aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lib/action_cable.rb1
-rw-r--r--lib/action_cable/connection/base.rb24
-rw-r--r--lib/action_cable/server/configuration.rb3
-rw-r--r--test/connection/base_test.rb1
-rw-r--r--test/connection/cross_site_forgery_test.rb55
5 files changed, 83 insertions, 1 deletions
diff --git a/lib/action_cable.rb b/lib/action_cable.rb
index d2c5251634..49f14b51bc 100644
--- a/lib/action_cable.rb
+++ b/lib/action_cable.rb
@@ -8,6 +8,7 @@ require 'active_support'
require 'active_support/json'
require 'active_support/concern'
require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/core_ext/array/wrap'
require 'active_support/core_ext/module/delegation'
require 'active_support/callbacks'
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index 08a75156a3..a2ef99dff4 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -71,7 +71,7 @@ module ActionCable
def process
logger.info started_request_message
- if websocket.possible?
+ if websocket.possible? && allow_request_origin?
websocket.on(:open) { |event| send_async :on_open }
websocket.on(:message) { |event| on_message event.data }
websocket.on(:close) { |event| send_async :on_close }
@@ -165,6 +165,28 @@ module ActionCable
end
+ def allow_request_origin?
+ return true if server.config.disable_request_forgery_protection
+
+ if env['HTTP_ORIGIN'].present?
+ origin_host = URI.parse(env['HTTP_ORIGIN']).host
+
+ allowed = if server.config.allowed_request_origins.present?
+ Array.wrap(server.config.allowed_request_origins).include? origin_host
+ else
+ request.host == origin_host
+ end
+
+ logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed
+ allowed
+ else
+ logger.error("Request origin missing.")
+ false
+ end
+ rescue URI::InvalidURIError
+ false
+ end
+
def respond_to_successful_request
websocket.rack_response
end
diff --git a/lib/action_cable/server/configuration.rb b/lib/action_cable/server/configuration.rb
index ac9fa7b085..315782ec3e 100644
--- a/lib/action_cable/server/configuration.rb
+++ b/lib/action_cable/server/configuration.rb
@@ -6,6 +6,7 @@ module ActionCable
attr_accessor :logger, :log_tags
attr_accessor :connection_class, :worker_pool_size
attr_accessor :redis_path, :channels_path
+ attr_accessor :disable_request_forgery_protection, :allowed_request_origins
def initialize
@logger = Rails.logger
@@ -16,6 +17,8 @@ module ActionCable
@redis_path = Rails.root.join('config/redis/cable.yml')
@channels_path = Rails.root.join('app/channels')
+
+ @disable_request_forgery_protection = false
end
def channel_paths
diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index 2f008652ee..a4bd7f4a03 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,6 +16,7 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
setup do
@server = TestServer.new
+ @server.config.disable_request_forgery_protection = true
env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket'
@connection = Connection.new(@server, env)
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
new file mode 100644
index 0000000000..b904dbd8b6
--- /dev/null
+++ b/test/connection/cross_site_forgery_test.rb
@@ -0,0 +1,55 @@
+require 'test_helper'
+require 'stubs/test_server'
+
+class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
+ HOST = 'rubyonrails.com'
+
+ setup do
+ @server = TestServer.new
+ end
+
+ test "default cross site forgery protection only allows origin same as the server host" do
+ assert_origin_allowed 'http://rubyonrails.com'
+ assert_origin_not_allowed 'http://hax.com'
+ end
+
+ test "disable forgery protection" do
+ @server.config.disable_request_forgery_protection = true
+ assert_origin_allowed 'http://rubyonrails.com'
+ assert_origin_allowed 'http://hax.com'
+ end
+
+ test "explicitly specified a single allowed origin" do
+ @server.config.allowed_request_origins = 'hax.com'
+ assert_origin_not_allowed 'http://rubyonrails.com'
+ assert_origin_allowed 'http://hax.com'
+ end
+
+ test "explicitly specified multiple allowed origins" do
+ @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
+ assert_origin_allowed 'http://rubyonrails.com'
+ assert_origin_allowed 'http://www.rubyonrails.com'
+ assert_origin_allowed 'https://www.rubyonrails.com'
+ assert_origin_not_allowed 'http://hax.com'
+ end
+
+ private
+ def assert_origin_allowed(origin)
+ response = connect_with_origin origin
+ assert_equal -1, response[0]
+ end
+
+ def assert_origin_not_allowed(origin)
+ response = connect_with_origin origin
+ assert_equal 404, response[0]
+ end
+
+ def connect_with_origin(origin)
+ ActionCable::Connection::Base.new(@server, env_for_origin(origin)).process
+ end
+
+ def env_for_origin(origin)
+ Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', 'SERVER_NAME' => HOST,
+ 'HTTP_ORIGIN' => origin
+ end
+end