strict-forgery-protection 0.0.2

data/lib/forgery_protection/controller_extension.rb

@@ -0,0 +1,31 @@
+module ForgeryProtection
+  class AttemptError < StandardError; end
+
+  module ControllerExtension
+    def self.included(controller)
+      controller.around_filter :verify_strict_authenticity
+
+      def controller.skip_forgery_protection(*args)
+        skip_filter :verify_authenticity_token, *args
+        skip_filter :verify_strict_authenticity, *args
+      end
+    end
+
+    private
+
+    def verify_strict_authenticity
+      ForgeryProtection::QueryTracker.reset_sql_events
+
+      yield.tap do
+	provided_tokens = [ request.headers['X-CSRF-Token'], params[request_forgery_protection_token] ].compact
+	if ForgeryProtection::QueryTracker.sql_events.any? { |e| e.write? } && !provided_tokens.include?(form_authenticity_token) 
+	  handle_unverified_request
+	end
+      end
+    end
+
+    def handle_unverified_request
+      raise AttemptError
+    end
+  end
+end

data/lib/forgery_protection/instrumenter_extension.rb

@@ -0,0 +1,14 @@
+class ActiveSupport::Notifications::Instrumenter
+  def instrument(name, payload={})
+    started = Time.now
+
+    begin
+      yield.tap { |result| payload[:result] = result }
+    rescue Exception => e
+      payload[:exception] = [e.class.name, e.message]
+      raise e
+    ensure
+      @notifier.publish(name, started, Time.now, @id, payload)
+    end
+  end
+end

data/lib/forgery_protection/query_tracker.rb

@@ -0,0 +1,22 @@
+require 'forgery_protection/instrumenter_extension'
+require 'forgery_protection/sql_event'
+
+module ForgeryProtection
+  class QueryTracker
+    def self.record_sql_event(event)
+      sql_events << event
+    end
+
+    def self.sql_events
+      Thread.current['active_record_sql_events'] ||= []
+    end
+
+    def self.reset_sql_events
+      sql_events.clear
+    end
+
+    def call(*args)
+      self.class.record_sql_event SqlEvent.new(*args)
+    end
+  end
+end

data/lib/forgery_protection/sql_event.rb

@@ -0,0 +1,23 @@
+require 'active_support'
+
+module ForgeryProtection
+  class SqlEvent < ActiveSupport::Notifications::Event
+    def read?
+      result.respond_to?(:each)
+    end
+
+    def write?
+      !read?
+    end
+
+    private
+
+    def result
+      payload[:result]
+    end
+
+    def sql
+      payload[:sql]
+    end
+  end
+end

data/lib/forgery_protection/version.rb

@@ -0,0 +1,3 @@
+module ForgeryProtection
+  VERSION = '0.0.2'.freeze
+end

data/lib/strict-forgery-protection.rb

@@ -0,0 +1,11 @@
+require 'forgery_protection/query_tracker'
+require 'forgery_protection/controller_extension'
+
+ActiveSupport.on_load(:active_record) do
+  ActiveSupport::Notifications.notifier.subscribe 'sql.active_record', ForgeryProtection::QueryTracker.new
+end
+
+ActiveSupport.on_load(:action_controller) do
+  include ForgeryProtection::ControllerExtension
+end
+

data/test/controller_test.rb

@@ -0,0 +1,80 @@
+require 'test_helper'
+
+require 'action_dispatch'
+
+class ControllerTest < ActionController::TestCase
+  class Controller < ActionController::Base
+    skip_forgery_protection :only => :touch
+
+    def read
+      render :json => post
+    end
+
+    def update
+      post.update_attributes! :message => params[:message]
+
+      render :json => post
+    end
+
+    def touch
+      post.touch
+
+      render :json => post
+    end
+
+    private
+
+    def post
+      Post.find params[:id]
+    end
+  end
+
+  tests Controller
+
+  setup do
+    @routes = ActionDispatch::Routing::RouteSet.new
+
+    @routes.draw do
+      match ':controller/:action(/:id)'
+    end
+
+    @controller.extend @routes.url_helpers
+
+    session[:_csrf_token] = @csrf_token = 'secret-csrf-token'
+
+    Post.delete_all
+
+    Post.create! :message => 'hello'
+  end
+
+  def test_reads
+    get :read, :id => Post.last
+  end
+
+  def test_verified_get
+    assert_nothing_raised { get :update, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
+
+    assert_equal 'bye', Post.last.message
+  end
+
+  def test_verified_post
+    assert_nothing_raised { post :update, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
+
+    assert_equal 'bye', Post.last.message
+  end
+
+  def test_unverified_get
+    assert_raises(ForgeryProtection::AttemptError) { get :update, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  end
+
+  def test_unverified_post
+    assert_raises(ForgeryProtection::AttemptError) { post :update, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  end
+
+  def test_skipped_verification
+    before = Post.last.updated_at
+    assert_nothing_raised { get :touch, :id => Post.last }
+
+    assert_not_equal before, Post.last.updated_at, "Should update the record"
+  end
+end

