last_line 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 Eugene Kalenkovich
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,90 @@
+# LastLine
+
+## Last Line of CSRF Defence
+
+Rails provides CSRF protection for your application out of the box. This protection
+covers only non-GET (or HEAD) requests, as GET requests are not supposed to change any state.
+Unfortunately, there are two main gaps in default CSRF prevention:
+
+- Routing information is handled independently from controller logic. It is not trivial to trace
+  which actions are allowed to process GET requests. Most common example - un-commenting generic route
+  `match ':controller(/:action(/:id))(.:format)'` (hidden at the end of `routes.rb`) opens all controller
+  actions to GET requests.
+
+- Sometimes it is important to provide CSRF protection for GET requests too. Common use case for this -
+  redirect from external service, like third party authentication.
+
+LastLine is an attempt to bridge these gaps. It provides
+
+- Whitelisting actions for GET requests on controller level
+
+- A way to verify authenticity token for GET request
+
+## Installation
+
+Include in your Gemfile
+
+    gem 'last_line'
+
+and run
+
+    bundle install
+
+## Usage
+
+### Whitelisting GET actions
+To require GET request whitelisting for the whole application, insert `protect_from_gets` in your
+`ApplicationController` after `protect_from_forgery`:
+
+    class ApplicationController < ActionController::Base
+      protect_from_forgery
+      protect_from_gets
+      [...]
+    end
+
+In case you want to whitelist GETs in a particular controller only, insert the same line in your controller
+instead of `ApplicationController` (not recommended)
+
+If you want to whitelist GET actions in your application, but exclude some controller from whitelisting
+(not recommended):
+
+    class MySafeController < ApplicationController
+      allow_gets :all
+    end
+
+The best (easiest to trace) way to whitelist a particular action is to add `allow_get :action` after its definition:
+
+    def index
+      [...]
+    end
+    allow_get :index
+
+Alternatively you can whitelist all actions in the same place. For this include in your controller
+
+    allow_gets :only => [:action1, :action2]
+
+There is also a simple way to do blacklisting instead of whitelisting (not recommended, as it is much less reliable):
+
+    allow_gets :except => [:action1, :action2]
+
+### CSRF protection for GET actions
+
+You can protect specific action from CSRF by specifying it as a `protected_get`. Such protection will automatically
+whitelist corresponding action for GET requests.
+
+    def redirected
+      [...]
+    end
+    protected_get :redirected
+
+When this action is called without `form_authenticity_token` as explicit parameter or in the header,
+`handle_unverified_request` will be called (default Rails behavior is to clear session data)
+
+You can add token as a parameter to your get request providing it explicitly
+
+    <%= link_to 'Protected get', some_defined_path(request_forgery_protection_token => form_authenticity_token) %>
+
+Please be aware that `protected_get` adds its filter on top of filter chain to avoid potential side effects
+of other filters. It means that none of subsequent filters that rely on session data will work if request is
+not verified
+

data/Rakefile

@@ -0,0 +1,35 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'LastLine'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/last_line/controller.rb

@@ -0,0 +1,48 @@
+require 'active_support/concern'
+
+module LastLine
+  module Controller
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      ##
+      # When added on
+      def protect_from_gets
+        append_before_filter :block_gets
+      end
+
+      def protected_get action
+        skip_before_filter :block_gets, :only => action
+        prepend_before_filter :protect_get, :only => action
+      end
+
+      def allow_get action
+        skip_before_filter :block_gets, :only => action
+      end
+
+      def allow_gets *args
+        skip_before_filter :block_gets, *args
+      end
+    end
+
+    protected
+
+    def protect_get
+      unless token_verified?
+        logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
+        handle_unverified_request
+      end
+    end
+
+    def block_gets
+      return unless request.get?
+      head :status => :forbidden
+    end
+
+    def token_verified?
+      !protect_against_forgery? ||
+          form_authenticity_token == params[request_forgery_protection_token] ||
+          form_authenticity_token == request.headers['X-CSRF-Token']
+    end
+  end
+end

data/lib/last_line/railtie.rb

@@ -0,0 +1,12 @@
+require 'last_line'
+require 'rails'
+
+module LastLine
+  class Railtie < ::Rails::Railtie
+    initializer "last_line.action_controller" do |app|
+      ActiveSupport.on_load :action_controller do
+        ActionController::Base.send :include, Controller
+      end
+    end
+  end
+end

data/lib/last_line/version.rb

@@ -0,0 +1,3 @@
+module LastLine
+  VERSION = '0.0.1'
+end

data/lib/last_line.rb

@@ -0,0 +1,4 @@
+module LastLine
+end
+require 'last_line/controller'
+require 'last_line/railtie' #if defined?(Rails)

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/test/dummy/config/application.rb

@@ -0,0 +1,10 @@
+require File.expand_path('../boot', __FILE__)
+require "action_controller/railtie"
+Bundler.require
+
+module Dummy
+  class Application < Rails::Application
+    config.active_support.deprecation = :stderr
+  end
+end
+

data/test/dummy/config/boot.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+
+if File.exist?(gemfile)
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+end
+
+$:.unshift File.expand_path('../../../../lib', __FILE__)

data/test/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!

