path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
Commit message (author, date; files changed, lines removed/added)
* Use media_type instead of content_type internally (Eugene Kenny, 2019-08-04; 1 file, -1/+1)

  These calls to `content_type` were triggering the deprecation from c631e8d011a7cf3e7ade4e9e8db56d2b89bd530c in upgraded applications. We can use `media_type` in all of these cases to avoid the deprecation.
* Use match? where we don't need MatchData (Akira Matsuda, 2019-07-29; 1 file, -1/+1)
* Enable `Layout/EmptyLinesAroundAccessModifier` cop (Ryuta Kamizono, 2019-06-13; 1 file, -2/+0)

  We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now the `Layout/EmptyLinesAroundAccessModifier` cop has a new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce our code review cost.
* Suggest 'strict-origin' Referrer-Policy header (Tom Richards, 2019-03-17; 1 file, -1/+1)
* Convert over the rest of the whitelist references (Kevin Deisz, 2018-08-24; 1 file, -1/+1)
* Fix rubocop offenses (bogdanvlviv, 2018-08-15; 1 file, -1/+1)

  - Layout/TrailingWhitespace

  ```
  actionpack/lib/action_controller/metal/request_forgery_protection.rb:49:4: C: Layout/TrailingWhitespace: Trailing whitespace detected.
     #
     ^
  ```

  Related to c3787494eda

  - Performance/StartWith

  ```
  tasks/release.rb:108:44: C: Performance/StartWith: Use String#start_with? instead of a regex match anchored to the beginning of the string.
  header += "* No changes.\n\n\n" if current_contents =~ /\A##/
  ```
* Merge pull request #31640 from gingerlime/patch-1 (Richard Schneeman, 2018-08-10; 1 file, -4/+11)

  fixes #27157 CSRF protection documentation
* fixes #27157 CSRF protection documentation (gingerlime, 2018-01-05; 1 file, -4/+11)

  - removed reference to GET requests where it applies also to other HTTP verbs
  - updated documentation to try and better explain how CSRF protection works with XHR, and the potential exposure with CORS
* Rails guides are now served over https (Paul McMahon, 2018-07-24; 1 file, -1/+1)

  http links will be redirected to the https version, but it is still better to just directly link to the https version.
* Avoid unused capture in `non_xhr_javascript_response?` (Ryuta Kamizono, 2018-05-31; 1 file, -1/+1)
* Include application/javascript when checking content_type (Gabriel Jaldon, 2018-05-27; 1 file, -1/+1)
* Speed up xor_byte_strings by 70% (Jeremy Evans, 2018-05-18; 1 file, -3/+8)

  Benchmark:

```ruby
require 'benchmark'
require 'benchmark/ips'
require 'securerandom'

def xor_byte_strings(s1, s2) # :doc:
  s2_bytes = s2.bytes
  s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
  s2_bytes.pack("C*")
end

def xor_byte_strings_new(s1, s2) # :doc:
  s2 = s2.dup
  size = s1.bytesize
  i = 0
  while i < size
    s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
    i += 1
  end
  s2
end

s1 = SecureRandom.random_bytes(32)
s2 = SecureRandom.random_bytes(32)

Benchmark.ips do |x|
  x.report("current"){xor_byte_strings(s1, s2)}
  x.report("new"){xor_byte_strings_new(s1, s2)}
  x.compare!
end

100000.times do |i|
  s3 = SecureRandom.random_bytes(32)
  s4 = SecureRandom.random_bytes(32)
  raise unless xor_byte_strings(s3, s4) == xor_byte_strings_new(s3, s4)
end
```

  Results on ruby 2.5.1:

```
Warming up --------------------------------------
             current     6.519k i/100ms
                 new    10.508k i/100ms
Calculating -------------------------------------
             current     84.723k (± 0.4%) i/s -    423.735k in   5.001456s
                 new    145.871k (± 0.3%) i/s -    735.560k in   5.042606s

Comparison:
                 new:   145870.6 i/s
             current:    84723.4 i/s - 1.72x  slower
```
* Improve the null origin error message (Patrik Bóna, 2018-04-09; 1 file, -1/+1)
* Remove usage of strip_heredoc in the framework in favor of <<~ (Rafael Mendonça França, 2018-02-16; 1 file, -2/+1)

