Merge branch 'master' into release-7.0

Author: tvdijen

src/Cas/Ticket/FileSystemTicketStore.php

@@ -27,6 +27,7 @@
 
 use Exception;
 use SimpleSAML\Configuration;
+use SimpleSAML\XML\Assert\Assert;
 
 class FileSystemTicketStore extends TicketStore
 {
@@ -66,12 +67,15 @@ public function __construct(Configuration $config)
      */
     public function getTicket(string $ticketId): ?array
     {
-        $filename = $this->pathToTicketDirectory . '/' . $ticketId;
+        $filename = $this->validateTicketPath($ticketId);
 
         if (file_exists($filename)) {
             $content = file_get_contents($filename);
 
-            return unserialize($content);
+            $result = unserialize($content, ['allowed_classes' => false]);
+            Assert::isArray($result, "Failed to unserialize ticket.");
+
+            return $result;
         } else {
             return null;
         }
@@ -83,7 +87,7 @@ public function getTicket(string $ticketId): ?array
      */
     public function addTicket(array $ticket): void
     {
-        $filename = $this->pathToTicketDirectory . '/' . $ticket['id'];
+        $filename = $this->validateTicketPath($ticket['id']);
         file_put_contents($filename, serialize($ticket));
     }
 
@@ -93,10 +97,42 @@ public function addTicket(array $ticket): void
      */
     public function deleteTicket(string $ticketId): void
     {
-        $filename = $this->pathToTicketDirectory . '/' . $ticketId;
+        $filename = $this->validateTicketPath($ticketId);
 
         if (file_exists($filename)) {
             unlink($filename);
         }
     }
+
+
+    /**
+     * @param string $ticketId
+     * @return string
+     * @throws \Exception
+     */
+    private function validateTicketPath(string $ticketId): string
+    {
+        if ($ticketId === '') {
+            throw new Exception('Invalid ticketId provided.');
+        }
+
+        // Prevent directory traversal and path separators.
+        // CAS tickets are typically like: ST-..., PT-..., PGT-..., etc. Hyphens are ok.
+        if (
+            str_contains($ticketId, '/')
+            || str_contains($ticketId, '\\')
+            || str_contains($ticketId, '..')
+        ) {
+            throw new Exception('Invalid ticketId provided.');
+        }
+
+        $baseDir = realpath($this->pathToTicketDirectory);
+        if ($baseDir === false) {
+            throw new Exception('Ticket storage directory is not accessible.');
+        }
+
+        // Store tickets as hashed filenames inside the ticket directory.
+        // (Avoids issues with special chars / very long filenames.)
+        return $baseDir . '/' . sha1($ticketId);
+    }
 }

src/Controller/Cas10Controller.php

@@ -101,6 +101,14 @@ public function validate(
             );
         }
 
+        if ($ticket === '' || str_contains($ticket, "\0")) {
+            Logger::debug('casserver: Illegal value for ticket parameter.');
+            return new Response(
+                $this->cas10Protocol->getValidateFailureResponse(),
+                Response::HTTP_BAD_REQUEST,
+            );
+        }
+
         try {
             // Get the service ticket
             // `getTicket` uses the unserializable method and Objects may throw Throwables in their

src/Controller/Traits/TicketValidatorTrait.php

@@ -51,6 +51,16 @@ public function validate(
             );
         }
 
+        if ($ticket === '' || str_contains($ticket, "\0")) {
+            $message = 'Illegal value for ticket parameter.';
+            Logger::debug($message);
+
+            return new XmlResponse(
+                (string) $this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_REQUEST, $message),
+                Response::HTTP_BAD_REQUEST,
+            );
+        }
+
         try {
             // Get the service ticket
             // `getTicket` uses the unserializable method and Objects may throw "Throwables" in their

tests/src/Controller/Cas10ControllerTest.php

@@ -116,6 +116,43 @@ public function testReturnBadRequestOnEmptyServiceOrTicket(array $params): void
     }
 
