RubyGems - strict-forgery-protection - Versions diffs - 0.0.4 → 0.0.7 - Mend

strict-forgery-protection 0.0.4 → 0.0.7

Files changed (5) hide show

data/lib/forgery_protection/controller_extension.rb +20 -12
data/lib/forgery_protection/version.rb +1 -1
data/test/controller_test.rb +46 -18
data/test/test.sqlite3 +0 -0
metadata +55 -61

data/lib/forgery_protection/controller_extension.rb CHANGED Viewed

@@ -3,29 +3,37 @@ module ForgeryProtection
   module ControllerExtension
     def self.included(controller)
-      controller.around_filter :verify_strict_authenticity
+      controller.around_filter :detect_unverified_db_update, :if => proc { |c| c.protect_against_forgery? }
-      def controller.skip_forgery_protection(*args)
-        skip_filter :verify_authenticity_token, *args
-        skip_filter :verify_strict_authenticity, *args
+      def controller.permit_unverified_state_changes(*args)
+        skip_filter :detect_unverified_db_update, *args
       end
     end
-    private
+    protected
-    def verify_strict_authenticity
+    def verify_authenticity_token
+      super.tap { @forgery_protection_invoked = true }
+    end
+    def detect_unverified_db_update
       ForgeryProtection::QueryTracker.reset_sql_events
       yield.tap do
-	provided_tokens = [ request.headers['X-CSRF-Token'], params[request_forgery_protection_token] ].compact
-	if ForgeryProtection::QueryTracker.sql_events.any? { |e| e.write? } && !provided_tokens.include?(form_authenticity_token)
-	  handle_unverified_request
-	end
+        if ForgeryProtection::QueryTracker.sql_events.any? { |e| e.write? }
+          raise AttemptError, "A database update occurred for an unverified request" unless valid_forgery_protection_token?
+          raise AttemptError, "A database update occured but forgery protection seems disabled" unless forgery_protection_invoked?
+        end
       end
     end
-    def handle_unverified_request
-      raise AttemptError
+    def forgery_protection_invoked?
+      !!@forgery_protection_invoked
+    end
+    def valid_forgery_protection_token?
+      form_authenticity_token == params[request_forgery_protection_token] ||
+      form_authenticity_token == request.headers['X-CSRF-Token']
     end
   end
 end

data/lib/forgery_protection/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ForgeryProtection
-  VERSION = '0.0.4'.freeze
+  VERSION = '0.0.7'
 end

data/test/controller_test.rb CHANGED Viewed

@@ -4,22 +4,22 @@ require 'action_dispatch'
 class ControllerTest < ActionController::TestCase
   class Controller < ActionController::Base
-    skip_forgery_protection :only => :touch
+    protect_from_forgery :except => [ :unprotected_read, :unprotected_write ]
+    permit_unverified_state_changes :only => [ :db_permitted_read, :db_permitted_write ]
     def read
       render :json => post
     end
-    def update
-      post.update_attributes! :message => params[:message]
+    def write
+      post.update_attribute :message, params[:message]
       render :json => post
     end
-    def touch
-      post.touch
-      render :json => post
+    %w(unprotected db_permitted).each do |prefix|
+      define_method("#{prefix}_read") { read }
+      define_method("#{prefix}_write") { write }
     end
     private
@@ -48,33 +48,61 @@ class ControllerTest < ActionController::TestCase
   end
   def test_reads
-    get :read, :id => Post.last
+    %w(read unprotected_read db_permitted_read).each do |read_action|
+      get read_action, :id => Post.last
+    end
   end
-  def test_verified_get
-    assert_nothing_raised { get :update, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
+  def test_verified_get_write
+    assert_nothing_raised { get :write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
     assert_equal 'bye', Post.last.message
   end
-  def test_verified_post
-    assert_nothing_raised { post :update, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
+  def test_verified_post_write
+    assert_nothing_raised { post :write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye' }
     assert_equal 'bye', Post.last.message
   end
-  def test_unverified_get
-    assert_raises(ForgeryProtection::AttemptError) { get :update, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  def test_unverified_get_write
+    assert_raises(ForgeryProtection::AttemptError) { get :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
   end
-  def test_unverified_post
-    assert_raises(ForgeryProtection::AttemptError) { post :update, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  def test_unverified_post_write
+    assert_raises(ForgeryProtection::AttemptError) { post :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'bye' }
+  end
+  def test_unprotected_writes
+    # Unfortunately tripping up developers for just POSTs to bad token with protection disabled is not enough:
+    # They are very likely to make the requests via the form, which Rails will include a valid CSRF token for.
+    #
+    # This would cause this csrf vulnerability to be exposed only when a real attacker attempts to compromise
+    # production. Since our checks are done after the action executed, the error would be raised too late. Hence
+    # we try to trip up developers when they disable forgery protection and make state changing calls, even if
+    # a valid csrf token is specified.
+    assert_raises(ForgeryProtection::AttemptError) do
+      get :unprotected_write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'bye'
+    end
+    assert_raises(ForgeryProtection::AttemptError) do
+      post :unprotected_write, :id => Post.last, :authenticity_token => @csrf_token, :message => 'good bye'
+    end
   end
-  def test_skipped_verification
+  def test_db_permitted_verification_write
     before = Post.last.updated_at
-    assert_nothing_raised { get :touch, :id => Post.last }
+    assert_nothing_raised { get :db_permitted_write, :id => Post.last }
     assert_not_equal before, Post.last.updated_at, "Should update the record"
   end
+  def test_global_forgery_disabled
+    @controller.allow_forgery_protection = false
+    assert_nothing_raised do
+      get :write, :id => Post.last, :message => 'get bye'
+      post :write, :id => Post.last, :message => 'post bye'
+    end
+  end
 end

