Loading src/Routing/QueryRouteEnhancer.php +7 −3 Original line number Diff line number Diff line Loading @@ -92,7 +92,7 @@ class QueryRouteEnhancer implements EnhancerInterface { return; } /** @phpstan-ignore-next-line */ // @phpstan-ignore-next-line $content_format = method_exists($request, 'getContentTypeFormat') ? $request->getContentTypeFormat() : $request->getContentType(); if ($content_format === NULL) { // Symfony before 5.4 does not detect "multipart/form-data", check for it Loading @@ -116,7 +116,11 @@ class QueryRouteEnhancer implements EnhancerInterface { if ($content_format === "form") { // If the client set a custom header then we can be sure CORS was // respected. $custom_headers = ['Apollo-Require-Preflight', 'X-Apollo-Operation-Name', 'x-graphql-yoga-csrf']; $custom_headers = [ 'Apollo-Require-Preflight', 'X-Apollo-Operation-Name', 'x-graphql-yoga-csrf', ]; foreach ($custom_headers as $custom_header) { if ($request->headers->has($custom_header)) { return; Loading @@ -133,7 +137,7 @@ class QueryRouteEnhancer implements EnhancerInterface { if (!empty($this->corsOptions['enabled'])) { $cors_service = new CorsService($this->corsOptions); // Drupal 9 compatibility, method name has changed in Drupal 10. /** @phpstan-ignore-next-line */ // @phpstan-ignore-next-line if ($cors_service->isActualRequestAllowed($request)) { return; } Loading tests/src/Kernel/Framework/CsrfTest.php +27 −17 Original line number Diff line number Diff line Loading 
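Review bot: The `// @phpstan-ignore-next-line` in the first hunk, above `$content_format = method_exists($request, 'getContentTypeFormat') ? ...`, carries no reason, while the one in the third hunk is preceded by a why-comment ("Drupal 9 compatibility, method name has changed in Drupal 10."); give the first one a matching comment, e.g. `// Compatibility: fall back to getContentType() when the Request class has no getContentTypeFormat() (presumably older Symfony) — phpstan flags one of the two branches.` The header list reformatted in the second hunk is the fixed set whose presence the CSRF check treats as proof that a CORS preflight happened, so it is worth hoisting into a named `private const` on the class with a one-line comment stating that assumption, rather than leaving it as a local inside the method. The enclosing method starts before the first hunk and ends after the third, so the constant's placement and the exact class-level conventions cannot be verified from this page.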
@@ -155,26 +155,36 @@ GQL; [['CONTENT_TYPE' => 'multipart/form-data']], // The custom Apollo-Require-Preflight header overrules any evil Origin // header. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_APOLLO_REQUIRE_PREFLIGHT' => 'test', 'HTTP_ORIGIN' => 'https://evil.example.com', ]], ], ], // The Origin header alone with the correct domain is allowed. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_ORIGIN' => 'https://example.com', ]], ], ], // The Origin header with an allowed domain. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_ORIGIN' => 'https://allowed.example.com', ], ['https://allowed.example.com']], ], ['https://allowed.example.com'], ], // The Origin header with any allowed domain. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_ORIGIN' => 'https://allowed.example.com', ], ['*']], ], ['*'], ], ]; } Loading Loading
src/Routing/QueryRouteEnhancer.php +7 −3 Original line number Diff line number Diff line Loading @@ -92,7 +92,7 @@ class QueryRouteEnhancer implements EnhancerInterface { return; } /** @phpstan-ignore-next-line */ // @phpstan-ignore-next-line $content_format = method_exists($request, 'getContentTypeFormat') ? $request->getContentTypeFormat() : $request->getContentType(); if ($content_format === NULL) { // Symfony before 5.4 does not detect "multipart/form-data", check for it Loading @@ -116,7 +116,11 @@ class QueryRouteEnhancer implements EnhancerInterface { if ($content_format === "form") { // If the client set a custom header then we can be sure CORS was // respected. $custom_headers = ['Apollo-Require-Preflight', 'X-Apollo-Operation-Name', 'x-graphql-yoga-csrf']; $custom_headers = [ 'Apollo-Require-Preflight', 'X-Apollo-Operation-Name', 'x-graphql-yoga-csrf', ]; foreach ($custom_headers as $custom_header) { if ($request->headers->has($custom_header)) { return; Loading @@ -133,7 +137,7 @@ class QueryRouteEnhancer implements EnhancerInterface { if (!empty($this->corsOptions['enabled'])) { $cors_service = new CorsService($this->corsOptions); // Drupal 9 compatibility, method name has changed in Drupal 10. /** @phpstan-ignore-next-line */ // @phpstan-ignore-next-line if ($cors_service->isActualRequestAllowed($request)) { return; } Loading
tests/src/Kernel/Framework/CsrfTest.php +27 −17 Original line number Diff line number Diff line Loading @@ -155,26 +155,36 @@ GQL; [['CONTENT_TYPE' => 'multipart/form-data']], // The custom Apollo-Require-Preflight header overrules any evil Origin // header. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_APOLLO_REQUIRE_PREFLIGHT' => 'test', 'HTTP_ORIGIN' => 'https://evil.example.com', ]], ], ], // The Origin header alone with the correct domain is allowed. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_ORIGIN' => 'https://example.com', ]], ], ], // The Origin header with an allowed domain. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_ORIGIN' => 'https://allowed.example.com', ], ['https://allowed.example.com']], ], ['https://allowed.example.com'], ], // The Origin header with any allowed domain. [[ [ [ 'CONTENT_TYPE' => 'multipart/form-data', 'HTTP_ORIGIN' => 'https://allowed.example.com', ], ['*']], ], ['*'], ], ]; } Loading