aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/request_forgery_protection_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Add a better error message when a "null" Origin header occursJack McCracken2017-11-031-0/+13
|
* Add key rotation cookies middlewareMichael Coyne2017-09-241-1/+3
| | | | | | Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.
* Use frozen string literal in actionpack/Kir Shatrov2017-07-291-0/+2
|
* Add ActionController::Base.skip_forgery_protectionLisa Ugray2017-07-101-0/+30
| | | | | | Since we now default to `protect_from_forgery with: :exception`, provide a wrapper to `skip_before_action :verify_authenticity_token` for disabling forgery protection.
* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|
* Default embed_authenticity_token_in_remote_forms to nil.Kasper Timm Hansen2017-04-161-0/+90
| | | | | | | Effectively treat nil values as "auto", e.g. whatever a form helper chooses to interpret it as. But treat an explicitly assigned false value as disabling.
* Improve logging when Origin header doesn't matchJon Leighton2017-04-061-0/+11
| | | | | | | | | | | | | I came up against this while dealing with a misconfigured server. The browser was setting the Origin header to "https://example.com", but the Rails app returned "http://example.com" from request.base_url (because it was failing to detect that HTTPS was used). This caused verify_authenticity_token to fail, but the message in the log was "Can't verify CSRF token", which is confusing because the failure had nothing to do with the CSRF token sent in the request. This made it very hard to identify the issue, so hopefully this will make it more obvious for the next person.
* Privatize unneededly protected methods in Action Pack testsAkira Matsuda2016-12-231-1/+1
|
* Add three new rubocop rulesRafael Mendonça França2016-08-161-16/+16
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* Add `Style/EmptyLines` in `.rubocop.yml` and remove extra empty linesRyuta Kamizono2016-08-071-1/+0
|
* applies remaining conventions across the projectXavier Noria2016-08-061-1/+0
|
* normalizes indentation and whitespace across the projectXavier Noria2016-08-061-10/+10
|
* modernizes hash syntax in actionpackXavier Noria2016-08-061-13/+13
|
* applies new string literal convention in actionpack/testXavier Noria2016-08-061-70/+70
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Make sure the tests setup are made correctlyRafael Mendonça França2016-07-171-9/+9
|
* Respect `log_warning_on_csrf_failure` setting for all CSRF failuresMatthew Caruana Galizia2016-05-231-0/+31
| | | | | | | | | | | | CSRF verification for non-XHR GET requests (cross-origin `<script>` tags) didn't check this flag before logging failures. Setting `config.action_controller.log_warning_on_csrf_failure = false` now disables logging for these CSRF failures as well. Closes #25086. Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>
* Discart the schema and host information when building the per-form tokenRafael Mendonça França2016-04-201-0/+13
| | | | | | | | | | | When the token is generated by the form we were using the schema and host information while only using the path to compare if the action was the same. This was causing the token to be invalid. To fix this we use the same information to generate the token and check it. Fix #24257
* Make per form token work when method is not providedRafael Mendonça França2016-02-221-2/+16
| | | | | | When `button_to 'Botton', url` form was being used the per form token was not correct because the method that is was being used to generate it was an empty string.
* Refactored Request Forgery CSRF PerFormTokensController tests and DRY'ed ↵Vipul A M2016-02-221-70/+38
| | | | them up.
* Fixed passing of delete method on button_to tag, creating wrong form csrf tokenVipul A M2016-02-211-0/+44
| | | | Fixes #23524
* add option for per-form CSRF tokensBen Toews2016-01-041-0/+172
|
* Change the `protect_from_forgery` prepend default to `false`eileencodes2015-12-071-2/+2
| | | | | | | | | | | | | | | | | | | | | Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be insterted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call. Example: ```ruby protect_from_forgery prepend: true ```
* Add option to verify Origin header in CSRF checksBen Toews2015-11-251-0/+45
|
* Remove mocha from ActionPack testsMarcin Olichwirowicz2015-09-051-1/+0
|
* Get rid of mocha tests - part 2Marcin Olichwirowicz2015-08-251-8/+24
|
* Get rid of mocha tests - part 1Marcin Olichwirowicz2015-08-241-33/+46
|
* Stop using deprecated `render :text` in testPrem Sichanugrist2015-07-171-1/+1
| | | | | | | | | This will silence deprecation warnings. Most of the test can be changed from `render :text` to render `:plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
* let the superclass build the request and responseAaron Patterson2015-07-081-2/+1
| | | | | We should leverage the request / response objects that the superclass has already allocated for us.
* Deprecate `:nothing` option for render methodMehmet Emin İNAÇ2015-05-281-3/+3
| | | | `head` method works similar to `render` method with `:nothing` option
* Removed unused code from request_forgery_protection testsPrathamesh Sonpatki2015-04-261-17/+0
|
* Handle non-string authenticity tokensVille Lautanala2015-02-121-0/+7
| | | | Non-string authenticity tokens raised NoMethodError when decoding the masked token.
* Migrating xhr methods to keyword arguments syntaxKir Shatrov2015-02-011-7/+7
| | | | | | | | | | | | in `ActionController::TestCase` and `ActionDispatch::Integration` Old syntax: `xhr :get, :create, params: { id: 1 }` New syntax example: `get :create, params: { id: 1 }, xhr: true`
* Switch to kwargs in ActionController::TestCase and ActionDispatch::IntegrationKir Shatrov2015-01-291-10/+10
| | | | | | | | Non-kwargs requests are deprecated now. Guides are updated as well. `post url, nil, nil, { a: 'b' }` doesn't make sense. `post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
* Add prepend option to protect_from_forgery.Josef Šimánek2015-01-081-0/+60
|
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-191-5/+6
|\ | | | | CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Remove unneeded comment in test.Timm2014-06-161-1/+1
| |
* | Nokogiri leaves '<' unescaped, so the assert_select looking for '&lt;' will ↵Timm2014-06-161-2/+3
| | | | | | | | never work. Switched to assert_matching the reponse body.
* | Fixed Nokogiri::CSS::SyntaxErrors.Timm2014-06-151-2/+2
|/ | | | Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters.
* Avoid hardcoded value in teardown.Zuhao Wan2014-05-281-3/+6
|
* Moved 'params[request_forgery_protection_token]' into its own method and ↵Tom Kadwill2014-05-061-5/+26
| | | | improved tests.
* Remove wrapper div for inputs in button_toRafael Mendonça França2014-04-171-1/+1
| | | | Related with cbb917455f306cf5818644b162f22be09f77d4b2
* Update Request forgery tests to remove input wrappign divRafael Mendonça França2014-04-171-5/+5
| | | | This was changed at cbb917455f306cf5818644b162f22be09f77d4b2
* Make CSRF failure logging optional/configurable.John Barton (joho)2014-03-051-0/+16
| | | | | Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
* Clearly limit new CSRF protection to GET requestsJeremy Kemper2013-12-171-0/+10
|
* CSRF protection from cross-origin <script> tagsJeremy Kemper2013-12-171-9/+69
| | | | Thanks to @homakov for sounding the alarm about JSONP-style data leaking
* NullSessionHash#destroy should be a no-opJonathan Baudanza2013-09-181-0/+10
| | | | Previously it was raising a NilException
* Fix #9168 Initialize NullCookieJar with all options needed for KeyGeneratorAndrey Chernih2013-02-081-0/+35
|
* Added a test that shows that a HEAD request does not normally pass CSRF ↵Michiel Sikkes2013-01-221-0/+4
| | | | protection