url', path('account', {'action': 'avatar'})) %}
 {{ formElement(image) }}
+{{ formElement(form.get('upload_avatar_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/profile/change-password.html.twig b/src/User/templates/profile/change-password.html.twig
index c8ba3f78..c446c8d2 100644
--- a/src/User/templates/profile/change-password.html.twig
+++ b/src/User/templates/profile/change-password.html.twig
@@ -16,6 +16,8 @@
 {% set dummy = passwordConfirm.setAttribute('placeholder', elementTranslatePlaceholder) %}
 {{ formElement(passwordConfirm) }}
+{{ formElement(form.get('profile_password_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/profile/delete-account.html.twig b/src/User/templates/profile/delete-account.html.twig
index 86aea0e8..9467113d 100644
--- a/src/User/templates/profile/delete-account.html.twig
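Review bot: The `upload_avatar_csrf` hidden input is rendered right after an image element whose `data-url` points at the avatar action, which looks like a script-driven upload; if the file is posted by JavaScript rather than by a normal form submit, the new hidden field has to be added to that request body explicitly, or every upload will be rejected — and if the upload handler never runs `isValid()` on this form, the token is decorative. The upload script and handler are not in this diff, so please verify which path the avatar takes and add a test that posts the file without `upload_avatar_csrf` and expects a refusal. The form markup surrounding this hunk is not visible here.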
+++ b/src/User/templates/profile/delete-account.html.twig
@@ -12,6 +12,8 @@

I accept the Terms and Conditions and I want to delete my account with all additional data.

+{{ formElement(form.get('profile_delete_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/profile/details.html.twig b/src/User/templates/profile/details.html.twig
index 91c6df8e..3850b770 100644
--- a/src/User/templates/profile/details.html.twig
+++ b/src/User/templates/profile/details.html.twig
@@ -18,6 +18,8 @@
 {% set dummy = lastName.setAttribute('placeholder', elementTranslatePlaceholder) %}
 {{ formElement(lastName) }}
+{{ formElement(form.get('profile_details_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/user/login.html.twig b/src/User/templates/user/login.html.twig
index 2fbf7192..f4735d7c 100644
--- a/src/User/templates/user/login.html.twig
+++ b/src/User/templates/user/login.html.twig
@@ -37,6 +37,9 @@
+ {{ formElement(form.get('login_csrf')) }}
+
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/user/register.html.twig b/src/User/templates/user/register.html.twig
index b1b090af..c9288829 100644
--- a/src/User/templates/user/register.html.twig
+++ b/src/User/templates/user/register.html.twig
@@ -44,6 +44,8 @@
 {% set dummy = passwordConfirm.setAttribute('placeholder', elementTranslatePlaceholder) %}
 {{ formElement(passwordConfirm) }}
+ {{ formElement(form.get('register_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/user/request-reset-form.html.twig b/src/User/templates/user/request-reset-form.html.twig
index 8c2c2338..42c6afa7 100644
--- a/src/User/templates/user/request-reset-form.html.twig
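Review bot: login.html.twig adds two empty lines after `{{ formElement(form.get('login_csrf')) }}` where every other template in this commit adds one (the diffstat shows 3 additions for this file against 2 for the rest); drop one of them so the templates stay uniform. The lines preceding this hunk are not visible here.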
+++ b/src/User/templates/user/request-reset-form.html.twig
@@ -22,6 +22,8 @@
 {% set dummy = identity.setAttribute('placeholder', elementTranslatePlaceholder) %}
 {{ formElement(identity) }}
+ {{ formElement(form.get('request_reset_password_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}
diff --git a/src/User/templates/user/reset-password-form.html.twig b/src/User/templates/user/reset-password-form.html.twig
index 5eb3efa2..fd1368c8 100644
--- a/src/User/templates/user/reset-password-form.html.twig
+++ b/src/User/templates/user/reset-password-form.html.twig
@@ -27,6 +27,8 @@
 {% set dummy = passwordConfirm.setAttribute('placeholder', elementTranslatePlaceholder) %}
 {{ formElement(passwordConfirm) }}
+ {{ formElement(form.get('reset_password_csrf')) }}
+
 {% set submit = form.get('submit') %}
 {% set submitValue = submit.getValue|trans|raw %}
 {% set dummy = submit.setAttribute('value', submitValue) %}