authorMichael Koziarski <michael@koziarski.com>2012-09-13 20:44:45 -0700
committerMichael Koziarski <michael@koziarski.com>2012-09-13 20:44:45 -0700
commitbb732beba7c0c6f54b12eb774bc78790dd955b65 (patch)
tree7e7e7c0d59a74db292434ea9abc9136cb5d17a9b /railties
parent0247443debe3670b016495aa32602e82186bfce4 (diff)
parent95be790ece75710f2588558a6d5f40fd09543b97 (diff)
Merge pull request #7616 from lest/null-session-forgery-protection
Implement :null_session CSRF protection method
Diffstat (limited to 'railties')
-rw-r--r--railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt2
-rw-r--r--railties/test/application/middleware/session_test.rb82
2 files changed, 83 insertions, 1 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
index 6c0ef31725..d83690e1b9 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
@@ -1,5 +1,5 @@
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
- # For APIs, you may want to use :reset_session instead.
+ # For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
end
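Review bot: The reworded comment on the generated `ApplicationController` still does not say what `:null_session` actually does, and the difference from `:exception` is security-relevant: the accompanying tests show that an unverified POST is not rejected but runs the action with an empty session and cookie jar, so any action that trusts session-backed authentication state must be written to tolerate a blank session. I would make that explicit in the template, e.g. `# For APIs, you may want to use :null_session instead: unverified requests` / `# then run with an empty session and cookie jar rather than raising.` Developers copy this generated file without reading the Rails docs, so the one-line hint should carry the caveat.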
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 07134cc935..06dec81d40 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -46,5 +46,87 @@ module ApplicationTests
assert last_request.env["HTTP_COOKIE"]
assert !last_response.headers["Set-Cookie"]
end
+
+ test "session is empty and isn't saved on unverified request when using :null_session protect method" do
+ app_file 'config/routes.rb', <<-RUBY
+ AppTemplate::Application.routes.draw do
+ get ':controller(/:action)'
+ post ':controller(/:action)'
+ end
+ RUBY
+
+ controller :foo, <<-RUBY
+ class FooController < ActionController::Base
+ protect_from_forgery with: :null_session
+
+ def write_session
+ session[:foo] = 1
+ render nothing: true
+ end
+
+ def read_session
+ render text: session[:foo].inspect
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ config.action_controller.allow_forgery_protection = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ get '/foo/write_session'
+ get '/foo/read_session'
+ assert_equal '1', last_response.body
+
+ post '/foo/read_session' # Read session using POST request without CSRF token
+ assert_equal 'nil', last_response.body # Stored value shouldn't be accessible
+
+ post '/foo/write_session' # Write session using POST request without CSRF token
+ get '/foo/read_session' # Session shouldn't be changed
+ assert_equal '1', last_response.body
+ end
+
+ test "cookie jar is empty and isn't saved on unverified request when using :null_session protect method" do
+ app_file 'config/routes.rb', <<-RUBY
+ AppTemplate::Application.routes.draw do
+ get ':controller(/:action)'
+ post ':controller(/:action)'
+ end
+ RUBY
+
+ controller :foo, <<-RUBY
+ class FooController < ActionController::Base
+ protect_from_forgery with: :null_session
+
+ def write_cookie
+ cookies[:foo] = '1'
+ render nothing: true
+ end
+
+ def read_cookie
+ render text: cookies[:foo].inspect
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ config.action_controller.allow_forgery_protection = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ get '/foo/write_cookie'
+ get '/foo/read_cookie'
+ assert_equal '"1"', last_response.body
+
+ post '/foo/read_cookie' # Read cookie using POST request without CSRF token
+ assert_equal 'nil', last_response.body # Stored value shouldn't be accessible
+
+ post '/foo/write_cookie' # Write cookie using POST request without CSRF token
+ get '/foo/read_cookie' # Cookie shouldn't be changed
+ assert_equal '"1"', last_response.body
+ end
end
end
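Review bot: Both new tests claim in their names that the session and cookie jar "aren't saved" on an unverified request, but that property is only checked indirectly through a later GET; the response to the unverified POST itself is never inspected for a `Set-Cookie` header. The sibling test directly above already pins this with `assert !last_response.headers["Set-Cookie"]`, so adding that same assertion immediately after each `post '/foo/read_session'` / `post '/foo/write_session'` (and the cookie counterparts) would demonstrate that the null session emits nothing, not merely that a later request sees the old value. The two tests also duplicate the routes file and `allow_forgery_protection` setup verbatim; a small private helper in the test module would keep them aligned if the setup changes later.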