Craft 4.18

CHANGELOG-WIP.md

@@ -0,0 +1,4 @@
+# Release Notes for Craft CMS 4.18 (WIP)
+
+### Development
+- Added `craft\filters\SecFetchSiteFilter` for request origin verification. ([#18641](https://github.com/craftcms/cms/pull/18641))

src/filters/SecFetchSiteFilter.php

@@ -0,0 +1,74 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace craft\filters;
+
+use Craft;
+use yii\base\ActionFilter;
+use yii\web\BadRequestHttpException;
+
+/**
+ * Action filter for validating the `Sec-Fetch-Site` header.
+ *
+ * @since 4.18.0
+ */
+class SecFetchSiteFilter extends ActionFilter
+{
+    use ConditionalFilterTrait;
+
+    /**
+     * Whether to use origin verification only (no CSRF token fallback).
+     */
+    public bool $originOnly = true;
+
+    /**
+     * Whether to accept `same-site` in addition to `same-origin` (e.g. subdomains).
+     */
+    public bool $allowSameSite = false;
+
+    public string $headerName = 'Sec-Fetch-Site';
+
+    public ?string $errorMessage = null;
+
+    public ?array $safeMethods = null;
+
+    /**
+     * @inheritdoc
+     */
+    public function beforeAction($action): bool
+    {
+        $this->setDefaults();
+
+        $request = Craft::$app->getRequest();
+
+        if (in_array($request->getMethod(), $this->safeMethods, true)) {
+            return true;
+        }
+
+        $secFetchSite = $request->getHeaders()->get($this->headerName);
+
+        if ($secFetchSite === 'same-origin') {
+            return true;
+        }
+
+        if ($secFetchSite === 'same-site' && $this->allowSameSite) {
+            return true;
+        }
+
+        if ($this->originOnly) {
+            throw new BadRequestHttpException($this->errorMessage);
+        }
+
+        return true;
+    }
+
+    private function setDefaults(): void
+    {
+        $this->safeMethods = $this->safeMethods ?? Craft::$app->getRequest()->csrfTokenSafeMethods;
+        $this->errorMessage = $this->errorMessage ?? Craft::t('yii', 'Unable to verify your data submission.');
+    }
+}

tests/unit/filters/SecFetchSiteFilterTest.php

@@ -0,0 +1,125 @@
+<?php
+/**
+ * @link https://craftcms.com/
+ * @copyright Copyright (c) Pixel & Tonic, Inc.
+ * @license https://craftcms.github.io/license/
+ */
+
+namespace crafttests\unit\filters;
+
+use Craft;
+use craft\filters\SecFetchSiteFilter;
+use craft\test\TestCase;
+use craft\web\Request;
+use yii\base\Action;
+use yii\web\BadRequestHttpException;
+use yii\web\Controller;
+
+/**
+ * Unit tests for SecFetchSiteFilter
+ *
+ * @author Pixel & Tonic, Inc. <support@pixelandtonic.com>
+ * @since 4.18.0
+ */
+class SecFetchSiteFilterTest extends TestCase
+{
+    private SecFetchSiteFilter $filter;
+    private Action $action;
+    private Request $request;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $controller = $this->createMock(Controller::class);
+        $this->action = new Action('test-action', $controller);
+        $this->filter = new SecFetchSiteFilter();
+        $this->request = Craft::$app->getRequest();
+    }
+
+    public function testAllowsSameOriginForUnsafeMethods(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $this->request->getHeaders()->set('Sec-Fetch-Site', 'same-origin');
+
+        self::assertTrue($this->filter->beforeAction($this->action));
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+
+    public function testAllowsSameSiteWhenConfigured(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $this->request->getHeaders()->set('Sec-Fetch-Site', 'same-site');
+
+        $this->filter->allowSameSite = true;
+        self::assertTrue($this->filter->beforeAction($this->action));
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+
+    public function testAllowsFallbackWhenHeaderMissingAndNotOriginOnly(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $this->request->getHeaders()->remove('Sec-Fetch-Site');
+
+        $this->filter->originOnly = false;
+        self::assertTrue($this->filter->beforeAction($this->action));
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+
+    public function testRejectsWhenOriginOnlyAndHeaderInvalid(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $this->request->getHeaders()->set('Sec-Fetch-Site', 'cross-site');
+
+        $this->filter->originOnly = true;
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->filter->beforeAction($this->action);
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+
+    public function testEnforcesWhenCsrfDisabled(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $this->request->getHeaders()->set('Sec-Fetch-Site', 'cross-site');
+
+        $original = $this->request->enableCsrfValidation;
+        $this->request->enableCsrfValidation = false;
+
+        try {
+            $this->filter->originOnly = true;
+            $this->expectException(BadRequestHttpException::class);
+            $this->filter->beforeAction($this->action);
+        } finally {
+            $this->request->enableCsrfValidation = $original;
+        }
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+
+    public function testSkipsSafeMethods(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+        $this->request->getHeaders()->set('Sec-Fetch-Site', 'cross-site');
+
+        $this->filter->originOnly = true;
+        self::assertTrue($this->filter->beforeAction($this->action));
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+
+    public function testInvalidHeaderFallsThroughWhenNotOriginOnly(): void
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $this->request->getHeaders()->set('Sec-Fetch-Site', 'cross-site');
+
+        $this->filter->originOnly = false;
+        self::assertTrue($this->filter->beforeAction($this->action));
+
+        unset($_SERVER['REQUEST_METHOD']);
+    }
+}