RubyGems - strict-forgery-protection - Versions diffs - 0.0.4 → 0.0.7 - Mend

strict-forgery-protection 0.0.4 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/lib/forgery_protection/controller_extension.rb +20 -12
data/lib/forgery_protection/version.rb +1 -1
data/test/controller_test.rb +46 -18
data/test/test.sqlite3 +0 -0
metadata +55 -61

data/lib/forgery_protection/controller_extension.rb CHANGED Viewed

@@ -3,29 +3,37 @@ module ForgeryProtection
   module ControllerExtension
     def self.included(controller)
-      controller.around_filter :verify_strict_authenticity
+      controller.around_filter :detect_unverified_db_update, :if => proc { |c| c.protect_against_forgery? }
-      def controller.skip_forgery_protection(*args)
-        skip_filter :verify_authenticity_token, *args
-        skip_filter :verify_strict_authenticity, *args
+      def controller.permit_unverified_state_changes(*args)
+        skip_filter :detect_unverified_db_update, *args
       end
     end
-    private
+    protected
-    def verify_strict_authenticity
+    def verify_authenticity_token
+      super.tap { @forgery_protection_invoked = true }
+    end
+    def detect_unverified_db_update
       ForgeryProtection::QueryTracker.reset_sql_events
       yield.tap do
-	provided_tokens = [ request.headers['X-CSRF-Token'], params[request_forgery_protection_token] ].compact
-	if ForgeryProtection::QueryTracker.sql_events.any? { |e| e.write? } && !provided_tokens.include?(form_authenticity_token)
-	  handle_unverified_request
-	end
+        if ForgeryProtection::QueryTracker.sql_events.any? { |e| e.write? }
+          raise AttemptError, "A database update occurred for an unverified request" unless valid_forgery_protection_token?
+          raise AttemptError, "A database update occured but forgery protection seems disabled" unless forgery_protection_invoked?
+        end
       end
     end
-    def handle_unverified_request
-      raise AttemptError
+    def forgery_protection_invoked?
+      !!@forgery_protection_invoked
+    end
+    def valid_forgery_protection_token?
+      form_authenticity_token == params[request_forgery_protection_token] ||
+      form_authenticity_token == request.headers['X-CSRF-Token']
     end
   end
 end

data/lib/forgery_protection/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ForgeryProtection
-  VERSION = '0.0.4'.freeze
+  VERSION = '0.0.7'
 end

data/test/controller_test.rb CHANGED Viewed

@@ -4,22 +4,22 @@ require 'action_dispatch'
 class ControllerTest < ActionController::TestCase
   class Controller < ActionController::Base
-    skip_forgery_protection :only => :touch
+    protect_from_forgery :except => [ :unprotected_read, :unprotected_write ]
+    permit_unverified_state_changes :only => [ :db_permitted_read, :db_permitted_write ]
     def read
       render :json => post
     end
-    def update
-      post.update_attributes! :message => params[:message]
+    def write
+      post.update_attribute :message, params[:message]
       render :json => post
     end
-    def touch
-      post.touch
-      render :json => post
+    %w(unprotected db_permitted).each do |prefix|
+      define_method("#{prefix}_read") { read }
+      define_method("#{prefix}_write") { write }
     end
     private
@@ -48,33 +48,61 @@ class ControllerTest < ActionController::TestCase
   end
   def test_reads
-    get :read, :id => Post.last
+    %w(read unprotected_read db_permitted_read).each do |read_action|
+      get read_action, :id => Post.last
+    end
   end
-  def test_verified_get
-    assert_nothing_raised { get :update, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
+  def test_verified_get_write
+    assert_nothing_raised { get :write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
     assert_equal 'bye', Post.last.message
   end
-  def test_verified_post
-    assert_nothing_raised { post :update, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
+  def test_verified_post_write
+    assert_nothing_raised { post :write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
     assert_equal 'bye', Post.last.message
   end
-  def test_unverified_get
-    assert_raises(ForgeryProtection::AttemptError) { get :update, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  def test_unverified_get_write
+    assert_raises(ForgeryProtection::AttemptError) { get :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
   end
-  def test_unverified_post
-    assert_raises(ForgeryProtection::AttemptError) { post :update, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  def test_unverified_post_write
+    assert_raises(ForgeryProtection::AttemptError) { post :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  end
+  def test_unprotected_writes
+    # Unfortunately tripping up developers for just POSTs to bad token with protection disabled is not enough:
+    # They are very likely to make the requests via the form, which Rails will include a valid CSRF token for.
+    #
+    # This would cause this csrf vulnerability to be exposed only when a real attacker attempts to compromise
+    # production. Since our checks are done after the action executed, the error would be raised too late. Hence
+    # we try to trip up developers when they disable forgery protection and make state changing calls, even if
+    # a valid csrf token is specified.
+    assert_raises(ForgeryProtection::AttemptError) do
+      get :unprotected_write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye'
+    end
+    assert_raises(ForgeryProtection::AttemptError) do
+      post :unprotected_write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'good bye'
+    end
   end
-  def test_skipped_verification
+  def test_db_permitted_verification_write
     before = Post.last.updated_at
-    assert_nothing_raised { get :touch, :id => Post.last }
+    assert_nothing_raised { get :db_permitted_write, :id => Post.last }
     assert_not_equal before, Post.last.updated_at, "Should update the record"
   end
+  def test_global_forgery_disabled
+    @controller.allow_forgery_protection = false
+    assert_nothing_raised do
+      get :write, :id => Post.last, :message => 'get bye'
+      post :write, :id => Post.last, :message => 'post bye'
+    end
+  end
 end

