aboutsummaryrefslogtreecommitdiffstats
path: root/railties
diff options
context:
space:
mode:
authorSergey Nartimov <just.lest@gmail.com>2012-09-13 12:07:37 +0300
committerSergey Nartimov <just.lest@gmail.com>2012-09-13 12:07:37 +0300
commit95be790ece75710f2588558a6d5f40fd09543b97 (patch)
tree5dbcfe62d1337ed87c2afdc95f025aee22587a17 /railties
parent616ba15f2cb89588ae3b0a55452f4059f2c118b1 (diff)
downloadrails-95be790ece75710f2588558a6d5f40fd09543b97.tar.gz
rails-95be790ece75710f2588558a6d5f40fd09543b97.tar.bz2
rails-95be790ece75710f2588558a6d5f40fd09543b97.zip
Implement :null_session CSRF protection method
It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provide an empty session during request processing but doesn't reset it completely (as :reset_session does).
Diffstat (limited to 'railties')
-rw-r--r--railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt2
-rw-r--r--railties/test/application/middleware/session_test.rb82
2 files changed, 83 insertions, 1 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
index 6c0ef31725..d83690e1b9 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
@@ -1,5 +1,5 @@
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
- # For APIs, you may want to use :reset_session instead.
+ # For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
end
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 07134cc935..06dec81d40 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -46,5 +46,87 @@ module ApplicationTests
assert last_request.env["HTTP_COOKIE"]
assert !last_response.headers["Set-Cookie"]
end
+
+ test "session is empty and isn't saved on unverified request when using :null_session protect method" do
+ app_file 'config/routes.rb', <<-RUBY
+ AppTemplate::Application.routes.draw do
+ get ':controller(/:action)'
+ post ':controller(/:action)'
+ end
+ RUBY
+
+ controller :foo, <<-RUBY
+ class FooController < ActionController::Base
+ protect_from_forgery with: :null_session
+
+ def write_session
+ session[:foo] = 1
+ render nothing: true
+ end
+
+ def read_session
+ render text: session[:foo].inspect
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ config.action_controller.allow_forgery_protection = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ get '/foo/write_session'
+ get '/foo/read_session'
+ assert_equal '1', last_response.body
+
+ post '/foo/read_session' # Read session using POST request without CSRF token
+ assert_equal 'nil', last_response.body # Stored value shouldn't be accessible
+
+ post '/foo/write_session' # Write session using POST request without CSRF token
+ get '/foo/read_session' # Session shouldn't be changed
+ assert_equal '1', last_response.body
+ end
+
+ test "cookie jar is empty and isn't saved on unverified request when using :null_session protect method" do
+ app_file 'config/routes.rb', <<-RUBY
+ AppTemplate::Application.routes.draw do
+ get ':controller(/:action)'
+ post ':controller(/:action)'
+ end
+ RUBY
+
+ controller :foo, <<-RUBY
+ class FooController < ActionController::Base
+ protect_from_forgery with: :null_session
+
+ def write_cookie
+ cookies[:foo] = '1'
+ render nothing: true
+ end
+
+ def read_cookie
+ render text: cookies[:foo].inspect
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ config.action_controller.allow_forgery_protection = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ get '/foo/write_cookie'
+ get '/foo/read_cookie'
+ assert_equal '"1"', last_response.body
+
+ post '/foo/read_cookie' # Read cookie using POST request without CSRF token
+ assert_equal 'nil', last_response.body # Stored value shouldn't be accessible
+
+ post '/foo/write_cookie' # Write cookie using POST request without CSRF token
+ get '/foo/read_cookie' # Cookie shouldn't be changed
+ assert_equal '"1"', last_response.body
+ end
end
end