actionpack 6.1.7.5 → 7.1.3.1

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -4,13 +4,15 @@ require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
 
-module ActionController #:nodoc:
-  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+module ActionController # :nodoc:
+  class InvalidAuthenticityToken < ActionControllerError # :nodoc:
   end
 
-  class InvalidCrossOriginRequest < ActionControllerError #:nodoc:
+  class InvalidCrossOriginRequest < ActionControllerError # :nodoc:
   end
 
+  # = Action Controller Request Forgery Protection
+  #
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
   # by including a token in the rendered HTML for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
@@ -32,12 +34,12 @@ module ActionController #:nodoc:
   # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
   # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # Subclasses of <tt>ActionController::Base</tt> are protected by default with the
+  # Subclasses of ActionController::Base are protected by default with the
   # <tt>:exception</tt> strategy, which raises an
-  # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
+  # ActionController::InvalidAuthenticityToken error on unverified requests.
   #
   # APIs may want to disable this behavior since they are typically designed to be
-  # state-less: that is, the request API client handles the session instead of Rails.
+  # state-less: that is, the request API client handles the session instead of \Rails.
   # One way to achieve this is to use the <tt>:null_session</tt> strategy instead,
   # which allows unverified requests to be handled, but with an empty session:
   #
@@ -55,6 +57,8 @@ module ActionController #:nodoc:
   # Learn more about CSRF attacks and securing your application in the
   # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
   module RequestForgeryProtection
+    CSRF_TOKEN = "action_controller.csrf_token"
+
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
@@ -90,9 +94,9 @@ module ActionController #:nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
-      # Controls whether URL-safe CSRF tokens are generated.
-      config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = false
+      # The strategy to use for storing and retrieving CSRF tokens.
+      config_accessor :csrf_token_storage_strategy
+      self.csrf_token_storage_strategy = SessionStore.new
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
@@ -109,30 +113,77 @@ module ActionController #:nodoc:
       #     protect_from_forgery except: :index
       #   end
       #
-      # You can disable forgery protection on controller by skipping the verification before_action:
+      # You can disable forgery protection on a controller using skip_forgery_protection:
       #
-      #   skip_before_action :verify_authenticity_token
+      #   class BarController < ApplicationController
+      #     skip_forgery_protection
+      #   end
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
-      # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
+      # * <tt>:only</tt> / <tt>:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
+      # * <tt>:if</tt> / <tt>:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
       # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
       #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
       #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
       #
       #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
+      #   Note if <tt>default_protect_from_forgery</tt> is true, Rails call protect_from_forgery with <tt>with :exception</tt>.
       #
-      # Valid unverified request handling methods are:
+      # Built-in unverified request handling methods are:
       # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
       # * <tt>:reset_session</tt> - Resets the session.
       # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
+      #
+      # You can also implement custom strategy classes for unverified request handling:
+      #
+      #    class CustomStrategy
+      #      def initialize(controller)
+      #        @controller = controller
+      #      end
+      #
+      #      def handle_unverified_request
+      #        # Custom behavior for unverfied request
+      #      end
+      #    end
+      #
+      #    class ApplicationController < ActionController::Base
+      #      protect_from_forgery with: CustomStrategy
+      #    end
+      # * <tt>:store</tt> - Set the strategy to store and retrieve CSRF tokens.
+      #
+      # Built-in session token strategies are:
+      # * <tt>:session</tt> - Store the CSRF token in the session.  Used as default if <tt>:store</tt> option is not specified.
+      # * <tt>:cookie</tt> - Store the CSRF token in an encrypted cookie.
+      #
+      # You can also implement custom strategy classes for CSRF token storage:
+      #
+      #   class CustomStore
+      #     def fetch(request)
+      #       # Return the token from a custom location
+      #     end
+      #
+      #     def store(request, csrf_token)
+      #       # Store the token in a custom location
+      #     end
+      #
+      #     def reset(request)
+      #       # Delete the stored session token
+      #     end
+      #   end
+      #
+      #   class ApplicationController < ActionController::Base
+      #     protect_from_forgery store: CustomStore.new
+      #   end
       def protect_from_forgery(options = {})
         options = options.reverse_merge(prepend: false)
 
         self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
         self.request_forgery_protection_token ||= :authenticity_token
+
+        self.csrf_token_storage_strategy = storage_strategy(options[:store] || SessionStore.new)
+
         before_action :verify_authenticity_token, options
         append_after_action :verify_same_origin_request
       end
@@ -143,14 +194,39 @@ module ActionController #:nodoc:
       #
       # See +skip_before_action+ for allowed options.
       def skip_forgery_protection(options = {})
-        skip_before_action :verify_authenticity_token, options
+        skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)
       end
 
