bug #7556 Improve security of batchDelete() action (javiereguiluz)

This PR was squashed before being merged into the 4.x branch.

Discussion
----------

Improve security of batchDelete() action

Commits
-------

4cde4cd Improve security of batchDelete() action

Author: javiereguiluz

src/Controller/AbstractCrudController.php

@@ -435,10 +435,18 @@ public function batchDelete(AdminContext $context, BatchActionDto $batchActionDt
             return $event->getResponse();
         }
 
-        if (!$this->isCsrfTokenValid('ea-batch-action-'.Action::BATCH_DELETE, $batchActionDto->getCsrfToken())) {
+        if (!$this->isCsrfTokenValid('ea-batch-action-'.Action::BATCH_DELETE.'-'.$batchActionDto->getEntityFqcn(), $batchActionDto->getCsrfToken())) {
             return $this->redirectToRoute($context->getDashboardRouteName());
         }
 
+        // the entity FQCN in the batch action DTO comes from the POST body and is
+        // attacker-controlled. The FQCN in the admin context comes from the URL-routed
+        // CRUD controller. If they disagree, an admin with batch-delete rights on one
+        // CRUD could delete rows of any other Doctrine entity. Reject the mismatch.
+        if ($batchActionDto->getEntityFqcn() !== $context->getEntity()->getFqcn()) {
+            throw new BadRequestHttpException();
+        }
+
         /** @var EntityManagerInterface $entityManager */
         $entityManager = $this->container->get('doctrine')->getManagerForClass($batchActionDto->getEntityFqcn());
         $repository = $entityManager->getRepository($batchActionDto->getEntityFqcn());

src/Dto/EntityDto.php

@@ -306,7 +306,11 @@ public function isEmbeddedClassProperty(string $propertyName): bool
      */
     public function setInstance(?object $newEntityInstance): void
     {
-        if (null !== $this->instance && null !== $newEntityInstance && !$newEntityInstance instanceof $this->fqcn) {
+        // the instanceof guard must run even when $this->instance is null. Otherwise
+        // a caller can store an instance whose class does not match $this->fqcn, and
+        // downstream code (authorization, DB operations) that trusts either side of
+        // that pair may be redirected to the wrong entity (this is a CWE-441 (Confused Deputy) attack vector)
+        if (null !== $newEntityInstance && !$newEntityInstance instanceof $this->fqcn) {
             throw new \InvalidArgumentException(sprintf('The new entity instance must be of the same type as the previous instance (original instance: "%s", new instance: "%s").', $this->fqcn, $newEntityInstance::class));
         }
 
@@ -331,7 +335,12 @@ public function newWithInstance(/* object */ $newEntityInstance): self
             );
         }
 
-        if (null !== $this->instance && !$newEntityInstance instanceof $this->fqcn) {
+        // the instanceof guard must run even when $this->instance is null. Otherwise
+        // a caller that wraps an entity into a DTO whose $fqcn was set from a different
+        // source (e.g. batch actions, where the FQCN comes from the admin context but
+        // the instance comes from a repository lookup) can silently produce a DTO
+        // whose $fqcn does not match its $instance (this is a CWE-441 (Confused Deputy) attack vector).
+        if (!$newEntityInstance instanceof $this->fqcn) {
             throw new \InvalidArgumentException(sprintf('The new entity instance must be of the same type as the previous instance (original instance: "%s", new instance: "%s").', $this->fqcn, $newEntityInstance::class));
         }
 

src/Factory/ActionFactory.php

@@ -312,7 +312,9 @@ private function processAction(string $pageName, ActionDto $actionDto, ?EntityDt
 
         if ($actionDto->isBatchAction()) {
             $batchActionAttributes = [
-                'data-action-csrf-token' => $this->csrfTokenManager?->getToken('ea-batch-action-'.$actionDto->getName()),
+                // the token id is bound to the entity FQCN so a token minted for
+                // one CRUD cannot be replayed against another CRUD's batch action.
+                'data-action-csrf-token' => $this->csrfTokenManager?->getToken('ea-batch-action-'.$actionDto->getName().'-'.$adminContext->getCrud()->getEntityFqcn()),
                 'data-action-batch' => 'true',
                 'data-entity-fqcn' => $adminContext->getCrud()->getEntityFqcn(),
                 'data-action-url' => $actionDto->getLinkUrl(),

