First take at cross site forgery protection

3 files changed, 27 insertions, 1 deletions

diff --git a/lib/action_cable.rb b/lib/action_cable.rb
index d2c5251634..49f14b51bc 100644
--- a/lib/action_cable.rb
+++ b/lib/action_cable.rb
@@ -8,6 +8,7 @@ require 'active_support'
 require 'active_support/json'
 require 'active_support/concern'
 require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/core_ext/array/wrap'
 require 'active_support/core_ext/module/delegation'
 require 'active_support/callbacks'
 
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index 08a75156a3..a2ef99dff4 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -71,7 +71,7 @@ module ActionCable
       def process
         logger.info started_request_message
 
-        if websocket.possible?
+        if websocket.possible? && allow_request_origin?
           websocket.on(:open)    { |event| send_async :on_open   }
           websocket.on(:message) { |event| on_message event.data }
           websocket.on(:close)   { |event| send_async :on_close  }
@@ -165,6 +165,28 @@ module ActionCable
         end
 
 
+        def allow_request_origin?
+          return true if server.config.disable_request_forgery_protection
+
+          if env['HTTP_ORIGIN'].present?
+            origin_host = URI.parse(env['HTTP_ORIGIN']).host
+
+            allowed = if server.config.allowed_request_origins.present?
+              Array.wrap(server.config.allowed_request_origins).include? origin_host
+            else
+              request.host == origin_host
+            end
+
+            logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed
+            allowed
+          else
+            logger.error("Request origin missing.")
+            false
+          end
+        rescue URI::InvalidURIError
+          false
+        end
+
         def respond_to_successful_request
           websocket.rack_response
         end
diff --git a/lib/action_cable/server/configuration.rb b/lib/action_cable/server/configuration.rb
index ac9fa7b085..315782ec3e 100644
--- a/lib/action_cable/server/configuration.rb
+++ b/lib/action_cable/server/configuration.rb
@@ -6,6 +6,7 @@ module ActionCable
       attr_accessor :logger, :log_tags
       attr_accessor :connection_class, :worker_pool_size
       attr_accessor :redis_path, :channels_path
+      attr_accessor :disable_request_forgery_protection, :allowed_request_origins
 
       def initialize
         @logger   = Rails.logger
@@ -16,6 +17,8 @@ module ActionCable
 
         @redis_path    = Rails.root.join('config/redis/cable.yml')
         @channels_path = Rails.root.join('app/channels')
+
+        @disable_request_forgery_protection = false
       end
 
       def channel_paths