data/test/dummy/config/routes.rb

@@ -0,0 +1,3 @@
+Dummy::Application.routes.draw do
+  match ':controller(/:action(/:id))(.:format)'
+end

data/test/dummy/config.ru

@@ -0,0 +1,3 @@
+# This file is used by Rack-based servers to start the application.
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application

data/test/dummy/log/test.log

@@ -0,0 +1,463 @@
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007f82da8046c0@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007f82da8046c0@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007fc9cc44ab18@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007fc9cc44ab18@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007f87fecbd850@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007f87fecbd850@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007f94d4c85ee0@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007f94d4c85ee0@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007fc1a2bb4f20@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007fc1a2bb4f20@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007fdf39899ea8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007fdf39899ea8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007fbc7fa16920@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007fbc7fa16920@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Filter chain halted as #<Proc:0x007fbc7fa16920@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007ff4b6e640f8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007ff4b6e640f8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Filter chain halted as #<Proc:0x007ff4b6e640f8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007fcb67f352e8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007fcb67f352e8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Filter chain halted as #<Proc:0x007fcb67f352e8@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Filter chain halted as #<Proc:0x007fa25bc54b58@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Filter chain halted as #<Proc:0x007fa25bc54b58@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Filter chain halted as #<Proc:0x007fa25bc54b58@/Users/eugeneka/Projects/last_line/test/protected_controller_test.rb:5 (lambda)> rendered or redirected
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Completed 500 Internal Server Error in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+  Parameters: {"user"=>"42"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"user"=>"42"}
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"HRPJ9cJcUE3XmwKV0lmsZhbMSKba8WQQrlLmK3aeDHw="}
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"eVL1Xq4Iu4c/U87DUvG8/M9kziqzGyf27GBCbTh1oF8="}
+Completed 500 Internal Server Error in 1ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+Completed 500 Internal Server Error in 1ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"cWWJ/B2k3oBhfJVHs3h/zG9gY2MskVaL3uLHusvWPfk="}
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"dSihlQMk1PtnG6bn1j/5EWuyNx/nO76ze0F5F63YVJ0="}
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"nOg570TE6LvoIfe1tEaWlMXkjY1iEbdm+E8R4jjb+ZE="}
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 1ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms
+Processing by ProtectedController#explicitly as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#allowed_gets as HTML
+Completed 200 OK in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+  Parameters: {"authenticity_token"=>"token"}
+Completed 200 OK in 0ms
+Processing by ProtectedController#not_allowed as HTML
+Filter chain halted as :block_gets rendered or redirected
+Completed 403 Forbidden in 0ms
+Processing by ProtectedController#my_protected_get as HTML
+WARNING: Can't verify CSRF token authenticity
+Completed 200 OK in 0ms

data/test/protected_controller_test.rb

@@ -0,0 +1,49 @@
+require 'test_helper'
+
+class ProtectedController < ApplicationController
+  protect_from_gets
+  allow_gets :only => :allowed_gets
+
+  def not_allowed() head(200) end
+
+  def explicitly() head(200) end
+  allow_get :explicitly
+
+  def allowed_gets() head(200) end
+
+  def my_protected_get() head(200) end
+  protected_get :my_protected_get
+
+  # stub token and make it accessible
+  def form_authenticity_token() 'token' end
+end
+
+class ProtectedControllerTest < ActionController::TestCase
+  test 'should prevent get' do
+    get :not_allowed
+    assert_response :forbidden
+  end
+
+  test 'should allow explict get' do
+    get :explicitly, nil, {:user => 42}
+    assert_response :success
+    assert_equal 42, session[:user]
+  end
+
+  test 'should allow_gets' do
+    get :allowed_gets
+    assert_response :success
+  end
+
+  test 'should protect get' do
+    get :my_protected_get, nil, {:user => 42}
+    assert_response :success
+    assert_nil session[:user]
+  end
+
+  test 'should allow protected get with token' do
+    get :my_protected_get, {@controller.request_forgery_protection_token => 'token'}, {:user => 42}
+    assert_response :success
+    assert_equal 42, session[:user]
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,5 @@
+ENV["RAILS_ENV"] = "test"
+
+require File.expand_path("../dummy/config/environment.rb",  __FILE__)
+require "rails/test_help"
+

metadata

@@ -0,0 +1,88 @@
+--- !ruby/object:Gem::Specification
+name: last_line
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Eugene Kalenkovich
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-03-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+description: Explicitly allow GET requests for specific actions, verify authenticity
+  token on GET
+email:
+- rubify@softover.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/last_line/controller.rb
+- lib/last_line/railtie.rb
+- lib/last_line/version.rb
+- lib/last_line.rb
+- MIT-LICENSE
+- Rakefile
+- README.md
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/environment.rb
+- test/dummy/config/routes.rb
+- test/dummy/config.ru
+- test/dummy/log/test.log
+- test/protected_controller_test.rb
+- test/test_helper.rb
+homepage: https://github.com/kalenkov/last_line
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Last line of CSRF defence in your controllers
+test_files:
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/environment.rb
+- test/dummy/config/routes.rb
+- test/dummy/config.ru
+- test/dummy/log/test.log
+- test/protected_controller_test.rb
+- test/test_helper.rb
+has_rdoc: