summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2018-06-22 08:02:43 +0000
committerDouwe Maan <douwe@gitlab.com>2018-06-22 08:02:43 +0000
commit8db69d19e3f3b058a8b8f5755b0f07869cd0fdad (patch)
tree71ca72501df2ec3c201a1812631ab801ff2c95dc
parent1980b9c5636e08a8b5a63793536afd4840864c56 (diff)
parent6fef87f17fa6fde7c15668faa43b563eebc0a918 (diff)
downloadgitlab-ce-8db69d19e3f3b058a8b8f5755b0f07869cd0fdad.tar.gz
Merge branch 'blackst0ne-fix-protect-from-forgery-in-application-controller' into 'master'
[Rails5] Force the `protect_from_forgery` callback run first Closes #48204 See merge request gitlab-org/gitlab-ce!20055
-rw-r--r--app/controllers/application_controller.rb2
-rw-r--r--app/controllers/health_controller.rb2
-rw-r--r--app/controllers/metrics_controller.rb2
-rw-r--r--app/controllers/omniauth_callbacks_controller.rb2
-rw-r--r--changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml5
-rw-r--r--lib/gitlab/request_forgery_protection.rb2
6 files changed, 10 insertions, 5 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 56312f801fb..21cc6dfdd16 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -27,7 +27,7 @@ class ApplicationController < ActionController::Base
after_action :set_page_title_header, if: -> { request.format == :json }
- protect_from_forgery with: :exception
+ protect_from_forgery with: :exception, prepend: true
helper_method :can?
helper_method :import_sources_enabled?, :github_import_enabled?, :gitea_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?
diff --git a/app/controllers/health_controller.rb b/app/controllers/health_controller.rb
index 16abf7bab7e..e54f372344d 100644
--- a/app/controllers/health_controller.rb
+++ b/app/controllers/health_controller.rb
@@ -1,5 +1,5 @@
class HealthController < ActionController::Base
- protect_from_forgery with: :exception, except: :storage_check
+ protect_from_forgery with: :exception, except: :storage_check, prepend: true
include RequiresWhitelistedMonitoringClient
CHECKS = [
diff --git a/app/controllers/metrics_controller.rb b/app/controllers/metrics_controller.rb
index 33b682d2859..0400ffcfee5 100644
--- a/app/controllers/metrics_controller.rb
+++ b/app/controllers/metrics_controller.rb
@@ -1,7 +1,7 @@
class MetricsController < ActionController::Base
include RequiresWhitelistedMonitoringClient
- protect_from_forgery with: :exception
+ protect_from_forgery with: :exception, prepend: true
def index
response = if Gitlab::Metrics.prometheus_metrics_enabled?
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 27fd5f7ba37..ba62d2d5142 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -2,7 +2,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include AuthenticatesWithTwoFactor
include Devise::Controllers::Rememberable
- protect_from_forgery except: [:kerberos, :saml, :cas3]
+ protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
def handle_omniauth
omniauth_flow(Gitlab::Auth::OAuth)
diff --git a/changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml b/changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml
new file mode 100644
index 00000000000..da75ea8b09e
--- /dev/null
+++ b/changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml
@@ -0,0 +1,5 @@
+---
+title: "[Rails5] Force the callback run first"
+merge_request: 20055
+author: "@blackst0ne"
+type: fixed
diff --git a/lib/gitlab/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
index ccfe0d6bed3..a502ad8a541 100644
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -5,7 +5,7 @@
module Gitlab
module RequestForgeryProtection
class Controller < ActionController::Base
- protect_from_forgery with: :exception
+ protect_from_forgery with: :exception, prepend: true
rescue_from ActionController::InvalidAuthenticityToken do |e|
logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"