Protect mass_action with a CSRF token

Author: yguedidi

src/Wallabag/CoreBundle/Controller/EntryController.php

@@ -53,12 +53,16 @@ public function __construct(EntityManagerInterface $entityManager, EventDispatch
     }
 
     /**
-     * @Route("/mass", name="mass_action")
+     * @Route("/mass", name="mass_action", methods={"POST"})
      *
      * @return Response
      */
     public function massAction(Request $request, TagRepository $tagRepository)
     {
+        if (!$this->isCsrfTokenValid('mass-action', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
         $values = $request->request->all();
 
         $tagsToAdd = [];

src/Wallabag/CoreBundle/Resources/views/Entry/entries.html.twig

@@ -26,7 +26,9 @@
     {% if current_route == 'homepage' %}
         {% set current_route = 'unread' %}
     {% endif %}
-    <form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post"></form>
+    <form id="form_mass_action" name="form_mass_action" action="{{ path('mass_action', {redirect: current_path}) }}" method="post">
+        <input type="hidden" name="token" value="{{ csrf_token('mass-action') }}"/>
+    </form>
     <div class="results">
         <div class="nb-results">
             {{ 'entry.list.number_on_the_page'|trans({'%count%': entries.count}) }}

tests/Wallabag/CoreBundle/Controller/EntryControllerTest.php

@@ -1764,8 +1764,12 @@ public function testMass()
         $entries[] = $entry1Id = $entry1->getId();
         $entries[] = $entry2Id = $entry2->getId();
 
+        $crawler = $client->request('GET', '/all/list');
+        $token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
+
         // Mass actions : archive
         $client->request('POST', '/mass', [
+            'token' => $token,
             'toggle-archive' => '',
             'entry-checkbox' => $entries,
         ]);
@@ -1786,8 +1790,12 @@ public function testMass()
 
         $this->assertSame(1, $res->isArchived());
 
+        $crawler = $client->request('GET', '/all/list');
+        $token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
+
         // Mass actions : star
         $client->request('POST', '/mass', [
+            'token' => $token,
             'toggle-star' => '',
             'entry-checkbox' => $entries,
         ]);
@@ -1808,8 +1816,12 @@ public function testMass()
 
         $this->assertSame(1, $res->isStarred());
 
+        $crawler = $client->request('GET', '/all/list');
+        $token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
+
         // Mass actions : tag
         $client->request('POST', '/mass', [
+            'token' => $token,
             'tag' => '',
             'tags' => 'foo',
             'entry-checkbox' => $entries,
@@ -1838,8 +1850,12 @@ public function testMass()
 
         $this->assertNotContains('foo', $res->getTagsLabel());
 
+        $crawler = $client->request('GET', '/all/list');
+        $token = $crawler->filter('#form_mass_action input[name=token]')->attr('value');
+
         // Mass actions : delete
         $client->request('POST', '/mass', [
+            'token' => $token,
             'delete' => '',
             'entry-checkbox' => $entries,
         ]);