It's possible to cause an Illuminate\Contracts\Encryption\DecryptException: The payload is invalid. exception to be thrown by passing an X-XSRF-TOKEN header with invalid data.
This gets logged in the error.log.
X-XSRF-TOKEN using invalid data, for example "INVALID_DATA".

What exactly is the issue?
This sounds like expected behavior if you pass a malformed CSRF string.
Considering the X-XSRF-TOKEN is a user input, and the user can cause the error themselves, I think the error should be handled.
@taylorotwell I got an issue with Sanctum. My XSRF-TOKEN contains malformed data:
eyJpdiI6IjA5V0VUaGJnMWVsUEtHVG56bVhKenc9PSIsInZhbHVlIjoiTVJNZGtBdGprcnd1dEtwaEV6UmdXOS9pTTZZckc1eThQWjNBb0RucDd4TzRLVWFXSnlhdVNDTkJPalVxWUMxSiIsIm1hYyI6IjNhNzY0ODJlNTkyZWYyYzUwMGQ5ZmNkY2E1ZjU2NTZiYjk0YjAwMWQ4ZTgyNzRhMzFhMzc1NDJiZTFlY2FjOTQifQ%3D%3D
Notice the 3D, which in turn becomes a 401 when I navigate after a successful login in Sanctum; if I manually change it to ==, it works. I am using cookie as the session driver.
PHP - urldecode($token)
JavaScript - decodeURIComponent(token) // decodeURI() leaves reserved characters such as %3D ("=") encoded, so it would not fix the token above
Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:155

    /**
     * Get the CSRF token from the request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return string
     */
    protected function getTokenFromRequest($request)
    {
        $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized())); // line #155
        }

        return $token;
    }
Here we call the decrypt method, which throws DecryptException for invalid payloads taken from the client's request (the X-XSRF-TOKEN header). Consider try-catch-ing it and returning an empty string on DecryptException (since the client has not passed a valid token). Another possibility is try-catch-ing the call to getTokenFromRequest in the tokensMatch method and returning false on the same exception, in Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:137:
    /**
     * Determine if the session and input CSRF tokens match.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    protected function tokensMatch($request)
    {
        $token = $this->getTokenFromRequest($request); // line #137

        return is_string($request->session()->token()) &&
               is_string($token) &&
               hash_equals($request->session()->token(), $token);
    }
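As an added example (not code from this issue or from the laravel/framework repository), here is how an application can apply the first of the two suggestions above without waiting for a framework change: override getTokenFromRequest in the app's own VerifyCsrfToken middleware and catch DecryptException there, so a malformed X-XSRF-TOKEN header is treated as "no token supplied" rather than surfacing as an unhandled exception in error.log. It assumes a standard Laravel application layout where App\Http\Middleware\VerifyCsrfToken extends the framework middleware and inherits the protected $encrypter property used on line 155.

```php
<?php
// Added example, not part of the issue or of laravel/framework.
// Assumes the usual App\Http\Middleware\VerifyCsrfToken subclass that a
// Laravel application ships with.

namespace App\Http\Middleware;

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Cookie\CookieValuePrefix;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * Get the CSRF token from the request.
     *
     * Same lookup order as the parent: _token input, then X-CSRF-TOKEN,
     * then the encrypted X-XSRF-TOKEN header. The difference is that a
     * header the encrypter rejects (wrong base64, bad MAC, garbage such
     * as "INVALID_DATA") yields an empty token instead of throwing.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return string
     */
    protected function getTokenFromRequest($request)
    {
        $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
            try {
                $token = CookieValuePrefix::remove(
                    $this->encrypter->decrypt($header, static::serialized())
                );
            } catch (DecryptException $e) {
                // The header is client-controlled input. Returning '' means
                // tokensMatch() fails its hash_equals() check and the request
                // is rejected as a token mismatch, which is the same outcome
                // as sending no token at all, and nothing is logged as an
                // application error.
                $token = '';
            }
        }

        return $token;
    }
}
```

With this override in place the request with an invalid header is refused by tokensMatch() exactly as a request with a missing token would be, so there is no change in what a legitimate client has to send; only the failure mode for bad input changes from an exception to a normal mismatch. If the second suggestion (catching in tokensMatch) is preferred instead, the same DecryptException import applies and the catch returns false.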