data/test/test.sqlite3 CHANGED Viewed

Binary file

metadata CHANGED Viewed

@@ -1,77 +1,71 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: strict-forgery-protection
-version: !ruby/object:Gem::Version
-  prerelease:
-  version: 0.0.4
+version: !ruby/object:Gem::Version
+  prerelease:
+  version: 0.0.7
 platform: ruby
-authors:
-  - Dmitry Ratnikov
-autorequire:
+authors:
+- Dmitry Ratnikov
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-04-19 00:00:00 Z
-dependencies:
-  - !ruby/object:Gem::Dependency
-    name: rails
-    prerelease: false
-    requirement: &id001 !ruby/object:Gem::Requirement
-      none: false
-      requirements:
-        - - ~>
-          - !ruby/object:Gem::Version
-            version: "3.1"
-    type: :runtime
-    version_requirements: *id001
-description:
-email:
-  - ratnikov@google.com
+date: 2012-05-10 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  version_requirements: &2056 !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    none: false
+  requirement: *2056
+  prerelease: false
+  type: :runtime
+description:
+email:
+- ratnikov@google.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
-  - lib/strict-forgery-protection.rb
-  - lib/forgery_protection/controller_extension.rb
-  - lib/forgery_protection/instrumenter_extension.rb
-  - lib/forgery_protection/query_tracker.rb
-  - lib/forgery_protection/sql_event.rb
-  - lib/forgery_protection/version.rb
-  - test/controller_test.rb
-  - test/db_events_test.rb
-  - test/test.sqlite3
-  - test/test_helper.rb
+files:
+- lib/strict-forgery-protection.rb
+- lib/forgery_protection/controller_extension.rb
+- lib/forgery_protection/instrumenter_extension.rb
+- lib/forgery_protection/query_tracker.rb
+- lib/forgery_protection/sql_event.rb
+- lib/forgery_protection/version.rb
+- test/controller_test.rb
+- test/db_events_test.rb
+- test/test.sqlite3
+- test/test_helper.rb
 homepage: http://github.com/ratnikov/strict-forgery-protection
 licenses: []
-post_install_message:
+post_install_message:
 rdoc_options: []
-require_paths:
-  - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
   none: false
-  requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
   none: false
-  requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: "0"
 requirements: []
-rubyforge_project:
+rubyforge_project:
 rubygems_version: 1.8.15
-signing_key:
+signing_key:
 specification_version: 3
 summary: Extends Rails to be strict CSRF token protection
-test_files:
-  - test/controller_test.rb
-  - test/db_events_test.rb
-  - test/test.sqlite3
-  - test/test_helper.rb
+test_files:
+- test/controller_test.rb
+- test/db_events_test.rb
+- test/test.sqlite3
+- test/test_helper.rb
+...