Merge pull request #85 from rails/cross-site-forgery-protection

Add support for cross site forgery protection
author: Pratik <pratiknaik@gmail.com> 2015-10-12 18:14:57 -0500
committer: Pratik <pratiknaik@gmail.com> 2015-10-12 18:14:57 -0500
commit: a6ee365703bbee67db7091e6209be29733d034cd (patch)
tree: 3588a8b7846209912eb01c67e72d2c32c39a0f56
parent: d222f7de572f28fc2fa185e9f21cac6f7e6c84f0 (diff)
parent: ecab8314eba8519bd593cbc097ef60ee0c285cf2 (diff)
download: rails-a6ee365703bbee67db7091e6209be29733d034cd.tar.gz
rails-a6ee365703bbee67db7091e6209be29733d034cd.tar.bz2
rails-a6ee365703bbee67db7091e6209be29733d034cd.zip
4 files changed, 74 insertions, 2 deletions
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index cd7f76f118..2f2fa1fdec 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -70,7 +70,7 @@ module ActionCable
       def process
         logger.info started_request_message
 
-        if websocket.possible?
+        if websocket.possible? && allow_request_origin?
           websocket.on(:open)    { |event| send_async :on_open   }
           websocket.on(:message) { |event| on_message event.data }
           websocket.on(:close)   { |event| send_async :on_close  }
@@ -172,6 +172,17 @@ module ActionCable
         end
 
 
+        def allow_request_origin?
+          return true if server.config.disable_request_forgery_protection
+
+          if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
+            true
+          else
+            logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
+            false
+          end
+        end
+
         def respond_to_successful_request
           websocket.rack_response
         end
diff --git a/lib/action_cable/server/configuration.rb b/lib/action_cable/server/configuration.rb
index ac9fa7b085..315782ec3e 100644
--- a/lib/action_cable/server/configuration.rb
+++ b/lib/action_cable/server/configuration.rb
@@ -6,6 +6,7 @@ module ActionCable
       attr_accessor :logger, :log_tags
       attr_accessor :connection_class, :worker_pool_size
       attr_accessor :redis_path, :channels_path
+      attr_accessor :disable_request_forgery_protection, :allowed_request_origins
 
       def initialize
         @logger   = Rails.logger
@@ -16,6 +17,8 @@ module ActionCable
 
         @redis_path    = Rails.root.join('config/redis/cable.yml')
         @channels_path = Rails.root.join('app/channels')
+
+        @disable_request_forgery_protection = false
       end
 
       def channel_paths
diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index 81009f0849..7118c34d9e 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,8 +16,11 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
+
+    env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket',
+      'HTTP_ORIGIN' => 'http://rubyonrails.com'
 
-    env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket'
     @connection = Connection.new(@server, env)
     @response = @connection.process
   end
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
new file mode 100644
index 0000000000..6073f89287
--- /dev/null
+++ b/test/connection/cross_site_forgery_test.rb
@@ -0,0 +1,55 @@
+require 'test_helper'
+require 'stubs/test_server'
+
+class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
+  HOST = 'rubyonrails.com'
+
+  setup do
+    @server = TestServer.new
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
+  end
+
+  teardown do
+    @server.config.disable_request_forgery_protection = false
+    @server.config.allowed_request_origins = []
+  end
+
+  test "disable forgery protection" do
+    @server.config.disable_request_forgery_protection = true
+    assert_origin_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://hax.com'
+  end
+
+  test "explicitly specified a single allowed origin" do
+    @server.config.allowed_request_origins = 'http://hax.com'
+    assert_origin_not_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://hax.com'
+  end
+
+  test "explicitly specified multiple allowed origins" do
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
+    assert_origin_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://www.rubyonrails.com'
+    assert_origin_not_allowed 'http://hax.com'
+  end
+
+  private
+    def assert_origin_allowed(origin)
+      response = connect_with_origin origin
+      assert_equal -1, response[0]
+    end
+
+    def assert_origin_not_allowed(origin)
+      response = connect_with_origin origin
+      assert_equal 404, response[0]
+    end
+
+    def connect_with_origin(origin)
+      ActionCable::Connection::Base.new(@server, env_for_origin(origin)).process
+    end
+
+    def env_for_origin(origin)
+      Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', 'SERVER_NAME' => HOST,
+        'HTTP_ORIGIN' => origin
+    end
+end
author	Pratik <pratiknaik@gmail.com>	2015-10-12 18:14:57 -0500
committer	Pratik <pratiknaik@gmail.com>	2015-10-12 18:14:57 -0500
commit	a6ee365703bbee67db7091e6209be29733d034cd (patch)
tree	3588a8b7846209912eb01c67e72d2c32c39a0f56
parent	d222f7de572f28fc2fa185e9f21cac6f7e6c84f0 (diff)
parent	ecab8314eba8519bd593cbc097ef60ee0c285cf2 (diff)
download	rails-a6ee365703bbee67db7091e6209be29733d034cd.tar.gz rails-a6ee365703bbee67db7091e6209be29733d034cd.tar.bz2 rails-a6ee365703bbee67db7091e6209be29733d034cd.zip