function AccountTakeoverGadgetChainTest::testAccountTakeoverGadgetChain

Tests that unserializing a SQLi / account takeover payload is rejected.

File

core/tests/Drupal/KernelTests/Core/User/AccountTakeoverGadgetChainTest.php, line 50

Class

AccountTakeoverGadgetChainTest
Tests protection against SA-CORE-2024-007 Gadget Chain.

Namespace

Drupal\KernelTests\Core\User

Code

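/**
 * Tests that unserializing the SA-CORE-2024-007 gadget chain is rejected.
 *
 * The payload places a Database\Query\Update against users_field_data into
 * the ViewExecutable::$query slot; if the chain ran, it would rewrite the
 * mail, name and status of uid 1. The expected outcome is a TypeError raised
 * by the typed-property assignment during unserialize(), after which the
 * account must be unchanged.
 */
public function testAccountTakeoverGadgetChain() : void {
    // The second argument is the account name; the email is derived from it
    // as <name>@example.com, which is what the final assertions check.
    $this->createUser([], 'topsecret', FALSE, [
        'uid' => 1,
    ]);
    // ./phpggc --public-properties Drupal/AT1 'evil@example.com'
    $payload = 'O:27:"Drupal\\views\\ViewExecutable":6:{s:17:"serializationData";a:9:{s:8:"executed";b:1;s:7:"storage";s:9:"frontpage";s:15:"current_display";s:7:"default";s:4:"args";a:0:{}s:12:"current_page";s:0:"";s:13:"exposed_input";s:0:"";s:12:"exposed_data";s:0:"";s:17:"exposed_raw_input";s:0:"";s:6:"dom_id";s:0:"";}s:5:"built";b:1;s:12:"live_preview";b:1;s:5:"query";O:33:"Drupal\\Core\\Database\\Query\\Update":8:{s:16:"connectionTarget";s:7:"default";s:13:"connectionKey";s:7:"default";s:12:"queryOptions";a:0:{}s:16:"uniqueIdentifier";s:23:"67b85459508987.47505064";s:15:"nextPlaceholder";i:0;s:5:"table";s:16:"users_field_data";s:6:"fields";a:3:{s:4:"mail";s:16:"evil@example.com";s:4:"name";s:5:"admin";s:6:"status";i:1;}s:9:"condition";O:36:"Drupal\\Core\\Database\\Query\\Condition":5:{s:10:"conditions";a:2:{s:12:"#conjunction";s:3:"AND";i:0;a:3:{s:5:"field";s:3:"uid";s:5:"value";i:1;s:8:"operator";s:1:"=";}}s:9:"arguments";a:0:{}s:7:"changed";b:1;s:26:"queryPlaceholderIdentifier";N;s:13:"stringVersion";N;}}s:15:"displayHandlers";O:36:"Drupal\\views\\DisplayPluginCollection":0:{}s:15:"display_handler";O:48:"Drupal\\views\\Plugin\\views\\display\\DefaultDisplay":0:{}}';
    // Capture the exception instead of using expectException() so that the
    // account state can still be verified afterwards. fail() must not be
    // called inside the try block: AssertionFailedError is a \Throwable and
    // would be caught below, replacing the 'No exception was thrown' message
    // with a misleading assertInstanceOf failure.
    $thrown = NULL;
    try {
        unserialize($payload);
    } catch (\Throwable $e) {
        $thrown = $e;
    }
    $this->assertInstanceOf(\TypeError::class, $thrown, 'No exception was thrown');
    $this->assertStringContainsString('Cannot assign Drupal\\Core\\Database\\Query\\Update to property Drupal\\views\\ViewExecutable::$query', $thrown->getMessage());
    // The payload's Update targets mail and name of uid 1; both must be intact.
    $admin = User::load(1);
    $this->assertSame('topsecret@example.com', $admin->getEmail());
    $this->assertSame('topsecret', $admin->getAccountName());
}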
