platformos-check 0.4.5 → 0.4.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -1
- data/config/default.yml +4 -0
- data/docs/checks/form_authenticity_token.md +55 -0
- data/lib/platformos_check/checks/form_authenticity_token.rb +21 -0
- data/lib/platformos_check/version.rb +1 -1
- metadata +3 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 737ae774f598b10b46e556298d68e7eafe711c00ef6463c30ba8f8736c6cf42a
|
|
4
|
+
data.tar.gz: 443998e3955d4032ab41b2d5189ff42f5a736781b05cf0bdfa2a8dfe1b4fe629
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5049fd3616a7721b1d23920c87436ed19a525d96454ef18a93cb22ba210e733a5984c154f3a79778f047769fa059052fc65b3ca56cc02d70e4ee5e108c568b29
|
|
7
|
+
data.tar.gz: c7dcafbce9b30fc5fd2b954a080e4f167f24c7fcfbc8ea48b6131b54eb33eb71657f45068075c1ea2f9f6520682a33f94eb207e0a68341e10f9abcda4939b8db
|
data/CHANGELOG.md
CHANGED
data/config/default.yml
CHANGED
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# Form authenticity token (`FormAuthenticityToken`)
|
|
2
|
+
|
|
3
|
+
In platformOS all POST/PATCH/PUT/DELETE requests are protected from [CSRF Attacks][csrf-attack] through [authenticity_token][page-csrf]
|
|
4
|
+
Form action defines the endpoint to which browser will make a request after submitting it.
|
|
5
|
+
|
|
6
|
+
As a general rule you should include hidden input `<input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">` in every form. Missing it will result in session invalidation and any logged in user will be automatically logged out.
|
|
7
|
+
|
|
8
|
+
## Check Details
|
|
9
|
+
|
|
10
|
+
This check is aimed at ensuring you have not forgotten to include authenticity_token in a form.
|
|
11
|
+
|
|
12
|
+
:-1: Examples of **incorrect** code for this check:
|
|
13
|
+
|
|
14
|
+
```liquid
|
|
15
|
+
<form action="dummy/create">
|
|
16
|
+
</form>
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
:+1: Examples of **correct** code for this check:
|
|
20
|
+
|
|
21
|
+
```liquid
|
|
22
|
+
<form action="/dummy/create">
|
|
23
|
+
<input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">
|
|
24
|
+
</form>
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
## Check Options
|
|
28
|
+
|
|
29
|
+
The default configuration for this check is the following:
|
|
30
|
+
|
|
31
|
+
```yaml
|
|
32
|
+
FormAuthenticityToken:
|
|
33
|
+
enabled: true
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
## When Not To Use It
|
|
37
|
+
|
|
38
|
+
There should be no cases where disabling this rule is needed.
|
|
39
|
+
|
|
40
|
+
## Version
|
|
41
|
+
|
|
42
|
+
This check has been introduced in PlatformOS Check 0.46.0.
|
|
43
|
+
|
|
44
|
+
## Resources
|
|
45
|
+
|
|
46
|
+
- [Rule Source][codesource]
|
|
47
|
+
- [Documentation Source][docsource]
|
|
48
|
+
- [platformOS Page documentation][page-csrf]
|
|
49
|
+
- [OWASP Cross Site Request Forgery][csrf-attack]
|
|
50
|
+
|
|
51
|
+
[codesource]: /lib/platformos_check/checks/form_authenticity_token.rb
|
|
52
|
+
[docsource]: /docs/checks/form_authenticity_token.md
|
|
53
|
+
[page-csrf]: https://documentation.platformos.com/developer-guide/pages/pages#post-put-patch-delete-methods-and-cross-site-request-forgery-attacks
|
|
54
|
+
[csrf-attack]: https://owasp.org/www-community/attacks/csrf
|
|
55
|
+
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module PlatformosCheck
|
|
4
|
+
class FormAuthenticityToken < HtmlCheck
|
|
5
|
+
severity :error
|
|
6
|
+
categories :html
|
|
7
|
+
doc docs_url(__FILE__)
|
|
8
|
+
|
|
9
|
+
AUTHENTICITY_TOKEN_VALUE = /\A\s*{{\s*context\.authenticity_token\s*}}\s*\z/
|
|
10
|
+
|
|
11
|
+
def on_form(node)
|
|
12
|
+
authenticity_toke_inputs = node.children.select { |c| c.name == 'input' && c.attributes['name'] == 'authenticity_token' && c.attributes['value']&.match?(AUTHENTICITY_TOKEN_VALUE) }
|
|
13
|
+
return if authenticity_toke_inputs.size == 1
|
|
14
|
+
return add_offense('Duplicated authenticity_token inputs', node:) if authenticity_toke_inputs.size > 1
|
|
15
|
+
|
|
16
|
+
add_offense('Missing authenticity_token input <input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">', node:) do |corrector|
|
|
17
|
+
corrector.insert_after(node, "\n<input type=\"hidden\" name=\"authenticity_token\" value=\"{{ context.authenticity_token }}\">")
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: platformos-check
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Piotr Bliszczyk
|
|
@@ -118,6 +118,7 @@ files:
|
|
|
118
118
|
- docs/checks/convert_include_to_render.md
|
|
119
119
|
- docs/checks/deprecated_filter.md
|
|
120
120
|
- docs/checks/form_action.md
|
|
121
|
+
- docs/checks/form_authenticity_token.md
|
|
121
122
|
- docs/checks/html_parsing_error.md
|
|
122
123
|
- docs/checks/img_lazy_loading.md
|
|
123
124
|
- docs/checks/img_width_and_height.md
|
|
@@ -161,6 +162,7 @@ files:
|
|
|
161
162
|
- lib/platformos_check/checks/convert_include_to_render.rb
|
|
162
163
|
- lib/platformos_check/checks/deprecated_filter.rb
|
|
163
164
|
- lib/platformos_check/checks/form_action.rb
|
|
165
|
+
- lib/platformos_check/checks/form_authenticity_token.rb
|
|
164
166
|
- lib/platformos_check/checks/html_parsing_error.rb
|
|
165
167
|
- lib/platformos_check/checks/img_lazy_loading.rb
|
|
166
168
|
- lib/platformos_check/checks/img_width_and_height.rb
|