| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
CSRF verification for non-XHR GET requests (cross-origin `<script>`
tags) didn't check this flag before logging failures.
Setting `config.action_controller.log_warning_on_csrf_failure = false`
now disables logging for these CSRF failures as well.
Closes #25086.
Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
When the token is generated by the form we were using the schema and
host information while only using the path to compare if the action was
the same. This was causing the token to be invalid.
To fix this we use the same information to generate the token and check
it.
Fix #24257
|
|
|
|
|
|
|
|
|
|
| |
- we are ending sentences properly
- fixing of space issues
- fixed continuity issues in some sentences.
Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 .
This change reverts making sure we add '.' at end of deprecation sentences.
This is to keep sentences within Rails itself consistent and with a '.' at the end.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use `each_byte` instead of `bytes` to speed up string xor operation and
reduce object allocations.
Inspired by commit 02c3867882d6d23b10df262a6db5f937ca69fb53.
``` ruby
require 'benchmark/ips'
require 'allocation_tracer'
a = 32.times.map { rand(256) }.pack('C*')
b = 32.times.map { rand(256) }.pack('C*')
def xor_byte_strings1(s1, s2)
s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end
def xor_byte_strings2(s1, s2)
s2_bytes = s2.bytes
s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end
def xor_byte_strings3(s1, s2)
s2_bytes = s2.bytes
s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
s2_bytes.pack('C*')
end
fail if xor_byte_strings1(a, b) != xor_byte_strings2(a, b)
fail if xor_byte_strings1(a, b) != xor_byte_strings3(a, b)
Benchmark.ips do |x|
x.report('xor_byte_strings1') { xor_byte_strings1(a, b) }
x.report('xor_byte_strings2') { xor_byte_strings2(a, b) }
x.report('xor_byte_strings3') { xor_byte_strings3(a, b) }
x.compare!
end
Tracer = ObjectSpace::AllocationTracer
Tracer.setup(%i{type})
p xor_byte_strings1: Tracer.trace { xor_byte_strings1(a, b) }
p xor_byte_strings2: Tracer.trace { xor_byte_strings2(a, b) }
p xor_byte_strings3: Tracer.trace { xor_byte_strings3(a, b) }
```
```
Warming up --------------------------------------
xor_byte_strings1 10.668k i/100ms
xor_byte_strings2 11.814k i/100ms
xor_byte_strings3 13.139k i/100ms
Calculating -------------------------------------
xor_byte_strings1 116.667k (± 3.1%) i/s - 586.740k
xor_byte_strings2 129.932k (± 4.3%) i/s - 649.770k
xor_byte_strings3 142.506k (± 4.2%) i/s - 722.645k
Comparison:
xor_byte_strings3: 142506.3 i/s
xor_byte_strings2: 129932.4 i/s - 1.10x slower
xor_byte_strings1: 116666.8 i/s - 1.22x slower
{:xor_byte_strings1=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings3=>{[:T_ARRAY]=>[1, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
[aaron@TC rails (master)]$ cat xor.rb
a = "\x14b\"\xB4P8\x05\x8D\xC74\xC3\xEC}\xFDf\x8E!h\xCF^\xBF\xA5%\xC6\xF0\xA9\xF9x\x04\xFA\xF1\x82"
b = "O.\xF7\x01\xA9D\xA3\xE1D\x7FU\x85\xFC\x8Ak\e\x04\x8A\x97\x91\xD01\x02\xA4G\x1EIf:Y\x0F@"
def xor_byte_strings(s1, s2)
s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end
def xor_byte_strings2(s1, s2)
s2_bytes = s2.bytes
s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end
require 'benchmark/ips'
require 'allocation_tracer'
Benchmark.ips do |x|
x.report 'xor_byte_strings' do
xor_byte_strings a, b
end
x.report 'xor_byte_strings2' do
xor_byte_strings2 a, b
end
end
ObjectSpace::AllocationTracer.setup(%i{type})
result = ObjectSpace::AllocationTracer.trace do
xor_byte_strings a, b
end
p :xor_byte_strings => result
ObjectSpace::AllocationTracer.clear
result = ObjectSpace::AllocationTracer.trace do
xor_byte_strings2 a, b
end
p :xor_byte_strings2 => result
[aaron@TC rails (master)]$ ruby -I~/git/allocation_tracer/lib xor.rb
Calculating -------------------------------------
xor_byte_strings 10.087k i/100ms
xor_byte_strings2 11.339k i/100ms
-------------------------------------------------
xor_byte_strings 108.386k (± 5.8%) i/s - 544.698k
xor_byte_strings2 122.239k (± 3.0%) i/s - 612.306k
{:xor_byte_strings=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per this comment
https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want
`protect_from_forgery` to default to `prepend: false`.
`protect_from_forgery` will now be insterted into the callback chain at the
point it is called in your application. This is useful for cases where you
want to `protect_from_forgery` after you perform required authentication
callbacks or other callbacks that are required to run after forgery protection.
If you want `protect_from_forgery` callbacks to always run first, regardless of
position they are called in your application, then you can add `prepend: true`
to your `protect_from_forgery` call.
Example:
```ruby
protect_from_forgery prepend: true
```
|
| |
|
|
|
|
|
| |
* add `end` to end of class definition
* add a blank line between explanation and example code
|
| |
|
|
|
|
| |
this commit removes some direct access to `env`.
|
|
|
|
| |
May be missed in 5fe141638f1243ac6ae187ae14aa398b4c1875a2 commit
Also fixes the broken build
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The cookie jar can just ask the request object for the information it
needs. This allows us to stop allocating hashes for options, and also
allows us to delay calculating values in advance. Generating the
options hash forced us to calculate values that we may never have needed
at runtime
|
|
|
|
|
|
| |
Accessing a request object has nice advantages over accessing a hash.
If you use a missing method name, you'll get an exception rather than a
`nil` (is one nice feature)
|
| |
|
|\ |
|
| | |
|
|/
|
|
|
|
|
|
|
|
| |
spelling fix [ci skip]
example to be consistent [ci skip]
grammatical fix
typo fixes [ci skip]
|
|\ |
|
| |
| |
| |
| | |
[ci skip]
|
|/
|
|
|
|
| |
- Changed Javascript to JavaScript.
- Added full-stop which was missing, also wrapped the sentence to 80 chars.
- Changed proc to Proc and oauth to OAuth.
|
| |
|
|
|
|
|
|
| |
specifically are checked for CSRF, when dealing with the browser.
[ci skip]
|
| |
|
|
|
|
|
| |
This approach will avoid us to check for NoMethodError when trying to
decode
|
|
|
|
| |
Non-string authenticity tokens raised NoMethodError when decoding the
masked token.
|
| |
|
| |
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
Add nodoc to some constants [skip ci]
|
| |
|
|\
| |
| | |
CSRF token mask from breach-mitigation-rails gem
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.
The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.
|
|/
|
|
| |
[skip ci]
|
| |
|
|
|
|
| |
improved tests.
|
|
|
|
|
| |
Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.
|
| |
|
|
|
|
| |
Thanks to @homakov for sounding the alarm about JSONP-style data leaking
|
|
|
|
| |
Previously it was raising a NilException
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
Make HEAD work / convert to GET once more
|
| | |
|