       private
         def protection_method_class(name)
-          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
-        rescue NameError
-          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+          case name
+          when :null_session
+            ProtectionMethods::NullSession
+          when :reset_session
+            ProtectionMethods::ResetSession
+          when :exception
+            ProtectionMethods::Exception
+          when Class
+            name
+          else
+            raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
+          end
+        end
+
+        def storage_strategy(name)
+          case name
+          when :session
+            SessionStore.new
+          when :cookie
+            CookieStore.new(:csrf_token)
+          else
+            return name if is_storage_strategy?(name)
+            raise ArgumentError, "Invalid CSRF token storage strategy, use :session, :cookie, or a custom CSRF token storage class."
+          end
+        end
+
+        def is_storage_strategy?(object)
+          object.respond_to?(:fetch) && object.respond_to?(:store) && object.respond_to?(:reset)
         end
     end
 
@@ -170,7 +246,7 @@ module ActionController #:nodoc:
         end
 
         private
-          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+          class NullSessionHash < Rack::Session::Abstract::SessionHash # :nodoc:
             def initialize(req)
               super(nil, req)
               @data = {}
@@ -183,9 +259,13 @@ module ActionController #:nodoc:
             def exists?
               true
             end
+
+            def enabled?
+              false
+            end
           end
 
-          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar # :nodoc:
             def write(*)
               # nothing
             end
@@ -203,16 +283,80 @@ module ActionController #:nodoc:
       end
 
       class Exception
+        attr_accessor :warning_message
+
         def initialize(controller)
           @controller = controller
         end
 
         def handle_unverified_request
-          raise ActionController::InvalidAuthenticityToken
+          raise ActionController::InvalidAuthenticityToken, warning_message
         end
       end
     end
 
+    class SessionStore
+      def fetch(request)
+        request.session[:_csrf_token]
+      end
+
+      def store(request, csrf_token)
+        request.session[:_csrf_token] = csrf_token
+      end
+
+      def reset(request)
+        request.session.delete(:_csrf_token)
+      end
+    end
+
+    class CookieStore
+      def initialize(cookie = :csrf_token)
+        @cookie_name = cookie
+      end
+
+      def fetch(request)
+        contents = request.cookie_jar.encrypted[@cookie_name]
+        return nil if contents.nil?
+
+        value = JSON.parse(contents)
+        return nil unless value.dig("session_id", "public_id") == request.session.id_was&.public_id
+
+        value["token"]
+      rescue JSON::ParserError
+        nil
+      end
+
+      def store(request, csrf_token)
+        request.cookie_jar.encrypted.permanent[@cookie_name] = {
+          value: {
+            token: csrf_token,
+            session_id: request.session.id,
+          }.to_json,
+          httponly: true,
+          same_site: :lax,
+        }
+      end
+
+      def reset(request)
+        request.cookie_jar.delete(@cookie_name)
+      end
+    end
+
+    def initialize(...)
+      super
+      @marked_for_same_origin_verification = nil
+    end
+
+    def reset_csrf_token(request) # :doc:
+      request.env.delete(CSRF_TOKEN)
+      csrf_token_storage_strategy.reset(request)
+    end
+
+    def commit_csrf_token(request) # :doc:
+      csrf_token = request.env[CSRF_TOKEN]
+      csrf_token_storage_strategy.store(request, csrf_token) unless csrf_token.nil?
+    end
+
     private
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
@@ -228,22 +372,31 @@ module ActionController #:nodoc:
         mark_for_same_origin_verification!
 
         if !verified_request?
-          if logger && log_warning_on_csrf_failure
-            if valid_request_origin?
-              logger.warn "Can't verify CSRF token authenticity."
-            else
-              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
-            end
-          end
+          logger.warn unverified_request_warning_message if logger && log_warning_on_csrf_failure
+
           handle_unverified_request
         end
       end
 
       def handle_unverified_request # :doc:
-        forgery_protection_strategy.new(self).handle_unverified_request
+        protection_strategy = forgery_protection_strategy.new(self)
+
+        if protection_strategy.respond_to?(:warning_message)
+          protection_strategy.warning_message = unverified_request_warning_message
+        end
+
+        protection_strategy.handle_unverified_request
+      end
+
+      def unverified_request_warning_message # :nodoc:
+        if valid_request_origin?
+          "Can't verify CSRF token authenticity."
+        else
+          "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+        end
       end
 
