/src/Forms/Controls/CsrfProtection.php
<?php declare(strict_types=1);

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

namespace Nette\Forms\Controls;

use Nette;
use Nette\Application\UI\Presenter;
use Stringable;
use function base64_encode, hash_equals, sha1, substr;


/**
 * CSRF protection field.
 */
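class CsrfProtection extends HiddenField
{
	/** Validator callback that the constructor registers through addRule(). */
	public const Protection = 'Nette\Forms\Controls\CsrfProtection::validateCsrf';

	/** @deprecated use CsrfProtection::Protection */
	public const PROTECTION = self::Protection;

	/** Session the token is bound to; assigned lazily by the monitor callbacks in the constructor. */
	public ?Nette\Http\Session $session = null;


	/**
	 * @param string|Stringable|null $errorMessage message reported when validateCsrf() fails
	 */
	public function __construct(string|Stringable|null $errorMessage = null)
	{
		parent::__construct();
		$this->setOmitted()
			->setRequired()
			->addRule(self::Protection, $errorMessage);

		// Attached to a presenter: reuse the presenter's session (first assignment wins).
		$this->monitor(Presenter::class, function (Presenter $presenter): void {
			if (!$this->session) {
				$session = $presenter->getSession();
				assert($session instanceof Nette\Http\Session);
				$this->session = $session;
				$this->session->start();
			}
		});

		// Stand-alone form (not Nette\Application\UI\Form): build a session from the form's HTTP request.
		$this->monitor(Nette\Forms\Form::class, function (Nette\Forms\Form $form): void {
			if (!$this->session && !$form instanceof Nette\Application\UI\Form) {
				$this->session = new Nette\Http\Session($form->httpRequest, new Nette\Http\Response);
				$this->session->start();
			}
		});
	}


	/**
	 * The rendered value is always derived from the session (see getControl()),
	 * so externally supplied values are ignored.
	 * @internal
	 */
	public function setValue($value): static
	{
		return $this;
	}


	public function loadHttpData(): void
	{
		$this->value = $this->getHttpData(Nette\Forms\Form::DataText);
	}


	/**
	 * Returns the per-session secret: a random value kept in this class's session section,
	 * XORed with the session ID so that the secret is tied to the current session
	 * (PHP string XOR yields the length of the shorter operand).
	 * @throws Nette\InvalidStateException when no session has been assigned yet
	 */
	public function getToken(): string
	{
		if (!$this->session) {
			throw new Nette\InvalidStateException('Session initialization error');
		}

		$section = $this->session->getSection(self::class);
		if (!$section->get('token')) {
			$section->set('token', Nette\Utils\Random::generate());
		}

		return $section->get('token') ^ $this->session->getId();
	}


	/**
	 * Builds the value transmitted in the hidden field: a 10-character random prefix
	 * followed by base64(sha1(secret . prefix)).
	 * @param string|null $random prefix to reuse; pass the submitted prefix to recompute a token for verification
	 */
	private function generateToken(?string $random = null): string
	{
		$random ??= Nette\Utils\Random::generate(10);
		return $random . base64_encode(sha1($this->getToken() . $random, binary: true));
	}


	public function getControl(): Nette\Utils\Html
	{
		return parent::getControl()->value($this->generateToken());
	}


	/**
	 * Recomputes the token from the submitted prefix and compares it with the submitted value
	 * in constant time, so the comparison does not reveal how many leading bytes matched.
	 * @internal
	 */
	public static function validateCsrf(self $control): bool
	{
		$value = (string) $control->getValue();
		return hash_equals($control->generateToken(substr($value, 0, 10)), $value);
	}
}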