data/test/db_events_test.rb

@@ -0,0 +1,70 @@
+require 'test_helper'
+
+class DbEventsTest < ActiveSupport::TestCase
+  def test_read_queries
+    assert_reads do
+      Post.all
+      Post.count
+      Post.find_by_id 42
+    end
+  end
+
+  def test_raw_reads
+    assert_reads do
+      execute "SELECT * from posts"
+      execute "SELECT total_changes()"
+    end
+  end
+
+  def test_record_modification
+    assert_writes do
+      post = Post.create! :message => 'hello world'
+      Post.delete_all
+      post.update_attributes :message => 'goodbye'
+      post.destroy
+    end
+  end
+
+  def test_raw_writes
+    assert_writes do
+      execute "CREATE TABLE foos (foo INT)"
+      execute "INSERT INTO foos (foo) VALUES (5)"
+      execute "DELETE FROM foos"
+      execute "DROP TABLE foos"
+    end
+  end
+
+  private
+
+  def assert_reads
+    previous_changes = total_changes
+
+    events = sql_events { yield }
+
+    assert events.all?(&:read?), "Expected all events to be read, but got: #{events.map { |e| [e, e.read? ] }.inspect}"
+
+    assert_equal 0, total_changes - previous_changes, "Expected no new changes"
+  end
+
+  def assert_writes
+    events = sql_events { yield }
+
+    assert events.all?(&:write?), "Expected all events to be write, but got: #{events.map { |e| [ e, e.write? ] }.inspect}"
+  end
+
+  def sql_events
+    ForgeryProtection::QueryTracker.reset_sql_events
+
+    yield
+
+    ForgeryProtection::QueryTracker.sql_events
+  end
+
+  def total_changes
+    execute("SELECT total_changes()").first['total_changes()']
+  end
+
+  def execute(sql)
+    ActiveRecord::Base.connection.execute sql
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,30 @@
+require 'rubygems'
+require 'bundler'
+
+Bundler.setup
+
+require 'test/unit'
+
+require 'active_support'
+require 'active_record'
+require 'action_controller'
+require 'logger'
+
+require 'strict-forgery-protection'
+
+ActiveRecord::Base.logger = Logger.new('debug.log')
+ActiveRecord::Base.establish_connection :adapter => 'sqlite3',
+  :database => File.expand_path('../test.sqlite3', __FILE__),
+  :timeout => 5000
+
+ActiveRecord::Schema.define do
+  create_table :posts, :force => true do |t|
+    t.string :message
+
+    t.timestamps
+  end
+end
+
+class Post < ActiveRecord::Base
+end
+

metadata

@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification 
+name: strict-forgery-protection
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.0.2
+platform: ruby
+authors: 
+  - Dmitry Ratnikov
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-02-09 00:00:00 Z
+dependencies: 
+  - !ruby/object:Gem::Dependency 
+    name: rails
+    prerelease: false
+    requirement: &id001 !ruby/object:Gem::Requirement 
+      none: false
+      requirements: 
+        - - ~>
+          - !ruby/object:Gem::Version 
+            version: 3.1.0
+    type: :runtime
+    version_requirements: *id001
+description: 
+email: 
+  - ratnikov@google.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+  - lib/strict-forgery-protection.rb
+  - lib/forgery_protection/controller_extension.rb
+  - lib/forgery_protection/instrumenter_extension.rb
+  - lib/forgery_protection/query_tracker.rb
+  - lib/forgery_protection/sql_event.rb
+  - lib/forgery_protection/version.rb
+  - test/controller_test.rb
+  - test/db_events_test.rb
+  - test/test.sqlite3
+  - test/test_helper.rb
+homepage: http://github.com/ratnikov/strict-forgery-protection
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+  - lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.9
+signing_key: 
+specification_version: 3
+summary: Extends Rails to be strict CSRF token protection
+test_files: 
+  - test/controller_test.rb
+  - test/db_events_test.rb
+  - test/test.sqlite3
+  - test/test_helper.rb