data/test/test.sqlite3 CHANGED Viewed

Binary file

metadata CHANGED Viewed

@@ -1,77 +1,71 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: strict-forgery-protection
-version: !ruby/object:Gem::Version
-  prerelease:
-  version: 0.0.4
+version: !ruby/object:Gem::Version
+  prerelease:
+  version: 0.0.7
 platform: ruby
-authors:
-  - Dmitry Ratnikov
-autorequire:
+authors:
+- Dmitry Ratnikov
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-04-19 00:00:00 Z
-dependencies:
-  - !ruby/object:Gem::Dependency
-    name: rails
-    prerelease: false
-    requirement: &id001 !ruby/object:Gem::Requirement
-      none: false
-      requirements:
-        - - ~>
-          - !ruby/object:Gem::Version
-            version: "3.1"
-    type: :runtime
-    version_requirements: *id001
-description:
-email:
-  - ratnikov@google.com
+date: 2012-05-10 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  version_requirements: &2056 !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    none: false
+  requirement: *2056
+  prerelease: false
+  type: :runtime
+description:
+email:
+- ratnikov@google.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
-  - lib/strict-forgery-protection.rb
-  - lib/forgery_protection/controller_extension.rb
-  - lib/forgery_protection/instrumenter_extension.rb
-  - lib/forgery_protection/query_tracker.rb
-  - lib/forgery_protection/sql_event.rb
-  - lib/forgery_protection/version.rb
-  - test/controller_test.rb
-  - test/db_events_test.rb
-  - test/test.sqlite3
-  - test/test_helper.rb
+files:
+- lib/strict-forgery-protection.rb
+- lib/forgery_protection/controller_extension.rb
+- lib/forgery_protection/instrumenter_extension.rb
+- lib/forgery_protection/query_tracker.rb
+- lib/forgery_protection/sql_event.rb
+- lib/forgery_protection/version.rb
+- test/controller_test.rb
+- test/db_events_test.rb
+- test/test.sqlite3
+- test/test_helper.rb
 homepage: http://github.com/ratnikov/strict-forgery-protection
 licenses: []
-post_install_message:
+post_install_message:
 rdoc_options: []
-require_paths:
-  - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
   none: false
-  requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
   none: false
-  requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: "0"
 requirements: []
-rubyforge_project:
+rubyforge_project:
 rubygems_version: 1.8.15
-signing_key:
+signing_key:
 specification_version: 3
 summary: Extends Rails to be strict CSRF token protection
-test_files:
-  - test/controller_test.rb
-  - test/db_events_test.rb
-  - test/test.sqlite3
-  - test/test_helper.rb
+test_files:
+- test/controller_test.rb
+- test/db_events_test.rb
+- test/test.sqlite3
+- test/test_helper.rb
+...