Andrii Yatsenko (anyt)

OWASP CSRF Protection Concerns and Symfony's Response

Background

This document analyzes the OWASP security concerns raised during the development of Symfony's stateless CSRF protection feature, based on GitHub PR #58095.

OWASP Concerns Raised

Initial Challenge by @jderusse

anyt / behat.yml.dist
Last active December 10, 2021 11:56
Run OroCommerce behat tests in headless mode
imports:
  - behat.yml.dist
default: &default
  extensions: &default_extensions
    Behat\MinkExtension:
      base_url: 'http://oro.ee.local'
      sessions:
        second_session:
          oroSelenium2:
composer create-project davidrjonas/composer-lock-diff:^1.0 --working-dir=$APP_ROOT
local composer_diff=$(php -derror_reporting=0 ./composer-lock-diff/composer-lock-diff --from HEAD:composer.lock --to composer.lock --md)
rm -rf ${APP_ROOT}/composer-lock-diff
git commit -a -m "Updated composer.locks
${composer_diff}" || fatal "Can't commit to git"

Run on changed files:

php bin/phpcs {} -p --encoding=utf-8 --extensions=php --standard=vendor/oro/platform/build/Oro/phpcs.xml

php bin/php-cs-fixer fix {} --verbose --dry-run --config=vendor/oro/platform/build/.php-cs-fixer.php

php bin/phpmd {} text vendor/oro/platform/build/phpmd.xml --suffixes php 

where {} is the changed file
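As an added example (not part of the gist), a POSIX shell wrapper that fills in the `{}` placeholder: it lists the PHP files changed relative to a base ref, runs the three checks above on each one, and exits non-zero if any check fails. The `bin/` tool paths and the `vendor/oro/platform/build` config paths are the ones from the commands above; `BASE_REF` defaulting to `origin/master`, the `lint-changed.sh` file name and running from the application root are assumptions.

```shell
#!/bin/sh
# Added example: run the three Oro code-quality checks only on changed PHP files.
# Assumes it is executed from the application root where bin/ and vendor/ live.

BASE_REF="${BASE_REF:-origin/master}"   # assumption: ref the branch is compared against
PHPCS_STD="vendor/oro/platform/build/Oro/phpcs.xml"
CSFIXER_CFG="vendor/oro/platform/build/.php-cs-fixer.php"
PHPMD_RULES="vendor/oro/platform/build/phpmd.xml"

# Keep only existing *.php paths from a newline-separated list on stdin.
# Deleted or renamed-away files are dropped so the tools never get a missing path.
php_files() {
    while IFS= read -r path; do
        case "$path" in
            *.php) if [ -f "$path" ]; then printf '%s\n' "$path"; fi ;;
        esac
    done
}

# PHP files added, copied, modified or renamed between BASE_REF and the working tree.
changed_php_files() {
    git diff --name-only --diff-filter=ACMR "$BASE_REF" -- '*.php' | php_files
}

# Run all three checks on one file; return non-zero if any of them fails.
# All three run even when the first fails, so one pass reports every problem.
check_file() {
    file="$1"
    rc=0
    php bin/phpcs "$file" -p --encoding=utf-8 --extensions=php --standard="$PHPCS_STD" || rc=1
    php bin/php-cs-fixer fix "$file" --verbose --dry-run --config="$CSFIXER_CFG" || rc=1
    php bin/phpmd "$file" text "$PHPMD_RULES" --suffixes php || rc=1
    return "$rc"
}

# Check every changed file; the loop runs in the current shell (here-document,
# not a pipe) so the failed flag survives to the return statement.
main() {
    failed=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        check_file "$f" || failed=1
    done <<EOF
$(changed_php_files)
EOF
    return "$failed"
}

# Only run the checks when invoked as `sh lint-changed.sh run`, so the
# functions can also be sourced and exercised on their own.
case "${1:-}" in
    run) main; exit "$?" ;;
esac
```

Use `BASE_REF=origin/maintenance-41 sh lint-changed.sh run` in CI to gate a merge request on its own changes only; because the tools run per file, a single offending file does not hide problems in the others.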

{"paths":["\/Users\/anyt\/Sites\/laboro\/maintenance-41\/package\/platform\/src\/Oro\/Bundle\/WsseAuthenticationBundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/package\/platform\/src\/Oro\/Bundle\/CacheBundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/application\/commerce-crm-ee\/vendor\/symfony\/symfony\/src\/Symfony\/Bundle\/FrameworkBundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/application\/commerce-crm-ee\/vendor\/gos\/pubsub-router-bundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/application\/commerce-crm-ee\/vendor\/symfony\/acl-bundle\/src","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/application\/commerce-crm-ee\/vendor\/symfony\/symfony\/src\/Symfony\/Bundle\/SecurityBundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/package\/platform\/src\/Oro\/Bundle\/SyncBundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/application\/commerce-crm-ee\/vendor\/symfony\/symfony\/src\/Symfony\/Bundle\/TwigBundle","\/Users\/anyt\/Sites\/laboro\/maintenance-41\/application\/commerce
  1. Install PHP 7.4 with all required extensions.
sudo apt -y install php \
      php-fpm \
      php-cli \
      php-pdo \
      php-mysqlnd \
      php-xml \
      php-soap \
      php-gd \
anyt / DemoBundle\Resources\views\layouts\default\oro_product_frontend_product_index\page\sidebar_filters.yml
Last active April 10, 2020 13:47
Move OroCommerce storefront datagrid filters to the left sidebar
layout:
  actions:
    - '@move':
        id: product_datagrid_cell__product_add_to_cart_button_wrapper
        parentId: product_datagrid_row_product_line_item_form_buttons
        prepend: true
    - '@move':
        id: product_datagrid_toolbar_filter_container
        parentId: page_sidebar
    - '@move':
  1. Install PHP 7.3
brew install php@7.3
  2. Run the commands printed at the end of the output of the command above. In my environment there are two of them after this phrase:

If you need to have php@7.3 first in your PATH run:

 echo 'export PATH="/usr/local/opt/php@7.3/bin:$PATH"' >> ~/.zshrc

Docker

Pgsql

Backup

docker exec -t $(docker-compose ps -q pgsql) pg_dumpall -c -U oro_db_user > dump.psql

Restore

anyt / AppBundle.php
Last active May 17, 2018 16:06
Translate Task Priority field
<?php
namespace AppBundle;
use Symfony\Component\HttpKernel\Bundle\Bundle;
class AppBundle extends Bundle
{
}