 
+    public static function illegalTicketValues(): array
+    {
+        return [
+            'Ticket is empty string' => [
+                ['service' => 'https://myservice.com/abcd', 'ticket' => ''],
+            ],
+            'Ticket contains NUL byte' => [
+                ['service' => 'https://myservice.com/abcd', 'ticket' => "ST-\0-123"],
+            ],
+        ];
+    }
+
+
+    /**
+     * @param array $params
+     *
+     * @return void
+     * @throws \Exception
+     */
+    #[DataProvider('illegalTicketValues')]
+    public function testReturnBadRequestOnIllegalTicketValue(array $params): void
+    {
+        $config = Configuration::loadFromArray($this->moduleConfig);
+
+        $request = Request::create(
+            uri: 'http://localhost',
+            parameters: $params,
+        );
+
+        $cas10Controller = new Cas10Controller($this->sspConfig, $config);
+        $response = $cas10Controller->validate($request, ...$params);
+
+        $this->assertEquals(400, $response->getStatusCode());
+        $this->assertEquals("no\n\n", $response->getContent());
+    }
+
+
     /**
      * @return void
      * @throws \Exception

tests/src/Controller/Cas20ControllerTest.php

@@ -406,6 +406,50 @@ public function testServiceValidateFailing(array $requestParams, string $message
     }
 
 
+    public static function validateFailsForIllegalTicketValue(): array
+    {
+        return [
+            'Ticket is empty string' => [
+                ['service' => 'http://localhost', 'ticket' => ''],
+                'Illegal value for ticket parameter.',
+            ],
+            'Ticket contains NUL byte' => [
+                ['service' => 'http://localhost', 'ticket' => "ST-\0-123"],
+                'Illegal value for ticket parameter.',
+            ],
+        ];
+    }
+
+
+    #[DataProvider('validateFailsForIllegalTicketValue')]
+    public function testServiceValidateFailsForIllegalTicketValue(array $requestParams, string $message): void
+    {
+        $casconfig = Configuration::loadFromArray($this->moduleConfig);
+        $request = Request::create(
+            uri:        '/',
+            parameters: $requestParams,
+        );
+
+        $cas20Controller = new Cas20Controller(
+            $this->sspConfig,
+            $casconfig,
+        );
+
+        $response = $cas20Controller->serviceValidate($request, ...$requestParams);
+
+        $this->assertEquals(Response::HTTP_BAD_REQUEST, $response->getStatusCode());
+        $this->assertStringContainsString($message, (string) $response->getContent());
+
+        $xml = simplexml_load_string((string) $response->getContent());
+        $xml->registerXPathNamespace('cas', 'serviceResponse');
+        $this->assertEquals('serviceResponse', $xml->getName());
+        $this->assertEquals(
+            C::ERR_INVALID_REQUEST,
+            $xml->xpath('//cas:authenticationFailure')[0]->attributes()['code'],
+        );
+    }
+
+
     public function testReturn500OnDeleteTicketThatThrows(): void
     {
         $config = Configuration::loadFromArray($this->moduleConfig);

