From 3e98819e20bc113343d4d4c0df614865ad5a9d3a Mon Sep 17 00:00:00 2001
From: Ben Toews <mastahyeti@users.noreply.github.com>
Date: Mon, 4 Jan 2016 12:23:55 -0700
Subject: add option for per-form CSRF tokens

---
 .../metal/request_forgery_protection.rb            | 65 ++++++++++++++++++----
 1 file changed, 54 insertions(+), 11 deletions(-)

(limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 26c4550f89..91b3403ad5 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -81,6 +81,10 @@ module ActionController #:nodoc:
       config_accessor :forgery_protection_origin_check
       self.forgery_protection_origin_check = false
 
+      # Controls whether form-action/method specific CSRF tokens are used.
+      config_accessor :per_form_csrf_tokens
+      self.per_form_csrf_tokens = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -277,16 +281,25 @@ module ActionController #:nodoc:
       end
 
       # Sets the token value for the current session.
-      def form_authenticity_token
-        masked_authenticity_token(session)
+      def form_authenticity_token(form_options: {})
+        masked_authenticity_token(session, form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session)
+      def masked_authenticity_token(session, form_options: {})
+        action, method = form_options.values_at(:action, :method)
+
+        raw_token = if per_form_csrf_tokens && action && method
+          action_path = normalize_action_path(action)
+          per_form_csrf_token(session, action_path, method)
+        else
+          real_csrf_token(session)
+        end
+
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, real_csrf_token(session))
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
         Base64.strict_encode64(masked_token)
       end
@@ -316,28 +329,54 @@ module ActionController #:nodoc:
           compare_with_real_token masked_token, session
 
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
-          # Split the token into the one-time pad and the encrypted
-          # value and decrypt it
-          one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
-          encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
-          csrf_token = xor_byte_strings(one_time_pad, encrypted_csrf_token)
-
-          compare_with_real_token csrf_token, session
+          csrf_token = unmask_token(masked_token)
 
+          compare_with_real_token(csrf_token, session) ||
+            valid_per_form_csrf_token?(csrf_token, session)
         else
           false # Token is malformed
         end
       end
 
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
+        encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
+        xor_byte_strings(one_time_pad, encrypted_csrf_token)
+      end
+
       def compare_with_real_token(token, session)
         ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
       end
 
+      def valid_per_form_csrf_token?(token, session)
+        if per_form_csrf_tokens
+          correct_token = per_form_csrf_token(
+            session,
+            normalize_action_path(request.fullpath),
+            request.request_method
+          )
+
+          ActiveSupport::SecurityUtils.secure_compare(token, correct_token)
+        else
+          false
+        end
+      end
+
       def real_csrf_token(session)
         session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         Base64.strict_decode64(session[:_csrf_token])
       end
 
+      def per_form_csrf_token(session, action_path, method)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest::SHA256.new,
+          real_csrf_token(session),
+          [action_path, method.downcase].join("#")
+        )
+      end
+
       def xor_byte_strings(s1, s2)
         s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
       end
@@ -362,5 +401,9 @@ module ActionController #:nodoc:
           true
         end
       end
+
+      def normalize_action_path(action_path)
+        action_path.split('?').first.to_s.chomp('/')
+      end
   end
 end
-- 
cgit v1.2.3