-      #:nodoc:
+      # :nodoc:
       CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
         "<script> tag on another site requested protected JavaScript. " \
         "If you know what you're doing, go ahead and disable forgery " \
@@ -285,7 +438,7 @@ module ActionController #:nodoc:
       #
       # * Is it a GET or HEAD request? GETs should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
-      # * Does the X-CSRF-Token header match the form_authenticity_token?
+      # * Does the +X-CSRF-Token+ header match the form_authenticity_token?
       def verified_request? # :doc:
         !protect_against_forgery? || request.get? || request.head? ||
           (valid_request_origin? && any_authenticity_token_valid?)
@@ -303,22 +456,22 @@ module ActionController #:nodoc:
         [form_authenticity_param, request.x_csrf_token]
       end
 
-      # Sets the token value for the current session.
-      def form_authenticity_token(form_options: {})
-        masked_authenticity_token(session, form_options: form_options)
+      # Creates the authenticity token for the current request.
+      def form_authenticity_token(form_options: {}) # :doc:
+        masked_authenticity_token(form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {}) # :doc:
+      def masked_authenticity_token(form_options: {})
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
           action_path = normalize_action_path(action)
-          per_form_csrf_token(session, action_path, method)
+          per_form_csrf_token(nil, action_path, method)
         else
-          global_csrf_token(session)
+          global_csrf_token
         end
 
         mask_token(raw_token)
@@ -346,14 +499,14 @@ module ActionController #:nodoc:
           # This is actually an unmasked token. This is expected if
           # you have just upgraded to masked tokens, but should stop
           # happening shortly after installing this gem.
-          compare_with_real_token masked_token, session
+          compare_with_real_token masked_token
 
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
           csrf_token = unmask_token(masked_token)
 
-          compare_with_global_token(csrf_token, session) ||
-            compare_with_real_token(csrf_token, session) ||
-            valid_per_form_csrf_token?(csrf_token, session)
+          compare_with_global_token(csrf_token) ||
+            compare_with_real_token(csrf_token) ||
+            valid_per_form_csrf_token?(csrf_token)
         else
           false # Token is malformed.
         end
@@ -374,15 +527,15 @@ module ActionController #:nodoc:
         encode_csrf_token(masked_token)
       end
 
-      def compare_with_real_token(token, session) # :doc:
+      def compare_with_real_token(token, session = nil) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
-      def compare_with_global_token(token, session) # :doc:
+      def compare_with_global_token(token, session = nil) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
       end
 
-      def valid_per_form_csrf_token?(token, session) # :doc:
+      def valid_per_form_csrf_token?(token, session = nil) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
@@ -396,9 +549,12 @@ module ActionController #:nodoc:
         end
       end
 
-      def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= generate_csrf_token
-        decode_csrf_token(session[:_csrf_token])
+      def real_csrf_token(_session = nil) # :doc:
+        csrf_token = request.env.fetch(CSRF_TOKEN) do
+          request.env[CSRF_TOKEN] = csrf_token_storage_strategy.fetch(request) || generate_csrf_token
+        end
+
+        decode_csrf_token(csrf_token)
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
@@ -408,7 +564,7 @@ module ActionController #:nodoc:
       GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
       private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
 
-      def global_csrf_token(session) # :doc:
+      def global_csrf_token(session = nil) # :doc:
         csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
       end
 
@@ -438,7 +594,7 @@ module ActionController #:nodoc:
 
       # Checks if the controller allows forgery protection.
       def protect_against_forgery? # :doc:
-        allow_forgery_protection
+        allow_forgery_protection && (!session.respond_to?(:enabled?) || session.enabled?)
       end
 
       NULL_ORIGIN_MESSAGE = <<~MSG
@@ -468,31 +624,15 @@ module ActionController #:nodoc:
       end
 
       def generate_csrf_token # :nodoc:
-        if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
-        else
-          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        end
+        SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
       end
 
       def encode_csrf_token(csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_encode64(csrf_token, padding: false)
-        else
-          Base64.strict_encode64(csrf_token)
-        end
+        Base64.urlsafe_encode64(csrf_token, padding: false)
       end
 
       def decode_csrf_token(encoded_csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_decode64(encoded_csrf_token)
-        else
-          begin
-            Base64.strict_decode64(encoded_csrf_token)
-          rescue ArgumentError
-            Base64.urlsafe_decode64(encoded_csrf_token)
-          end
-        end
+        Base64.urlsafe_decode64(encoded_csrf_token)
       end
   end
 end

data/lib/action_controller/metal/rescue.rb

@@ -1,9 +1,12 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
-  # This module is responsible for providing +rescue_from+ helpers
-  # to controllers and configuring when detailed exceptions must be
-  # shown.
+module ActionController # :nodoc:
+  # = Action Controller \Rescue
+  #
+  # This module is responsible for providing
+  # {rescue_from}[rdoc-ref:ActiveSupport::Rescuable::ClassMethods#rescue_from]
+  # to controllers, wrapping actions to handle configured errors, and
+  # configuring when detailed exceptions must be shown.
   module Rescue
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable