CSRF protection from cross-origin <script> tags

Thanks to @homakov for sounding the alarm about JSONP-style data leaking
author: Jeremy Kemper <jeremy@bitsweat.net> 2013-12-12 20:41:14 -0700
committer: Jeremy Kemper <jeremy@bitsweat.net> 2013-12-17 13:14:17 -0700
commit: 1650bb3d56897cfef4c7e6b86a36eed4f1a41df5 (patch)
tree: 6f2e5fc872568c8d0f74e17e0e05230c6173526e /actionpack/test/controller
parent: 290368bdb2c9ecb7d6212a1d3767ae69554788a9 (diff)
download: rails-1650bb3d56897cfef4c7e6b86a36eed4f1a41df5.tar.gz
rails-1650bb3d56897cfef4c7e6b86a36eed4f1a41df5.tar.bz2
rails-1650bb3d56897cfef4c7e6b86a36eed4f1a41df5.zip
3 files changed, 72 insertions, 12 deletions
diff --git a/actionpack/test/controller/render_js_test.rb b/actionpack/test/controller/render_js_test.rb
index f070109b27..d550422a2f 100644
--- a/actionpack/test/controller/render_js_test.rb
+++ b/actionpack/test/controller/render_js_test.rb
@@ -22,7 +22,7 @@ class RenderJSTest < ActionController::TestCase
   tests TestController
 
   def test_render_vanilla_js
-    get :render_vanilla_js_hello
+    xhr :get, :render_vanilla_js_hello
     assert_equal "alert('hello')", @response.body
     assert_equal "text/javascript", @response.content_type
   end
diff --git a/actionpack/test/controller/render_json_test.rb b/actionpack/test/controller/render_json_test.rb
index 7c0a6bd67e..de8d1cbd9b 100644
--- a/actionpack/test/controller/render_json_test.rb
+++ b/actionpack/test/controller/render_json_test.rb
@@ -100,13 +100,13 @@ class RenderJsonTest < ActionController::TestCase
   end
 
   def test_render_json_with_callback
-    get :render_json_hello_world_with_callback
+    xhr :get, :render_json_hello_world_with_callback
     assert_equal 'alert({"hello":"world"})', @response.body
     assert_equal 'text/javascript', @response.content_type
   end
 
   def test_render_json_with_custom_content_type
-    get :render_json_with_custom_content_type
+    xhr :get, :render_json_with_custom_content_type
     assert_equal '{"hello":"world"}', @response.body
     assert_equal 'text/javascript', @response.content_type
   end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 727db79241..f1ed545205 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -52,18 +52,36 @@ module RequestForgeryProtectionActions
     render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => 'external_token') {} %>"
   end
 
+  def same_origin_js
+    render js: 'foo();'
+  end
+
+  def negotiate_same_origin
+    respond_to do |format|
+      format.js { same_origin_js }
+    end
+  end
+
+  def cross_origin_js
+    same_origin_js
+  end
+
+  def negotiate_cross_origin
+    negotiate_same_origin
+  end
+
   def rescue_action(e) raise e end
 end
 
 # sample controllers
 class RequestForgeryProtectionControllerUsingResetSession < ActionController::Base
   include RequestForgeryProtectionActions
-  protect_from_forgery :only => %w(index meta), :with => :reset_session
+  protect_from_forgery :only => %w(index meta same_origin_js negotiate_same_origin), :with => :reset_session
 end
 
 class RequestForgeryProtectionControllerUsingException < ActionController::Base
   include RequestForgeryProtectionActions
-  protect_from_forgery :only => %w(index meta), :with => :exception
+  protect_from_forgery :only => %w(index meta same_origin_js negotiate_same_origin), :with => :exception
 end
 
 class RequestForgeryProtectionControllerUsingNullSession < ActionController::Base
@@ -201,7 +219,7 @@ module RequestForgeryProtectionTests
   end
 
   def test_should_not_allow_post_without_token_irrespective_of_format
-    assert_blocked { post :index, :format=>'xml' }
+    assert_blocked { post :index, format: 'xml' }
   end
 
   def test_should_not_allow_patch_without_token
@@ -271,6 +289,38 @@ module RequestForgeryProtectionTests
     end
   end
 
+  def test_should_only_allow_same_origin_js_get_with_xhr_header
+    assert_cross_origin_blocked { get :same_origin_js }
+    assert_cross_origin_blocked { get :same_origin_js, format: 'js' }
+    assert_cross_origin_blocked do
+      @request.accept = 'text/javascript'
+      get :negotiate_same_origin
+    end
+
+    assert_cross_origin_not_blocked { xhr :get, :same_origin_js }
+    assert_cross_origin_not_blocked { xhr :get, :same_origin_js, format: 'js' }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      xhr :get, :negotiate_same_origin
+    end
+  end
+
+  def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled
+    assert_cross_origin_not_blocked { get :cross_origin_js }
+    assert_cross_origin_not_blocked { get :cross_origin_js, format: 'js' }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      get :negotiate_cross_origin
+    end
+
+    assert_cross_origin_not_blocked { xhr :get, :cross_origin_js }
+    assert_cross_origin_not_blocked { xhr :get, :cross_origin_js, format: 'js' }
+    assert_cross_origin_not_blocked do
+      @request.accept = 'text/javascript'
+      xhr :get, :negotiate_cross_origin
+    end
+  end
+
   def assert_blocked
     session[:something_like_user_id] = 1
     yield
@@ -282,6 +332,16 @@ module RequestForgeryProtectionTests
     assert_nothing_raised { yield }
     assert_response :success
   end
+
+  def assert_cross_origin_blocked
+    assert_raises(ActionController::InvalidCrossOriginRequest) do
+      yield
+    end
+  end
+
+  def assert_cross_origin_not_blocked
+    assert_not_blocked { yield }
+  end
 end
 
 # OK let's get our test on
@@ -305,13 +365,13 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController
   end
 end
 
-class NullSessionDummyKeyGenerator
-  def generate_key(secret)
-    '03312270731a2ed0d11ed091c2338a06'
+class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase
+  class NullSessionDummyKeyGenerator
+    def generate_key(secret)
+      '03312270731a2ed0d11ed091c2338a06'
+    end
   end
-end
 
-class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase  
   def setup
     @request.env[ActionDispatch::Cookies::GENERATOR_KEY] = NullSessionDummyKeyGenerator.new
   end
@@ -375,8 +435,8 @@ end
 
 class CustomAuthenticityParamControllerTest < ActionController::TestCase
   def setup
-    ActionController::Base.request_forgery_protection_token = :custom_token_name
     super
+    ActionController::Base.request_forgery_protection_token = :custom_token_name
   end
 
   def teardown
author	Jeremy Kemper <jeremy@bitsweat.net>	2013-12-12 20:41:14 -0700
committer	Jeremy Kemper <jeremy@bitsweat.net>	2013-12-17 13:14:17 -0700
commit	1650bb3d56897cfef4c7e6b86a36eed4f1a41df5 (patch)
tree	6f2e5fc872568c8d0f74e17e0e05230c6173526e /actionpack/test/controller
parent	290368bdb2c9ecb7d6212a1d3767ae69554788a9 (diff)
download	rails-1650bb3d56897cfef4c7e6b86a36eed4f1a41df5.tar.gz rails-1650bb3d56897cfef4c7e6b86a36eed4f1a41df5.tar.bz2 rails-1650bb3d56897cfef4c7e6b86a36eed4f1a41df5.zip