tests/src/Ticket/FileSystemTicketStoreTest.php

@@ -0,0 +1,172 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\casserver\Tests\Cas\Ticket;
+
+use Exception;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Configuration;
+use SimpleSAML\Module\casserver\Cas\Ticket\FileSystemTicketStore;
+
+final class FileSystemTicketStoreTest extends TestCase
+{
+    private string $ticketDir;
+
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $base = rtrim(sys_get_temp_dir(), DIRECTORY_SEPARATOR)
+            . DIRECTORY_SEPARATOR
+            . 'casserver-ticketstore-test-'
+            . bin2hex(random_bytes(8));
+
+        if (!mkdir($base, 0700, true) && !is_dir($base)) {
+            self::fail('Failed to create test directory: ' . $base);
+        }
+
+        $this->ticketDir = $base;
+    }
+
+
+    protected function tearDown(): void
+    {
+        $this->rmrf($this->ticketDir);
+        parent::tearDown();
+    }
+
+
+    public function testPathTraversalCannotReadOrUnserializeOutsideTicketDirectory(): void
+    {
+        $outsideFile = dirname($this->ticketDir) . DIRECTORY_SEPARATOR . 'outside-' . bin2hex(random_bytes(6)) . '.ser';
+        file_put_contents($outsideFile, serialize(['pwn' => true]));
+
+        $store = $this->createStore($this->ticketDir);
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('Invalid ticketId provided.');
+        $store->getTicket('../' . basename($outsideFile));
+    }
+
+
+    public function testValidateTicketPathThrowsOnEmptyTicketId(): void
+    {
+        $store = $this->createStore($this->ticketDir);
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('Invalid ticketId provided.');
+        $this->invokeValidateTicketPath($store, '');
+    }
+
+
+    public function testValidateTicketPathThrowsOnForwardSlash(): void
+    {
+        $store = $this->createStore($this->ticketDir);
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('Invalid ticketId provided.');
+        $this->invokeValidateTicketPath($store, 'ST-123/456');
+    }
+
+
+    public function testValidateTicketPathThrowsOnBackslash(): void
+    {
+        $store = $this->createStore($this->ticketDir);
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('Invalid ticketId provided.');
+        $this->invokeValidateTicketPath($store, 'ST-123\\456');
+    }
+
+
+    public function testValidateTicketPathThrowsOnDotDot(): void
+    {
+        $store = $this->createStore($this->ticketDir);
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('Invalid ticketId provided.');
+        $this->invokeValidateTicketPath($store, 'ST-..-123');
+    }
+
+
+    public function testValidateTicketPathThrowsWhenTicketStorageDirectoryIsNotAccessible(): void
+    {
+        $store = $this->createStore($this->ticketDir);
+
+        $rp = new \ReflectionProperty($store, 'pathToTicketDirectory');
+        $rp->setAccessible(true);
+        $rp->setValue($store, $this->ticketDir . DIRECTORY_SEPARATOR . 'does-not-exist-' . bin2hex(random_bytes(4)));
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('Ticket storage directory is not accessible.');
+        $this->invokeValidateTicketPath($store, 'ST-12345');
+    }
+
+
+    public function testValidateTicketPathReturnsAFileInsideTicketDirectory(): void
+    {
+        $store = $this->createStore($this->ticketDir);
+
+        $ticketId = 'ST-' . bin2hex(random_bytes(8));
+        $path = $this->invokeValidateTicketPath($store, $ticketId);
+
+        $realBase = realpath($this->ticketDir);
+        self::assertIsString($realBase);
+
+        self::assertStringStartsWith($realBase . DIRECTORY_SEPARATOR, $path);
+        self::assertSame($realBase . DIRECTORY_SEPARATOR . sha1($ticketId), $path);
+    }
+
+
+    private function createStore(string $ticketDir): FileSystemTicketStore
+    {
+        $config = Configuration::loadFromArray([
+            'ticketstore' => [
+                'directory' => $ticketDir,
+            ],
+        ]);
+
+        return new FileSystemTicketStore($config);
+    }
+
+
+    private function invokeValidateTicketPath(FileSystemTicketStore $store, string $ticketId): string
+    {
+        $rm = new \ReflectionMethod($store, 'validateTicketPath');
+        $rm->setAccessible(true);
+
+        $result = $rm->invoke($store, $ticketId);
+        self::assertIsString($result);
+
+        return $result;
+    }
+
+
+    private function rmrf(string $path): void
+    {
+        if ($path === '' || !file_exists($path)) {
+            return;
+        }
+
+        if (is_file($path) || is_link($path)) {
+            @unlink($path);
+            return;
+        }
+
+        $items = scandir($path);
+        if ($items === false) {
+            return;
+        }
+
+        foreach ($items as $item) {
+            if ($item === '.' || $item === '..') {
+                continue;
+            }
+            $this->rmrf($path . DIRECTORY_SEPARATOR . $item);
+        }
+
+        @rmdir($path);
+    }
+}