author | blackst0ne <blackst0ne.ru@gmail.com> | 2017-06-21 17:52:54 +1100 |
---|---|---|
committer | Douwe Maan <douwe@selenight.nl> | 2017-07-26 11:05:44 +0200 |
commit | 8ce8b21f675709c884148d050663b9f2374cdc61 (patch) | |
tree | 524480e042ce4ee835a59bec0f3089e401c94913 /lib | |
parent | 29022350999ab3ddc4518f7a7647939ec2de8e09 (diff) | |
Refactor CSRF protection
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/helpers.rb | 32 | ||||
-rw-r--r-- | lib/gitlab/request_forgery_protection.rb (renamed from lib/omni_auth/request_forgery_protection.rb) | 6 |
2 files changed, 6 insertions, 32 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ab5f4c865e0..b81ce75ef4f 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -328,33 +328,6 @@ module API
 private
- def xor_byte_strings(s1, s2)
- s2_bytes = s2.bytes
- s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
- s2_bytes.pack('C*')
- end
-
- # Check if CSRF tokens are equal.
- # The header token is masked.
- # So, before the comparison it must be unmasked.
- def csrf_tokens_valid?(request)
- session_token = request.session['_csrf_token']
- header_token = request.headers['X-Csrf-Token']
-
- session_token = Base64.strict_decode64(session_token)
- header_token = Base64.strict_decode64(header_token)
-
- # Decoded CSRF token passed from the frontend has to be 64 symbols long.
- return false if header_token.size != 64
-
- header_token = xor_byte_strings(header_token[0...32], header_token[32..-1])
-
- ActiveSupport::SecurityUtils.secure_compare(session_token, header_token)
-
- rescue
- false
- end
-
 def private_token
 params[APIGuard::PRIVATE_TOKEN_PARAM] || env[APIGuard::PRIVATE_TOKEN_HEADER]
 end
@@ -363,10 +336,9 @@ module API
 env['warden']
 end
+ # Check if CSRF tokens are valid.
 def verified_request?
- request = Grape::Request.new(env)
-
- request.head? || request.get? || csrf_tokens_valid?(request)
+ GitLab::RequestForgeryProtection.call(env)
 end
 # Check the Rails session for valid authentication details
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
index 69155131d8d..071a72a1f8b 100644
--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -1,6 +1,8 @@
-# Protects OmniAuth request phase against CSRF.
+# A module to check CSRF tokens in requests.
+# It's used in API helpers and OmniAuth.
+# Usage: GitLab::RequestForgeryProtection.call(env)
-module OmniAuth
+module GitLab
 module RequestForgeryProtection
 class Controller < ActionController::Base
 protect_from_forgery with: :exception |
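Review bot: The constant `GitLab::RequestForgeryProtection` that the new `verified_request?` body calls (second hunk of lib/api/helpers.rb) is declared as `module GitLab` in the third hunk, in a file now located at `lib/gitlab/request_forgery_protection.rb`; Rails constant autoloading derives `Gitlab::RequestForgeryProtection` from that path, so unless a `GitLab` namespace is loaded some other way the first session-authenticated non-GET API request may fail with a NameError instead of a CSRF check — verify against the top-level namespace used elsewhere under lib/. The removed implementation also returned true for `request.head? || request.get?` before comparing tokens and rescued any decoding error into `false`; `.call` is not shown in this diff, and the `Controller` it presumably wraps uses `protect_from_forgery with: :exception`, so confirm that the delegate converts `ActionController::InvalidAuthenticityToken` into a boolean and still exempts safe methods, since callers of a `?` method presumably treat its result as a predicate. Once that is confirmed, the added one-line comment could state the contract instead of restating the name: `# Returns true for safe (GET/HEAD) requests or when the session token and X-Csrf-Token header match; see GitLab::RequestForgeryProtection.call.`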