tests/Functional/BatchActions/BatchDeleteTest.php

@@ -7,6 +7,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Test\AbstractCrudTestCase;
 use EasyCorp\Bundle\EasyAdminBundle\Tests\Functional\Apps\DefaultApp\Controller\DashboardController;
 use EasyCorp\Bundle\EasyAdminBundle\Tests\Functional\Apps\DefaultApp\Controller\Synthetic\BatchActionTestEntityCrudController;
+use EasyCorp\Bundle\EasyAdminBundle\Tests\Functional\Apps\DefaultApp\Entity\Category;
 use EasyCorp\Bundle\EasyAdminBundle\Tests\Functional\Apps\DefaultApp\Entity\Synthetic\BatchActionTestEntity;
 use EasyCorp\Bundle\EasyAdminBundle\Tests\Functional\Apps\DefaultApp\Kernel;
 use Symfony\Component\DomCrawler\Crawler;
@@ -140,6 +141,31 @@ public function testBatchDeleteWithNonExistentEntityId(): void
         self::assertSame($initialCount, $finalCount, 'No entities should have been deleted with non-existent ID');
     }
 
+    public function testBatchDeleteRejectsMismatchedEntityFqcn(): void
+    {
+        $categoryRepository = $this->entityManager->getRepository(Category::class);
+        $initialCategoryCount = \count($categoryRepository->findAll());
+        self::assertGreaterThan(0, $initialCategoryCount, 'Need at least 1 Category fixture for this test');
+
+        $targetCategoryId = $categoryRepository->findAll()[0]->getId();
+        $initialBatchEntityCount = \count($this->repository->findAll());
+
+        // simulate an attacker that can batchDelete on BatchActionTestEntityCrudController
+        // but targets a different Doctrine entity (Category) by overriding entityFqcn in
+        // the POST body. The attack must be blocked (either by the FQCN-bound CSRF token
+        // or by the explicit mismatch check) and no rows of any entity may be deleted.
+        $this->submitBatchDelete([$targetCategoryId], entityFqcnOverride: Category::class);
+
+        $this->entityManager->clear();
+
+        self::assertNotNull(
+            $categoryRepository->find($targetCategoryId),
+            'Category row must not be deleted by a cross-entity batchDelete attempt'
+        );
+        self::assertCount($initialCategoryCount, $categoryRepository->findAll());
+        self::assertCount($initialBatchEntityCount, $this->repository->findAll());
+    }
+
     public function testBatchDeleteRedirectsToIndexPage(): void
     {
         // get first entity ID
@@ -163,12 +189,14 @@ public function testBatchDeleteRedirectsToIndexPage(): void
      * 2. Extracting the data attributes needed for submission
      * 3. Submitting a POST request with the same parameters the JavaScript would send
      *
-     * @param array $entityIds         The entity IDs to delete
-     * @param bool  $useValidCsrfToken Whether to use a valid CSRF token (false to test CSRF protection)
+     * @param array       $entityIds          The entity IDs to delete
+     * @param bool        $useValidCsrfToken  Whether to use a valid CSRF token (false to test CSRF protection)
+     * @param string|null $entityFqcnOverride When set, replaces the body's entityFqcn with this class (used to
+     *                                        simulate a cross-entity authorization-bypass attempt)
      *
      * @return Crawler The crawler after submitting the batch action
      */
-    private function submitBatchDelete(array $entityIds, bool $useValidCsrfToken = true): Crawler
+    private function submitBatchDelete(array $entityIds, bool $useValidCsrfToken = true, ?string $entityFqcnOverride = null): Crawler
     {
         $crawler = $this->client->request('GET', $this->generateIndexUrl());
         self::assertResponseIsSuccessful();
@@ -179,7 +207,7 @@ private function submitBatchDelete(array $entityIds, bool $useValidCsrfToken = t
 
