platformos-check 0.4.5 → 0.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -1
- data/config/default.yml +4 -0
- data/docs/checks/form_authenticity_token.md +55 -0
- data/lib/platformos_check/checks/form_authenticity_token.rb +21 -0
- data/lib/platformos_check/version.rb +1 -1
- metadata +3 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 737ae774f598b10b46e556298d68e7eafe711c00ef6463c30ba8f8736c6cf42a
|
|
4
|
+
data.tar.gz: 443998e3955d4032ab41b2d5189ff42f5a736781b05cf0bdfa2a8dfe1b4fe629
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5049fd3616a7721b1d23920c87436ed19a525d96454ef18a93cb22ba210e733a5984c154f3a79778f047769fa059052fc65b3ca56cc02d70e4ee5e108c568b29
|
|
7
|
+
data.tar.gz: c7dcafbce9b30fc5fd2b954a080e4f167f24c7fcfbc8ea48b6131b54eb33eb71657f45068075c1ea2f9f6520682a33f94eb207e0a68341e10f9abcda4939b8db
|
data/CHANGELOG.md
CHANGED
data/config/default.yml
CHANGED
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# Form authenticity token (`FormAuthenticityToken`)
|
|
2
|
+
|
|
3
|
+
In platformOS all POST/PATCH/PUT/DELETE requests are protected from [CSRF Attacks][csrf-attack] through [authenticity_token][page-csrf]
|
|
4
|
+
Form action defines the endpoint to which browser will make a request after submitting it.
|
|
5
|
+
|
|
6
|
+
As a general rule you should include hidden input `<input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">` in every form. Missing it will result in session invalidation and any logged in user will be automatically logged out.
|
|
7
|
+
|
|
8
|
+
## Check Details
|
|
9
|
+
|
|
10
|
+
This check is aimed at ensuring you have not forgotten to include authenticity_token in a form.
|
|
11
|
+
|
|
12
|
+
:-1: Examples of **incorrect** code for this check:
|
|
13
|
+
|
|
14
|
+
```liquid
|
|
15
|
+
<form action="dummy/create">
|
|
16
|
+
</form>
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
:+1: Examples of **correct** code for this check:
|
|
20
|
+
|
|
21
|
+
```liquid
|
|
22
|
+
<form action="/dummy/create">
|
|
23
|
+
<input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">
|
|
24
|
+
</form>
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
## Check Options
|
|
28
|
+
|
|
29
|
+
The default configuration for this check is the following:
|
|
30
|
+
|
|
31
|
+
```yaml
|
|
32
|
+
FormAuthenticityToken:
|
|
33
|
+
enabled: true
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
## When Not To Use It
|
|
37
|
+
|
|
38
|
+
There should be no cases where disabling this rule is needed.
|
|
39
|
+
|
|
40
|
+
## Version
|
|
41
|
+
|
|
42
|
+
This check has been introduced in PlatformOS Check 0.46.0.
|
|
43
|
+
|
|
44
|
+
## Resources
|
|
45
|
+
|
|
46
|
+
- [Rule Source][codesource]
|
|
47
|
+
- [Documentation Source][docsource]
|
|
48
|
+
- [platformOS Page documentation][page-csrf]
|
|
49
|
+
- [OWASP Cross Site Request Forgery][csrf-attack]
|
|
50
|
+
|
|
51
|
+
[codesource]: /lib/platformos_check/checks/form_authenticity_token.rb
|
|
52
|
+
[docsource]: /docs/checks/form_authenticity_token.md
|
|
53
|
+
[page-csrf]: https://documentation.platformos.com/developer-guide/pages/pages#post-put-patch-delete-methods-and-cross-site-request-forgery-attacks
|
|
54
|
+
[csrf-attack]: https://owasp.org/www-community/attacks/csrf
|
|
55
|
+
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module PlatformosCheck
|
|
4
|
+
class FormAuthenticityToken < HtmlCheck
|
|
5
|
+
severity :error
|
|
6
|
+
categories :html
|
|
7
|
+
doc docs_url(__FILE__)
|
|
8
|
+
|
|
9
|
+
AUTHENTICITY_TOKEN_VALUE = /\A\s*{{\s*context\.authenticity_token\s*}}\s*\z/
|
|
10
|
+
|
|
11
|
+
def on_form(node)
|
|
12
|
+
authenticity_toke_inputs = node.children.select { |c| c.name == 'input' && c.attributes['name'] == 'authenticity_token' && c.attributes['value']&.match?(AUTHENTICITY_TOKEN_VALUE) }
|
|
13
|
+
return if authenticity_toke_inputs.size == 1
|
|
14
|
+
return add_offense('Duplicated authenticity_token inputs', node:) if authenticity_toke_inputs.size > 1
|
|
15
|
+
|
|
16
|
+
add_offense('Missing authenticity_token input <input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">', node:) do |corrector|
|
|
17
|
+
corrector.insert_after(node, "\n<input type=\"hidden\" name=\"authenticity_token\" value=\"{{ context.authenticity_token }}\">")
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: platformos-check
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Piotr Bliszczyk
|
|
@@ -118,6 +118,7 @@ files:
|
|
|
118
118
|
- docs/checks/convert_include_to_render.md
|
|
119
119
|
- docs/checks/deprecated_filter.md
|
|
120
120
|
- docs/checks/form_action.md
|
|
121
|
+
- docs/checks/form_authenticity_token.md
|
|
121
122
|
- docs/checks/html_parsing_error.md
|
|
122
123
|
- docs/checks/img_lazy_loading.md
|
|
123
124
|
- docs/checks/img_width_and_height.md
|
|
@@ -161,6 +162,7 @@ files:
|
|
|
161
162
|
- lib/platformos_check/checks/convert_include_to_render.rb
|
|
162
163
|
- lib/platformos_check/checks/deprecated_filter.rb
|
|
163
164
|
- lib/platformos_check/checks/form_action.rb
|
|
165
|
+
- lib/platformos_check/checks/form_authenticity_token.rb
|
|
164
166
|
- lib/platformos_check/checks/html_parsing_error.rb
|
|
165
167
|
- lib/platformos_check/checks/img_lazy_loading.rb
|
|
166
168
|
- lib/platformos_check/checks/img_width_and_height.rb
|