  In some places we can't remove it because Ruby still doesn't have a method equivalent to strip_heredoc that can be called on an already existing string.
* Add missing require for `strip_heredoc` (Peter Wagenet, 2018-01-04; 1 file, -0/+1)
* Merge pull request #30780 from JackMc/fix-chrome-referrer-invalidauthenticitytoken (Sean Griffin, 2017-12-07; 1 file, -0/+10)

  Fix issue #30658 by checking explicitly for 'null' referrer
* Add a better error message when a "null" Origin header occurs (Jack McCracken, 2017-11-03; 1 file, -0/+10)
* Merge pull request #24510 from vipulnsward/make-variable_size_secure_compare-public (Rafael Mendonça França, 2017-11-25; 1 file, -2/+2)

  Make variable_size_secure_compare public
* Changed default behaviour of `ActiveSupport::SecurityUtils.secure_compare` (Vipul A M, 2017-06-07; 1 file, -2/+2)

  Changed default behaviour of `ActiveSupport::SecurityUtils.secure_compare` to make it not leak length information even for variable length strings. Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`, and started raising `ArgumentError` in case of length mismatch of passed strings.
* Update incorrect backtick usage in RDoc to teletype (T.J. Schuck, 2017-11-22; 1 file, -3/+3)

  [ci skip]
* Show `RequestForgeryProtection` methods in api doc [ci skip] (yuuji.yaginuma, 2017-11-05; 1 file, -0/+1)

  Several methods of `RequestForgeryProtection` are not shown in the api doc even though `:doc:` is specified (e.g. `form_authenticity_param`).
  http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html

  These methods are listed in the doc of v4.1.
  http://api.rubyonrails.org/v4.1/classes/ActionController/RequestForgeryProtection.html

  This is due to the influence of `:nodoc:` added in #18102: methods after `CROSS_ORIGIN_JAVASCRIPT_WARNING` are not shown in the doc. Therefore, in order to show the methods as before, `startdoc` was added after `CROSS_ORIGIN_JAVASCRIPT_WARNING`.
* [Action Pack] require => require_relative (Akira Matsuda, 2017-10-21; 1 file, -1/+1)

  This basically reverts e9fca7668b9eba82bcc832cb0061459703368397, d08da958b9ae17d4bbe4c9d7db497ece2450db5f, d1fe1dcf8ab1c0210a37c2a78c1ee52cf199a66d, and 68eaf7b4d5f2bb56d939f71c5ece2d61cf6680a3
* Use tt in doc for ActionPack [ci skip] (Yoshiyuki Hirano, 2017-08-26; 1 file, -1/+1)
* Use frozen string literal in actionpack/ (Kir Shatrov, 2017-07-29; 1 file, -0/+2)
* Add ActionController::Base.skip_forgery_protection (Lisa Ugray, 2017-07-10; 1 file, -0/+9)

  Since we now default to `protect_from_forgery with: :exception`, provide a wrapper to `skip_before_action :verify_authenticity_token` for disabling forgery protection.
* Protect from forgery by default (Lisa Ugray, 2017-07-10; 1 file, -0/+4)

  Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.
* [Action Controller] require => require_relative (Akira Matsuda, 2017-07-01; 1 file, -1/+1)
* Improve logging when Origin header doesn't match (Jon Leighton, 2017-04-06; 1 file, -1/+5)

  I came up against this while dealing with a misconfigured server. The browser was setting the Origin header to "https://example.com", but the Rails app returned "http://example.com" from request.base_url (because it was failing to detect that HTTPS was used). This caused verify_authenticity_token to fail, but the message in the log was "Can't verify CSRF token", which is confusing because the failure had nothing to do with the CSRF token sent in the request. This made it very hard to identify the issue, so hopefully this will make it more obvious for the next person.
* [docs] fix ActionController documentation (Hrvoje Šimić, 2017-03-12; 1 file, -5/+5)

  [ci skip]
* Privatize unneededly protected methods in Action Pack (Akira Matsuda, 2016-12-24; 1 file, -23/+23)
* normalizes indentation and whitespace across the project (Xavier Noria, 2016-08-06; 1 file, -20/+20)
* applies new string literal convention in actionpack/lib (Xavier Noria, 2016-08-06; 1 file, -6/+6)

  The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Fix incorrect indentation in method comment [ci skip] (Junya Ogura, 2016-07-21; 1 file, -3/+3)
* Respect `log_warning_on_csrf_failure` setting for all CSRF failures (Matthew Caruana Galizia, 2016-05-23; 1 file, -1/+3)

  CSRF verification for non-XHR GET requests (cross-origin `<script>` tags) didn't check this flag before logging failures. Setting `config.action_controller.log_warning_on_csrf_failure = false` now disables logging for these CSRF failures as well.

  Closes #25086.

  Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* Discard the schema and host information when building the per-form token (Rafael Mendonça França, 2016-04-20; 1 file, -1/+2)

  When the token is generated by the form we were using the schema and host information while only using the path to compare if the action was the same. This was causing the token to be invalid. To fix this we use the same information to generate the token and check it.

  Fix #24257
* Pass over all Rails 5 warnings, to make sure: (Vipul A M, 2016-04-12; 1 file, -1/+1)

  - we are ending sentences properly
  - fixing of space issues
  - fixed continuity issues in some sentences.

  Reverts https://github.com/rails/rails/commit/8fc97d198ef31c1d7a4b9b849b96fc08a667fb02 . This change reverts making sure we add '.' at end of deprecation sentences. This is to keep sentences within Rails itself consistent and with a '.' at the end.
* Improve the performance of string xor operations (hik, 2016-02-15; 1 file, -1/+2)

  Use `each_byte` instead of `bytes` to speed up string xor operation and reduce object allocations. Inspired by commit 02c3867882d6d23b10df262a6db5f937ca69fb53.

```ruby
require 'benchmark/ips'
require 'allocation_tracer'

a = 32.times.map { rand(256) }.pack('C*')
b = 32.times.map { rand(256) }.pack('C*')

def xor_byte_strings1(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end

def xor_byte_strings2(s1, s2)
  s2_bytes = s2.bytes
  s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end

def xor_byte_strings3(s1, s2)
  s2_bytes = s2.bytes
  s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
  s2_bytes.pack('C*')
end

fail if xor_byte_strings1(a, b) != xor_byte_strings2(a, b)
fail if xor_byte_strings1(a, b) != xor_byte_strings3(a, b)

Benchmark.ips do |x|
  x.report('xor_byte_strings1') { xor_byte_strings1(a, b) }
  x.report('xor_byte_strings2') { xor_byte_strings2(a, b) }
  x.report('xor_byte_strings3') { xor_byte_strings3(a, b) }
  x.compare!
end

Tracer = ObjectSpace::AllocationTracer
Tracer.setup(%i{type})
p xor_byte_strings1: Tracer.trace { xor_byte_strings1(a, b) }
p xor_byte_strings2: Tracer.trace { xor_byte_strings2(a, b) }
p xor_byte_strings3: Tracer.trace { xor_byte_strings3(a, b) }
```

```
Warming up --------------------------------------
   xor_byte_strings1    10.668k i/100ms
   xor_byte_strings2    11.814k i/100ms
   xor_byte_strings3    13.139k i/100ms
Calculating -------------------------------------
   xor_byte_strings1    116.667k (± 3.1%) i/s -    586.740k
   xor_byte_strings2    129.932k (± 4.3%) i/s -    649.770k
   xor_byte_strings3    142.506k (± 4.2%) i/s -    722.645k

Comparison:
   xor_byte_strings3:   142506.3 i/s
   xor_byte_strings2:   129932.4 i/s - 1.10x slower
   xor_byte_strings1:   116666.8 i/s - 1.22x slower

{:xor_byte_strings1=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings3=>{[:T_ARRAY]=>[1, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```
* speed up string xor operation and reduce object allocations (Aaron Patterson, 2016-02-08; 1 file, -1/+2)

```
[aaron@TC rails (master)]$ cat xor.rb
a = "\x14b\"\xB4P8\x05\x8D\xC74\xC3\xEC}\xFDf\x8E!h\xCF^\xBF\xA5%\xC6\xF0\xA9\xF9x\x04\xFA\xF1\x82"
b = "O.\xF7\x01\xA9D\xA3\xE1D\x7FU\x85\xFC\x8Ak\e\x04\x8A\x97\x91\xD01\x02\xA4G\x1EIf:Y\x0F@"

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end

def xor_byte_strings2(s1, s2)
  s2_bytes = s2.bytes
  s1.bytes.map.with_index { |c1, i| c1 ^ s2_bytes[i] }.pack('c*')
end

require 'benchmark/ips'
require 'allocation_tracer'

Benchmark.ips do |x|
  x.report 'xor_byte_strings' do
    xor_byte_strings a, b
  end

  x.report 'xor_byte_strings2' do
    xor_byte_strings2 a, b
  end
end

ObjectSpace::AllocationTracer.setup(%i{type})
result = ObjectSpace::AllocationTracer.trace do
  xor_byte_strings a, b
end
p :xor_byte_strings => result
ObjectSpace::AllocationTracer.clear

result = ObjectSpace::AllocationTracer.trace do
  xor_byte_strings2 a, b
end
p :xor_byte_strings2 => result
[aaron@TC rails (master)]$ ruby -I~/git/allocation_tracer/lib xor.rb
Calculating -------------------------------------
    xor_byte_strings    10.087k i/100ms
   xor_byte_strings2    11.339k i/100ms
-------------------------------------------------
    xor_byte_strings    108.386k (± 5.8%) i/s -    544.698k
   xor_byte_strings2    122.239k (± 3.0%) i/s -    612.306k
{:xor_byte_strings=>{[:T_ARRAY]=>[38, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
{:xor_byte_strings2=>{[:T_ARRAY]=>[3, 0, 0, 0, 0, 0], [:T_DATA]=>[1, 0, 0, 0, 0, 0], [:T_IMEMO]=>[2, 0, 0, 0, 0, 0], [:T_STRING]=>[2, 0, 0, 0, 0, 0]}}
```
* add option for per-form CSRF tokens (Ben Toews, 2016-01-04; 1 file, -11/+54)
* Change the `protect_from_forgery` prepend default to `false` (eileencodes, 2015-12-07; 1 file, -7/+7)

  Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`.

  `protect_from_forgery` will now be inserted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection.

  If you want `protect_from_forgery` callbacks to always run first, regardless of the position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call.

  Example:

```ruby
protect_from_forgery prepend: true
```
* Add option to verify Origin header in CSRF checks (Ben Toews, 2015-11-25; 1 file, -2/+28)
* [ci skip] Fix document of `ActionController::RequestForgeryProtection` (yui-knk, 2015-09-28; 1 file, -0/+2)

  - add `end` to end of class definition
  - add a blank line between explanation and example code
* Use rack.session_options instead of directly change env (Juanito Fatas, 2015-09-16; 1 file, -1/+1)
* fewer direct env manipulations (Aaron Patterson, 2015-09-15; 1 file, -1/+1)

  this commit removes some direct access to `env`.
* Another place to use a request object in NullSessionHash (Ronak Jangir, 2015-08-23; 1 file, -3/+3)

  Maybe missed in 5fe141638f1243ac6ae187ae14aa398b4c1875a2 commit. Also fixes the broken build.
* add a setter for the cookie jar (Aaron Patterson, 2015-08-06; 1 file, -1/+1)
* remove `@host` ivar (Aaron Patterson, 2015-08-05; 1 file, -7/+1)
* remove @secure ivar (Aaron Patterson, 2015-08-05; 1 file, -2/+1)
* CookieJar does not need the key_generator parameter anymore (Aaron Patterson, 2015-08-05; 1 file, -2/+1)
* stop using an options hash with the cookie jar (Aaron Patterson, 2015-08-05; 1 file, -1/+1)

  The cookie jar can just ask the request object for the information it needs. This allows us to stop allocating hashes for options, and also allows us to delay calculating values in advance. Generating the options hash forced us to calculate values that we may never have needed at runtime.