fix: preserve JSON body when CSRF token is sent in header (#10064)

michalsn · web-flow · commit 08f8131554ee · 2026-03-25T01:24:01.000+08:00
* fix: preserve JSON body when CSRF token is sent in header

* add changelog

* apply suggestions
diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -298,15 +298,18 @@ private function removeTokenInRequest(IncomingRequest $request): void
             $json = null;
         }
 
-        if (is_object($json) && property_exists($json, $tokenName)) {
-            unset($json->{$tokenName});
-            $request->setBody(json_encode($json));
+        if (is_object($json)) {
+            if (property_exists($json, $tokenName)) {
+                unset($json->{$tokenName});
+                $request->setBody(json_encode($json));
+            }
 
             return;
         }
 
         // If the token is found in form-encoded data, we can safely remove it.
         parse_str($body, $result);
+
         unset($result[$tokenName]);
         $request->setBody(http_build_query($result));
     }
diff --git a/tests/system/Security/SecurityCSRFSessionTest.php b/tests/system/Security/SecurityCSRFSessionTest.php
@@ -251,6 +251,37 @@ public function testCSRFVerifyJsonReturnsSelfOnMatch(): void
         $this->assertSame('{"foo":"bar"}', $request->getBody());
     }
 
+    public function testCSRFVerifyHeaderWithJsonBodyPreservesBody(): void
+    {
+        service('superglobals')->setServer('REQUEST_METHOD', 'POST');
+
+        $request = $this->createIncomingRequest();
+        $body    = '{"foo":"bar"}';
+
+        $request->setHeader('X-CSRF-TOKEN', '8b9218a55906f9dcc1dc263dce7f005a');
+        $request->setBody($body);
+        $security = $this->createSecurity();
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertLogged('info', 'CSRF token verified.');
+        $this->assertSame($body, $request->getBody());
+    }
+
+    public function testCSRFVerifyHeaderWithJsonBodyStripsTokenFromBody(): void
+    {
+        service('superglobals')->setServer('REQUEST_METHOD', 'POST');
+
+        $request = $this->createIncomingRequest();
+
+        $request->setHeader('X-CSRF-TOKEN', '8b9218a55906f9dcc1dc263dce7f005a');
+        $request->setBody('{"csrf_test_name":"8b9218a55906f9dcc1dc263dce7f005a","foo":"bar"}');
+        $security = $this->createSecurity();
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertLogged('info', 'CSRF token verified.');
+        $this->assertSame('{"foo":"bar"}', $request->getBody());
+    }
+
     public function testRegenerateWithFalseSecurityRegenerateProperty(): void
     {
         service('superglobals')
diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
@@ -204,6 +204,39 @@ public function testCsrfVerifyJsonReturnsSelfOnMatch(): void
         $this->assertSame('{"foo":"bar"}', $request->getBody());
     }
 
+    public function testCsrfVerifyHeaderWithJsonBodyPreservesBody(): void
+    {
+        service('superglobals')
+            ->setServer('REQUEST_METHOD', 'POST')
+            ->setCookie('csrf_cookie_name', self::CORRECT_CSRF_HASH);
+
+        $security = $this->createMockSecurity();
+        $request  = $this->createIncomingRequest();
+        $body     = '{"foo":"bar"}';
+
+        $request->setHeader('X-CSRF-TOKEN', self::CORRECT_CSRF_HASH);
+        $request->setBody($body);
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertSame($body, $request->getBody());
+    }
+
+    public function testCsrfVerifyHeaderWithJsonBodyStripsTokenFromBody(): void
+    {
+        service('superglobals')
+            ->setServer('REQUEST_METHOD', 'POST')
+            ->setCookie('csrf_cookie_name', self::CORRECT_CSRF_HASH);
+
+        $security = $this->createMockSecurity();
+        $request  = $this->createIncomingRequest();
+
+        $request->setHeader('X-CSRF-TOKEN', self::CORRECT_CSRF_HASH);
+        $request->setBody('{"csrf_test_name":"' . self::CORRECT_CSRF_HASH . '","foo":"bar"}');
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertSame('{"foo":"bar"}', $request->getBody());
+    }
+
     public function testCsrfVerifyPutBodyThrowsExceptionOnNoMatch(): void
     {
         service('superglobals')
diff --git a/user_guide_src/source/changelogs/v4.7.2.rst b/user_guide_src/source/changelogs/v4.7.2.rst
@@ -30,6 +30,8 @@ Deprecations
 Bugs Fixed
 **********
 
+- **Security:** Fixed a bug where the CSRF filter could corrupt JSON request bodies after successful verification when the CSRF token was provided via the ``X-CSRF-TOKEN`` header. This caused ``IncomingRequest::getJSON()`` to fail on valid ``application/json`` requests.
+
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_
 for a complete list of bugs fixed.

Original file line number	Diff line number	Diff line change
`@@ -298,15 +298,18 @@ private function removeTokenInRequest(IncomingRequest $request): void`
`298`	`298`	`$json = null;`
`299`	`299`	`}`
`300`	`300`
`301`		`- if (is_object($json) && property_exists($json, $tokenName)) {`
`302`		`- unset($json->{$tokenName});`
`303`		`- $request->setBody(json_encode($json));`
	`301`	`+ if (is_object($json)) {`
	`302`	`+ if (property_exists($json, $tokenName)) {`
	`303`	`+ unset($json->{$tokenName});`
	`304`	`+ $request->setBody(json_encode($json));`
	`305`	`+ }`
`304`	`306`
`305`	`307`	`return;`
`306`	`308`	`}`
`307`	`309`
`308`	`310`	`// If the token is found in form-encoded data, we can safely remove it.`
`309`	`311`	`parse_str($body, $result);`
	`312`	`+`
`310`	`313`	`unset($result[$tokenName]);`
`311`	`314`	`$request->setBody(http_build_query($result));`
`312`	`315`	`}`