         $csrfToken = $useValidCsrfToken ? $batchDeleteButton->attr('data-action-csrf-token') : 'invalid-csrf-token';
         $batchActionUrl = $batchDeleteButton->attr('data-action-url');
-        $entityFqcn = $batchDeleteButton->attr('data-entity-fqcn');
+        $entityFqcn = $entityFqcnOverride ?? $batchDeleteButton->attr('data-entity-fqcn');
 
         // submit the batch delete action
         return $this->client->request('POST', $batchActionUrl, [

tests/Unit/Dto/EntityDtoTest.php

@@ -0,0 +1,87 @@
+<?php
+
+namespace EasyCorp\Bundle\EasyAdminBundle\Tests\Unit\Dto;
+
+use Doctrine\ORM\Mapping\ClassMetadata;
+use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
+use PHPUnit\Framework\TestCase;
+
+class EntityDtoTest extends TestCase
+{
+    public function testNewWithInstanceAcceptsMatchingInstance(): void
+    {
+        $dto = $this->createEntityDto(\stdClass::class);
+
+        $newDto = $dto->newWithInstance($instance = new \stdClass());
+
+        self::assertNotSame($dto, $newDto);
+        self::assertSame($instance, $newDto->getInstance());
+        self::assertSame(\stdClass::class, $newDto->getFqcn());
+    }
+
+    public function testNewWithInstanceRejectsMismatchedInstanceOnEmptyDto(): void
+    {
+        // a DTO whose $instance is null must still reject a mismatched instance;
+        // before the fix, the instanceof guard was gated on "null !== $this->instance"
+        // and this call silently produced a DTO whose $fqcn did not match its $instance
+        // (CWE-441 Confused Deputy, exploited by the batchDelete cross-entity bypass).
+        $dto = $this->createEntityDto(\stdClass::class);
+
+        $this->expectException(\InvalidArgumentException::class);
+
+        $dto->newWithInstance(new \DateTime());
+    }
+
+    public function testNewWithInstanceRejectsMismatchedInstanceOnPopulatedDto(): void
+    {
+        $dto = $this->createEntityDto(\stdClass::class, new \stdClass());
+
+        $this->expectException(\InvalidArgumentException::class);
+
+        $dto->newWithInstance(new \DateTime());
+    }
+
+    public function testSetInstanceAcceptsMatchingInstance(): void
+    {
+        $dto = $this->createEntityDto(\stdClass::class);
+
+        $dto->setInstance($instance = new \stdClass());
+
+        self::assertSame($instance, $dto->getInstance());
+    }
+
+    public function testSetInstanceAcceptsNull(): void
+    {
+        $dto = $this->createEntityDto(\stdClass::class, new \stdClass());
+
+        $dto->setInstance(null);
+
+        self::assertNull($dto->getInstance());
+    }
+
+    public function testSetInstanceRejectsMismatchedInstanceOnEmptyDto(): void
+    {
+        // same defense as in newWithInstance: the instanceof guard must run even when
+        // $this->instance is null, so that a fresh DTO cannot be populated with an
+        // instance whose class does not match its $fqcn.
+        $dto = $this->createEntityDto(\stdClass::class);
+
+        $this->expectException(\InvalidArgumentException::class);
+
+        $dto->setInstance(new \DateTime());
+    }
+
+    public function testSetInstanceRejectsMismatchedInstanceOnPopulatedDto(): void
+    {
+        $dto = $this->createEntityDto(\stdClass::class, new \stdClass());
+
+        $this->expectException(\InvalidArgumentException::class);
+
+        $dto->setInstance(new \DateTime());
+    }
+
+    private function createEntityDto(string $fqcn, ?object $instance = null): EntityDto
+    {
+        return new EntityDto($fqcn, $this->createStub(ClassMetadata::class), null, $instance);
+    }
+}