[WebProfilerBundle] Fix CORS ajax security issues

romainneutron · romainneutron · commit cd33ed0f22e4 · 2016-04-02T12:36:07.000+02:00
diff --git a/src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/Configuration.php
@@ -45,6 +45,7 @@ public function getConfigTreeBuilder()
                     ->end()
                 ->end()
                 ->booleanNode('intercept_redirects')->defaultFalse()->end()
+                ->booleanNode('enable_cors')->defaultFalse()->end()
                 ->scalarNode('excluded_ajax_paths')->defaultValue('^/(app(_[\\w]+)?\\.php/)?_wdt')->end()
             ->end()
         ;
diff --git a/src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/WebProfilerExtension.php b/src/Symfony/Bundle/WebProfilerBundle/DependencyInjection/WebProfilerExtension.php
@@ -49,6 +49,7 @@ public function load(array $configs, ContainerBuilder $container)
         if ($config['toolbar'] || $config['intercept_redirects']) {
             $loader->load('toolbar.xml');
             $container->getDefinition('web_profiler.debug_toolbar')->replaceArgument(5, $config['excluded_ajax_paths']);
+            $container->getDefinition('web_profiler.debug_toolbar')->replaceArgument(6, $config['enable_cors']);
             $container->setParameter('web_profiler.debug_toolbar.intercept_redirects', $config['intercept_redirects']);
             $container->setParameter('web_profiler.debug_toolbar.mode', $config['toolbar'] ? WebDebugToolbarListener::ENABLED : WebDebugToolbarListener::DISABLED);
         }
diff --git a/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php b/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php
@@ -40,15 +40,17 @@ class WebDebugToolbarListener implements EventSubscriberInterface
     protected $mode;
     protected $position;
     protected $excludedAjaxPaths;
+    protected $enableCors;
 
-    public function __construct(\Twig_Environment $twig, $interceptRedirects = false, $mode = self::ENABLED, $position = 'bottom', UrlGeneratorInterface $urlGenerator = null, $excludedAjaxPaths = '^/bundles|^/_wdt')
+    public function __construct(\Twig_Environment $twig, $interceptRedirects = false, $mode = self::ENABLED, $position = 'bottom', UrlGeneratorInterface $urlGenerator = null, $excludedAjaxPaths = '^/bundles|^/_wdt', $enableCors = false)
     {
         $this->twig = $twig;
         $this->urlGenerator = $urlGenerator;
         $this->interceptRedirects = (bool) $interceptRedirects;
         $this->mode = (int) $mode;
         $this->position = $position;
         $this->excludedAjaxPaths = $excludedAjaxPaths;
+        $this->enableCors = $enableCors;
     }
 
     public function isEnabled()
@@ -123,6 +125,7 @@ protected function injectToolbar(Response $response, Request $request)
                     'excluded_ajax_paths' => $this->excludedAjaxPaths,
                     'token' => $response->headers->get('X-Debug-Token'),
                     'request' => $request,
+                    'enable_cors' => $this->enableCors,
                 )
             ))."\n";
             $content = substr($content, 0, $pos).$toolbar.substr($content, $pos);
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Resources/config/toolbar.xml b/src/Symfony/Bundle/WebProfilerBundle/Resources/config/toolbar.xml
@@ -17,6 +17,7 @@
             <argument>%web_profiler.debug_toolbar.position%</argument>
             <argument type="service" id="router" on-invalid="ignore" />
             <argument /> <!-- paths that should be excluded from the AJAX requests shown in the toolbar -->
+            <argument /> <!-- enable CORS AJAX requests shown in the toolbar -->
         </service>
     </services>
 </container>
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig b/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig
@@ -208,12 +208,15 @@
         {% if excluded_ajax_paths is defined %}
             if (window.XMLHttpRequest && XMLHttpRequest.prototype.addEventListener) {
                 var proxied = XMLHttpRequest.prototype.open;
+                var enable_cors = {{ enable_cors ? 'true' : 'false' }};
 
