diff options
-rw-r--r-- | lib/action_cable/connection/base.rb | 13 | ||||
-rw-r--r-- | lib/action_cable/server/configuration.rb | 3 | ||||
-rw-r--r-- | test/connection/base_test.rb | 5 | ||||
-rw-r--r-- | test/connection/cross_site_forgery_test.rb | 55 |
4 files changed, 74 insertions, 2 deletions
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb index cd7f76f118..2f2fa1fdec 100644 --- a/lib/action_cable/connection/base.rb +++ b/lib/action_cable/connection/base.rb @@ -70,7 +70,7 @@ module ActionCable def process logger.info started_request_message - if websocket.possible? + if websocket.possible? && allow_request_origin? websocket.on(:open) { |event| send_async :on_open } websocket.on(:message) { |event| on_message event.data } websocket.on(:close) { |event| send_async :on_close } @@ -172,6 +172,17 @@ module ActionCable end + def allow_request_origin? + return true if server.config.disable_request_forgery_protection + + if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN'] + true + else + logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") + false + end + end + def respond_to_successful_request websocket.rack_response end diff --git a/lib/action_cable/server/configuration.rb b/lib/action_cable/server/configuration.rb index ac9fa7b085..315782ec3e 100644 --- a/lib/action_cable/server/configuration.rb +++ b/lib/action_cable/server/configuration.rb @@ -6,6 +6,7 @@ module ActionCable attr_accessor :logger, :log_tags attr_accessor :connection_class, :worker_pool_size attr_accessor :redis_path, :channels_path + attr_accessor :disable_request_forgery_protection, :allowed_request_origins def initialize @logger = Rails.logger @@ -16,6 +17,8 @@ module ActionCable @redis_path = Rails.root.join('config/redis/cable.yml') @channels_path = Rails.root.join('app/channels') + + @disable_request_forgery_protection = false end def channel_paths diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb index 81009f0849..7118c34d9e 100644 --- a/test/connection/base_test.rb +++ b/test/connection/base_test.rb @@ -16,8 +16,11 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase setup do @server = TestServer.new + @server.config.allowed_request_origins = %w( http://rubyonrails.com ) + + env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', + 'HTTP_ORIGIN' => 'http://rubyonrails.com' - env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket' @connection = Connection.new(@server, env) @response = @connection.process end diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb new file mode 100644 index 0000000000..6073f89287 --- /dev/null +++ b/test/connection/cross_site_forgery_test.rb @@ -0,0 +1,55 @@ +require 'test_helper' +require 'stubs/test_server' + +class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase + HOST = 'rubyonrails.com' + + setup do + @server = TestServer.new + @server.config.allowed_request_origins = %w( http://rubyonrails.com ) + end + + teardown do + @server.config.disable_request_forgery_protection = false + @server.config.allowed_request_origins = [] + end + + test "disable forgery protection" do + @server.config.disable_request_forgery_protection = true + assert_origin_allowed 'http://rubyonrails.com' + assert_origin_allowed 'http://hax.com' + end + + test "explicitly specified a single allowed origin" do + @server.config.allowed_request_origins = 'http://hax.com' + assert_origin_not_allowed 'http://rubyonrails.com' + assert_origin_allowed 'http://hax.com' + end + + test "explicitly specified multiple allowed origins" do + @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com ) + assert_origin_allowed 'http://rubyonrails.com' + assert_origin_allowed 'http://www.rubyonrails.com' + assert_origin_not_allowed 'http://hax.com' + end + + private + def assert_origin_allowed(origin) + response = connect_with_origin origin + assert_equal -1, response[0] + end + + def assert_origin_not_allowed(origin) + response = connect_with_origin origin + assert_equal 404, response[0] + end + + def connect_with_origin(origin) + ActionCable::Connection::Base.new(@server, env_for_origin(origin)).process + end + + def env_for_origin(origin) + Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', 'SERVER_NAME' => HOST, + 'HTTP_ORIGIN' => origin + end +end |