author | Douwe Maan <douwe@gitlab.com> | 2015-04-24 17:03:18 +0200 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-04-24 17:03:18 +0200 |
commit | 571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5 (patch) | |
tree | 817cd5b54a81a1a229be4b42e7643ad90f5040e1 /lib | |
parent | 62117f2f25646009fb5b20d7a215d7d697ce3231 (diff) | |
download | gitlab-ce-571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5.tar.gz |
Protect OmniAuth request phase against CSRF.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/omni_auth/request_forgery_protection.rb | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
new file mode 100644
index 00000000000..cbbb686473c
--- /dev/null
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -0,0 +1,62 @@
+# Protects OmniAuth request phase against CSRF.
+
+module OmniAuth
+ # Based from ActionController::RequestForgeryProtection.
+ class RequestForgeryProtection
+ def initialize(env)
+ @env = env
+ end
+
+ def request
+ @request ||= ActionDispatch::Request.new(@env)
+ end
+
+ def session
+ request.session
+ end
+
+ def params
+ request.params
+ end
+
+ def call
+ verify_authenticity_token
+ end
+
+ def verify_authenticity_token
+ if !verified_request?
+ Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
+ handle_unverified_request
+ end
+ end
+
+ private
+
+ def protect_against_forgery?
+ ApplicationController.allow_forgery_protection
+ end
+
+ def request_forgery_protection_token
+ ApplicationController.request_forgery_protection_token
+ end
+
+ def forgery_protection_strategy
+ ApplicationController.forgery_protection_strategy
+ end
+
+ def verified_request?
+ !protect_against_forgery? || request.get? || request.head? ||
+ form_authenticity_token == params[request_forgery_protection_token] ||
+ form_authenticity_token == request.headers['X-CSRF-Token']
+ end
+
+ def handle_unverified_request
+ forgery_protection_strategy.new(self).handle_unverified_request
+ end
+
+ # Sets the token value for the current session.
+ def form_authenticity_token
+ session[:_csrf_token] ||= SecureRandom.base64(32)
+ end
+ end
+end
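Review bot: The two token checks in `verified_request?` compare the session secret to `params[request_forgery_protection_token]` and to the `X-CSRF-Token` header with plain `==`, which is not a constant-time comparison; the conventional form for a secret comparison is `Rack::Utils.secure_compare(form_authenticity_token, params[request_forgery_protection_token].to_s) ||` followed by `Rack::Utils.secure_compare(form_authenticity_token, request.headers['X-CSRF-Token'].to_s)`, where the `.to_s` also guards against a nil or non-String param value. Note that `verified_request?` is true for every GET and HEAD request, so this class only protects a request phase that is restricted to POST elsewhere, which this diff does not show. If the application's ActionController emits masked form tokens rather than the raw session value (presumably version-dependent; worth confirming), the raw `session[:_csrf_token]` compared here would never equal the submitted form token. The comment on `form_authenticity_token` ("Sets the token value for the current session.") misdescribes the `||=`: the method returns the stored `session[:_csrf_token]` and only generates one when none is present, so `# Returns the session's CSRF token, generating and storing one if absent.` would be accurate.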