                 XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
                     var self = this;
 
                     /* prevent logging AJAX calls to static and inline files, like templates */
                     var path = url;
+                    var is_cors_request = false;
+
                     if (url.substr(0, 1) === '/') {
                         if (0 === url.indexOf('{{ request.basePath|e('js') }}')) {
                             path = url.substr({{ request.basePath|length }});
@@ -222,8 +225,11 @@
                     else if (0 === url.indexOf('{{ (request.schemeAndHttpHost ~ request.basePath)|e('js') }}')) {
                         path = url.substr({{ (request.schemeAndHttpHost ~ request.basePath)|length }});
                     }
+                    else if (!enable_cors) {
+                        is_cors_request = true;
+                    }
 
-                    if (!path.match(new RegExp({{ excluded_ajax_paths|json_encode|raw }}))) {
+                    if ((!is_cors_request || enable_cors) && !path.match(new RegExp({{ excluded_ajax_paths|json_encode|raw }}))) {
                         var stackElement = {
                             loading: true,
                             error: false,
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -31,12 +31,13 @@ public function testConfigTree($options, $results)
     public function getDebugModes()
     {
         return array(
-            array(array(), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt')),
-            array(array('intercept_redirects' => true), array('intercept_redirects' => true, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt')),
-            array(array('intercept_redirects' => false), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt')),
-            array(array('toolbar' => true), array('intercept_redirects' => false, 'toolbar' => true, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt')),
-            array(array('position' => 'top'), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'top', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt')),
-            array(array('excluded_ajax_paths' => 'test'), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => 'test')),
+            array(array(), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt', 'enable_cors' => false)),
+            array(array('intercept_redirects' => true), array('intercept_redirects' => true, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt', 'enable_cors' => false)),
+            array(array('intercept_redirects' => false), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt', 'enable_cors' => false)),
+            array(array('toolbar' => true), array('intercept_redirects' => false, 'toolbar' => true, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt', 'enable_cors' => false)),
+            array(array('position' => 'top'), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'top', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt', 'enable_cors' => false)),
+            array(array('excluded_ajax_paths' => 'test'), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => 'test', 'enable_cors' => false)),
+            array(array('enable_cors' => true), array('intercept_redirects' => false, 'toolbar' => false, 'position' => 'bottom', 'excluded_ajax_paths' => '^/(app(_[\\w]+)?\\.php/)?_wdt', 'enable_cors' => true)),
         );
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ public function getConfigTreeBuilder()`
`45`	`45`	`->end()`
`46`	`46`	`->end()`
`47`	`47`	`->booleanNode('intercept_redirects')->defaultFalse()->end()`
	`48`	`+ ->booleanNode('enable_cors')->defaultFalse()->end()`
`48`	`49`	`->scalarNode('excluded_ajax_paths')->defaultValue('^/(app(_[\\w]+)?\\.php/)?_wdt')->end()`
`49`	`50`	`->end()`
`50`	`51`	`;`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ public function load(array $configs, ContainerBuilder $container)`
`49`	`49`	`if ($config['toolbar'] \|\| $config['intercept_redirects']) {`
`50`	`50`	`$loader->load('toolbar.xml');`
`51`	`51`	`$container->getDefinition('web_profiler.debug_toolbar')->replaceArgument(5, $config['excluded_ajax_paths']);`
	`52`	`+ $container->getDefinition('web_profiler.debug_toolbar')->replaceArgument(6, $config['enable_cors']);`
`52`	`53`	`$container->setParameter('web_profiler.debug_toolbar.intercept_redirects', $config['intercept_redirects']);`
`53`	`54`	`$container->setParameter('web_profiler.debug_toolbar.mode', $config['toolbar'] ? WebDebugToolbarListener::ENABLED : WebDebugToolbarListener::DISABLED);`
`54`	`55`	`}`