angular_csrf 0.1.2 → 0.1.3
- checksums.yaml +4 -4
- data/README.md +4 -4
- data/lib/angular_csrf.rb +1 -1
- data/lib/version.rb +1 -1
- data/spec/angular_csrf_spec.rb +11 -19
- data/spec/rails_app/Gemfile +1 -1
- data/spec/rails_app/Gemfile.lock +63 -38
- data/spec/rails_app/config/environments/production.rb +1 -1
- data/spec/rails_app/config/environments/test.rb +1 -1
- data/spec/rails_app/log/development.log +55 -0
- data/spec/rails_app/log/test.log +1156 -0
- metadata +2 -2
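--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d0d20b5f53013d30629c823691ed9c60419095a6
+data.tar.gz: 936d25874e0f27d7850349e73402fc3939c52f03
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1d858874b318165898f9be2da58e192af0bf02375f6f9385ccc988800bede6681b52cfa840a13164e5ff0a483724cc137a2ec81d0e71a78437d42351125e711c
+data.tar.gz: 5b481e2da6cabc859cb10c24c759b646b280de1caa1e0a8cc16cc41fa22e85f68a3c0f2973f902b16e47d9f0aa28878dc95982c3dfa75b67a49d5dcda9911a2f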
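--- a/data/README.md
+++ b/data/README.md
@@ -9,15 +9,15 @@ Extends Rails CSRF protection to play nicely with AngularJS.
 [![Dependency Status](https://gemnasium.com/Sinbadsoft/angular_csrf.svg)](https://gemnasium.com/Sinbadsoft/angular_csrf)
 [![Gem Version](https://badge.fury.io/rb/angular_csrf.svg)](http://badge.fury.io/rb/angular_csrf)
 
+Once installed, angular_csrf **just works**: No need to change or configure neither the AngularJS javascript code
+nor the Rails application.
+
 CSRF is an exploit that allows malicious websites to do unauthorized actions on a website that trusts the user.
 The angular_csrf gem extends the CSRF protection in Rails to match the naming convention used in AngularJS for the HTTP
 header and cookie token names
 (see [Cookie-to-Header Token](http://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) CSRF
 protection strategy for more details).
 
-Once installed, angular_csrf "just works": No need to change or configure neither the AngularJS javascript code nor the
-Rails application.
-
 angular_csrf has a very small footprint and has only the rails gem as dependency.
 
 ## Getting Started
@@ -46,7 +46,7 @@ AngularJS [deals with CSRF protection](https://docs.angularjs.org/api/ng/service
 * Reads the CSRF protection token form a cookie, by default `XSRF-TOKEN`
 * Sends back the CSRF token as a http header, by default: `X-XSRF-TOKEN`
 
-angular_csrf makes the Rails application or API set the expected cookie token and read validate the
+angular_csrf makes the Rails application or API set the expected cookie token and read and validate the
 http header sent by AngularJS. angular_csrf installs a Rails initializer
 [that extends the application controllers](https://github.com/Sinbadsoft/angular_csrf/blob/master/lib/angular_csrf.rb)
 to perform these tasks.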
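--- a/data/lib/angular_csrf.rb
+++ b/data/lib/angular_csrf.rb
@@ -13,7 +13,7 @@ module AngularCsrf
 
 define_method :verified_request_with_angular_header? do
 verified_request_without_angular_header? ||
-
+valid_authenticity_token?(session, request.headers[ANGULAR_CSRF_HEADER_NAME])
 end
 alias_method_chain :verified_request?, :angular_header
 end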
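Review bot: The new `valid_authenticity_token?(session, request.headers[ANGULAR_CSRF_HEADER_NAME])` calls a helper that, as far as I know, only exists from Rails 4.2 onward, yet the lockfile in this same release still records the gem's own dependency as `rails (>= 3.1)`; on an older Rails the fallback branch would raise NoMethodError rather than ActionController::InvalidAuthenticityToken whenever the default check fails. Either raise the gemspec constraint to match (the gemspec is not in this diff) or at least state the requirement in a comment above `define_method`, e.g. `# Requires Rails >= 4.2: the header value goes through Rails' own token validation (which handles masked per-form tokens) rather than a direct comparison with session[:_csrf_token].` The enclosing `module AngularCsrf` begins outside the hunk, so I cannot see whether the requirement is already documented there.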
data/lib/version.rb
CHANGED
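--- a/data/spec/angular_csrf_spec.rb
+++ b/data/spec/angular_csrf_spec.rb
@@ -1,33 +1,25 @@
 require 'rails_helper'
 
 describe 'angular_csrf', type: :request do
-it '
+it 'validates csrf protection using AngularJS set header name and with AngularJS cookie value' do
 get '/'
-expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not be_nil
-expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
-end
 
-
-
-
-expect(response.status).to eq(201)
-end
+expect do
+post '/'
+end.to raise_error(ActionController::InvalidAuthenticityToken)
 
-
-get '/'
-post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+post '/', { }, AngularCsrf::ANGULAR_CSRF_HEADER_NAME => response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]
 expect(response.status).to eq(201)
 end
 
-it '
+it 'does not modify behavior for default csrf http header' do
 get '/'
-old_csrf_token = session[:_csrf_token]
 
-
-
-
+expect do
+post '/'
+end.to raise_error(ActionController::InvalidAuthenticityToken)
 
-
-expect(response.
+post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+expect(response.status).to eq(201)
 end
 end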
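Review bot: The rewritten first example drops the old assertion that `get '/'` actually sets the AngularJS cookie, so if the cookie were ever missing the following `post` would send a nil header and fail with the same InvalidAuthenticityToken as a rejected token, making the two failures indistinguishable; restore one line after `get '/'`: `expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not be_nil`. Neither example exercises a present-but-wrong header value, which is the case the protection exists for: a third example that posts with `AngularCsrf::ANGULAR_CSRF_HEADER_NAME => 'not-the-token'` (any value that is not the cookie's) inside an `expect do ... end.to raise_error(ActionController::InvalidAuthenticityToken)` block would pin that the header is validated and not merely read. The first example's description also suggests the cookie value is a valid token as-is; with the masked tokens of Rails 4.2 that appears to hold here, but a short comment noting that the cookie carries the masked form would save the next reader from comparing it with `session[:_csrf_token]` again.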
data/spec/rails_app/Gemfile
CHANGED
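--- a/data/spec/rails_app/Gemfile.lock
+++ b/data/spec/rails_app/Gemfile.lock
@@ -1,74 +1,99 @@
 PATH
 remote: ../../
 specs:
-angular_csrf (0.1.
+angular_csrf (0.1.3)
 rails (>= 3.1)
 
 GEM
 remote: https://rubygems.org/
 specs:
-actionmailer (4.
-actionpack (= 4.
-actionview (= 4.
+actionmailer (4.2.0)
+actionpack (= 4.2.0)
+actionview (= 4.2.0)
+activejob (= 4.2.0)
 mail (~> 2.5, >= 2.5.4)
-
-
-
-
+rails-dom-testing (~> 1.0, >= 1.0.5)
+actionpack (4.2.0)
+actionview (= 4.2.0)
+activesupport (= 4.2.0)
+rack (~> 1.6.0)
 rack-test (~> 0.6.2)
-
-
+rails-dom-testing (~> 1.0, >= 1.0.5)
+rails-html-sanitizer (~> 1.0, >= 1.0.1)
+actionview (4.2.0)
+activesupport (= 4.2.0)
 builder (~> 3.1)
 erubis (~> 2.7.0)
-
-
+rails-dom-testing (~> 1.0, >= 1.0.5)
+rails-html-sanitizer (~> 1.0, >= 1.0.1)
+activejob (4.2.0)
+activesupport (= 4.2.0)
+globalid (>= 0.3.0)
+activemodel (4.2.0)
+activesupport (= 4.2.0)
 builder (~> 3.1)
-activerecord (4.
-activemodel (= 4.
-activesupport (= 4.
-arel (~>
-activesupport (4.
-i18n (~> 0.
+activerecord (4.2.0)
+activemodel (= 4.2.0)
+activesupport (= 4.2.0)
+arel (~> 6.0)
+activesupport (4.2.0)
+i18n (~> 0.7)
 json (~> 1.7, >= 1.7.7)
 minitest (~> 5.1)
-thread_safe (~> 0.
+thread_safe (~> 0.3, >= 0.3.4)
 tzinfo (~> 1.1)
-arel (
+arel (6.0.0)
 builder (3.2.2)
 erubis (2.7.0)
+globalid (0.3.0)
+activesupport (>= 4.1.0)
 hike (1.2.3)
-i18n (0.
+i18n (0.7.0)
 json (1.8.1)
+loofah (2.0.1)
+nokogiri (>= 1.5.9)
 mail (2.6.3)
 mime-types (>= 1.16, < 3)
 mime-types (2.4.3)
-
+mini_portile (0.6.1)
+minitest (5.5.0)
 multi_json (1.10.1)
-
+nokogiri (1.6.5)
+mini_portile (~> 0.6.0)
+rack (1.6.0)
 rack-test (0.6.2)
 rack (>= 1.0)
-rails (4.
-actionmailer (= 4.
-actionpack (= 4.
-actionview (= 4.
-
-
-
+rails (4.2.0)
+actionmailer (= 4.2.0)
+actionpack (= 4.2.0)
+actionview (= 4.2.0)
+activejob (= 4.2.0)
+activemodel (= 4.2.0)
+activerecord (= 4.2.0)
+activesupport (= 4.2.0)
 bundler (>= 1.3.0, < 2.0)
-railties (= 4.
-sprockets-rails
-
-
-
+railties (= 4.2.0)
+sprockets-rails
+rails-deprecated_sanitizer (1.0.3)
+activesupport (>= 4.2.0.alpha)
+rails-dom-testing (1.0.5)
+activesupport (>= 4.2.0.beta, < 5.0)
+nokogiri (~> 1.6.0)
+rails-deprecated_sanitizer (>= 1.0.1)
+rails-html-sanitizer (1.0.1)
+loofah (~> 2.0)
+railties (4.2.0)
+actionpack (= 4.2.0)
+activesupport (= 4.2.0)
 rake (>= 0.8.7)
 thor (>= 0.18.1, < 2.0)
-rake (10.
+rake (10.4.2)
 sprockets (2.12.3)
 hike (~> 1.2)
 multi_json (~> 1.0)
 rack (~> 1.0)
 tilt (~> 1.1, != 1.3.0)
-sprockets-rails (2.2.
+sprockets-rails (2.2.2)
 actionpack (>= 3.0)
 activesupport (>= 3.0)
 sprockets (>= 2.8, < 4.0)
@@ -83,4 +108,4 @@ PLATFORMS
 
 DEPENDENCIES
 angular_csrf!
-rails (= 4.
+rails (= 4.2.0)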
@@ -20,7 +20,7 @@ Rails.application.configure do
|
|
20
20
|
# config.action_dispatch.rack_cache = true
|
21
21
|
|
22
22
|
# Disable Rails's static asset server (Apache or nginx will already do this).
|
23
|
-
config.
|
23
|
+
config.serve_static_files = false
|
24
24
|
|
25
25
|
|
26
26
|
# Specifies the header that your server uses for sending files.
|
@@ -13,7 +13,7 @@ Rails.application.configure do
|
|
13
13
|
config.eager_load = false
|
14
14
|
|
15
15
|
# Configure static asset server for tests with Cache-Control for performance.
|
16
|
-
config.
|
16
|
+
config.serve_static_files = true
|
17
17
|
config.static_cache_control = 'public, max-age=3600'
|
18
18
|
|
19
19
|
# Show full error reports and disable caching.
|
@@ -18,3 +18,58 @@ Completed 200 OK in 0ms
|
|
18
18
|
Started GET "/" for 127.0.0.1 at 2014-11-08 22:52:50 +0100
|
19
19
|
Processing by GuineaPigController#index as HTML
|
20
20
|
Completed 200 OK in 23ms
|
21
|
+
|
22
|
+
|
23
|
+
Started GET "/" for ::1 at 2014-12-29 16:05:04 +0100
|
24
|
+
Processing by GuineaPigController#index as HTML
|
25
|
+
Completed 200 OK in 7ms
|
26
|
+
|
27
|
+
|
28
|
+
Started GET "/" for ::1 at 2014-12-29 16:05:16 +0100
|
29
|
+
Processing by GuineaPigController#index as HTML
|
30
|
+
Completed 200 OK in 0ms
|
31
|
+
|
32
|
+
|
33
|
+
Started GET "/" for ::1 at 2014-12-29 16:05:43 +0100
|
34
|
+
Processing by GuineaPigController#index as HTML
|
35
|
+
Completed 200 OK in 1ms
|
36
|
+
|
37
|
+
|
38
|
+
Started GET "/" for ::1 at 2014-12-29 16:07:32 +0100
|
39
|
+
Processing by GuineaPigController#index as HTML
|
40
|
+
Completed 200 OK in 0ms
|
41
|
+
|
42
|
+
|
43
|
+
Started GET "/create" for ::1 at 2014-12-29 16:07:40 +0100
|
44
|
+
|
45
|
+
ActionController::RoutingError (No route matches [GET] "/create"):
|
46
|
+
actionpack (4.2.0) lib/action_dispatch/middleware/debug_exceptions.rb:21:in `call'
|
47
|
+
actionpack (4.2.0) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
|
48
|
+
railties (4.2.0) lib/rails/rack/logger.rb:38:in `call_app'
|
49
|
+
railties (4.2.0) lib/rails/rack/logger.rb:20:in `block in call'
|
50
|
+
activesupport (4.2.0) lib/active_support/tagged_logging.rb:68:in `block in tagged'
|
51
|
+
activesupport (4.2.0) lib/active_support/tagged_logging.rb:26:in `tagged'
|
52
|
+
activesupport (4.2.0) lib/active_support/tagged_logging.rb:68:in `tagged'
|
53
|
+
railties (4.2.0) lib/rails/rack/logger.rb:20:in `call'
|
54
|
+
actionpack (4.2.0) lib/action_dispatch/middleware/request_id.rb:21:in `call'
|
55
|
+
rack (1.6.0) lib/rack/methodoverride.rb:22:in `call'
|
56
|
+
rack (1.6.0) lib/rack/runtime.rb:18:in `call'
|
57
|
+
activesupport (4.2.0) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
|
58
|
+
rack (1.6.0) lib/rack/lock.rb:17:in `call'
|
59
|
+
actionpack (4.2.0) lib/action_dispatch/middleware/static.rb:113:in `call'
|
60
|
+
rack (1.6.0) lib/rack/sendfile.rb:113:in `call'
|
61
|
+
railties (4.2.0) lib/rails/engine.rb:518:in `call'
|
62
|
+
railties (4.2.0) lib/rails/application.rb:164:in `call'
|
63
|
+
rack (1.6.0) lib/rack/lock.rb:17:in `call'
|
64
|
+
rack (1.6.0) lib/rack/content_length.rb:15:in `call'
|
65
|
+
rack (1.6.0) lib/rack/handler/webrick.rb:89:in `service'
|
66
|
+
/Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/httpserver.rb:138:in `service'
|
67
|
+
/Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/httpserver.rb:94:in `run'
|
68
|
+
/Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/server.rb:295:in `block in start_thread'
|
69
|
+
|
70
|
+
|
71
|
+
Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb (0.9ms)
|
72
|
+
Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/routes/_route.html.erb (0.5ms)
|
73
|
+
Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/routes/_table.html.erb (3.8ms)
|
74
|
+
Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb (1.1ms)
|
75
|
+
Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb within rescues/layout (19.4ms)
|