php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled


CSRF protection is disabled for this configuration. This is a security risk. Confirm that this is intended and safe, or set the `csrf_protection` option to `true`.


Definition

rules:
  - id: symfony-csrf-protection-disabled
    # Reports PHP call sites that switch Symfony's CSRF check off by passing
    # 'csrf_protection' => false. The value is matched either as a literal or
    # as a variable ($VAL) that was assigned `false` earlier in the same scope.
    patterns:
      - pattern-either:
          # Per-form: the options array handed to createForm(). The `...`
          # around the key means other options may appear before or after it.
          - pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => false, ...],
              ...)
          # Framework-wide: configuration pushed into the 'framework' extension
          # from a DI extension / bundle. Only the literal 'framework' name matches.
          - pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' =>
              false, ...], ...)
          - pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => false,
              ...], ...)
          # Form-type default: OptionsResolver::setDefaults(), typically from
          # configureOptions() of an AbstractType.
          - pattern: $X->setDefaults([..., 'csrf_protection' => false, ...], ...)
          # Same four call shapes with a variable value. These only fire when
          # the pattern-inside below also holds.
          - patterns:
              - pattern-either:
                  - pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => $VAL, ...],
                      ...)
                  - pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' =>
                      $VAL, ...], ...)
                  - pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => $VAL,
                      ...], ...)
                  - pattern: $X->setDefaults([..., 'csrf_protection' => $VAL, ...], ...)
              # $VAL must have been assigned the literal `false` before the call.
              # A variable set to `null`, read from config, or computed at
              # runtime does not satisfy this and is not reported.
              - pattern-inside: |
                  $VAL = false;
                  ...
    message: CSRF protection is disabled for this configuration. This is a security
      risk. Make sure that it is safe or consider setting `csrf_protection`
      property to `true`.
    metadata:
      references:
        - https://symfony.com/doc/current/security/csrf.html
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - symfony
      cwe2022-top25: true
      cwe2021-top25: true
      # Audit-grade finding: the rule sees PHP only (see `languages`), so the
      # same setting made in YAML/XML framework config is outside its reach,
      # and a disabled token check may be deliberate (e.g. an API endpoint
      # protected another way). Hence LOW likelihood/confidence.
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - php
    severity: WARNING

Examples

symfony-csrf-protection-disabled.php

<?php

use Symfony\Component\Form\AbstractType;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;


class Type extends AbstractType
{
  // Fixture for the rule's `$X->setDefaults([..., 'csrf_protection' => ..., ...], ...)`
  // pattern. Each call below is one test case: lines tagged "ruleid:" must be
  // reported by the rule, lines tagged "ok:" must not.
  public function configureOptions(OptionsResolver $resolver)
  {
    // Literal false next to another default. The `...` in the pattern allows
    // surrounding keys, so the position of the key does not matter.
      // ruleid: symfony-csrf-protection-disabled
    $resolver->setDefaults([
      'data_class'      => Type::class,
      'csrf_protection' => false
    ]);

    // Legacy array() syntax is matched the same way as short array syntax.
    // ruleid: symfony-csrf-protection-disabled
    $resolver->setDefaults(array(
      'csrf_protection' => false
    ));


    // The value is a variable. This is reported only because the rule's
    // pattern-inside finds `$csrf = false;` earlier in the same function.
    $csrf = false;
    // ruleid: symfony-csrf-protection-disabled
    $resolver->setDefaults([
      'csrf_protection' => $csrf
    ]);

    // Explicitly enabled: nothing to report.
    // ok: symfony-csrf-protection-disabled
    $resolver->setDefaults([
      'csrf_protection' => true
    ]);

    // The option is not mentioned at all, so there is nothing for the rule
    // to match.
    // ok: symfony-csrf-protection-disabled
    $resolver->setDefaults([
      'data_class' => Type::class,
    ]);

    // Opaque variable instead of an array literal: the rule cannot see its
    // contents, so it is not reported. ($options is not defined in this
    // fixture; only the call shape matters.)
    // ok: symfony-csrf-protection-disabled
    $resolver->setDefaults($options);
  }
}

class TestExtension extends Extension implements PrependExtensionInterface
{
  // Fixture for the `prependExtensionConfig('framework', ...)` and
  // `loadFromExtension('framework', ...)` patterns. "ruleid:" lines must be
  // reported, "ok:" lines must not.
  public function prepend(ContainerBuilder $container)
  {

    // Literal false as the only key.
    // ruleid: symfony-csrf-protection-disabled
    $container->prependExtensionConfig('framework', ['csrf_protection' => false,]);

    // Literal false after an unrelated key; the `...` in the pattern covers it.
    // ruleid: symfony-csrf-protection-disabled
    $container->prependExtensionConfig('framework', ['something_else' => true, 'csrf_protection' => false,]);

    // Variable value, reported via the rule's pattern-inside because
    // `$csrfOption = false;` precedes the call in the same scope.
    $csrfOption = false;
    // ruleid: symfony-csrf-protection-disabled
    $container->prependExtensionConfig('framework', ['csrf_protection' => $csrfOption,]);

    // Same check for loadFromExtension().
    // ruleid: symfony-csrf-protection-disabled
    $container->loadFromExtension('framework', ['csrf_protection' => false,]);

    // `null` is outside the rule's scope: it matches only the literal `false`
    // or a variable assigned `false`, whatever Symfony makes of `null`.
    // ok: symfony-csrf-protection-disabled
    $container->loadFromExtension('framework', ['csrf_protection' => null,]);

    // Explicitly enabled: nothing to report.
    // ok: symfony-csrf-protection-disabled
    $container->prependExtensionConfig('framework', ['csrf_protection' => true,]);

    // `null` again, see above.
    // ok: symfony-csrf-protection-disabled
    $container->prependExtensionConfig('framework', ['csrf_protection' => null,]);

    // Different extension name: the pattern requires the literal 'framework',
    // so a 'csrf_protection' key under any other extension is not reported.
    // ok: symfony-csrf-protection-disabled
    $container->prependExtensionConfig('something_else', ['csrf_protection' => false,]);
  }
}

class MyController1 extends AbstractController
{
  // Fixture for the `$X->createForm($TYPE, $TASK, [..., 'csrf_protection' => ..., ...], ...)`
  // pattern. TaskType and $task are not defined here; only the call shape is
  // exercised. "ruleid:" lines must be reported, "ok:" lines must not.
  public function action()
  {
    // Literal false after an unrelated option; the `...` in the pattern
    // allows other keys before or after it.
    // ruleid: symfony-csrf-protection-disabled
    $this->createForm(TaskType::class, $task, [
      'other_option' => false,
      'csrf_protection' => false,
    ]);

    // Legacy array() syntax is matched the same way as short array syntax.
    // ruleid: symfony-csrf-protection-disabled
    $this->createForm(TaskType::class, $task, array(
      'csrf_protection' => false,
    ));

    // Variable value, reported via the rule's pattern-inside because
    // `$csrf = false;` precedes the call in the same scope.
    $csrf = false;
    // ruleid: symfony-csrf-protection-disabled
    $this->createForm(TaskType::class, $task, array(
      'csrf_protection' => $csrf,
    ));

    // Explicitly enabled: nothing to report.
      // ok: symfony-csrf-protection-disabled
    $this->createForm(TaskType::class, $task, ['csrf_protection' => true]);

    // Another option set to false, but not 'csrf_protection': the rule keys on
    // the option name, not on any `false` value.
    // ok: symfony-csrf-protection-disabled
    $this->createForm(TaskType::class, $task, ['other_option' => false]);

    // Unrelated call, present only so the method body does not end with a
    // form-creation statement.
    $this->redirectToRoute('/');
  }
}