authorDouwe Maan <douwe@gitlab.com>2015-04-24 17:03:18 +0200
committerDouwe Maan <douwe@gitlab.com>2015-04-24 17:03:18 +0200
commit571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5 (patch)
tree817cd5b54a81a1a229be4b42e7643ad90f5040e1 /lib
parent62117f2f25646009fb5b20d7a215d7d697ce3231 (diff)
downloadgitlab-ce-571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5.tar.gz
Protect OmniAuth request phase against CSRF.
Diffstat (limited to 'lib')
-rw-r--r--lib/omni_auth/request_forgery_protection.rb62
1 files changed, 62 insertions, 0 deletions
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
new file mode 100644
index 00000000000..cbbb686473c
--- /dev/null
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -0,0 +1,62 @@
+# Protects OmniAuth request phase against CSRF.
+
+module OmniAuth
+ # Based from ActionController::RequestForgeryProtection.
+ class RequestForgeryProtection
+ def initialize(env)
+ @env = env
+ end
+
+ def request
+ @request ||= ActionDispatch::Request.new(@env)
+ end
+
+ def session
+ request.session
+ end
+
+ def params
+ request.params
+ end
+
+ def call
+ verify_authenticity_token
+ end
+
+ def verify_authenticity_token
+ if !verified_request?
+ Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
+ handle_unverified_request
+ end
+ end
+
+ private
+
+ def protect_against_forgery?
+ ApplicationController.allow_forgery_protection
+ end
+
+ def request_forgery_protection_token
+ ApplicationController.request_forgery_protection_token
+ end
+
+ def forgery_protection_strategy
+ ApplicationController.forgery_protection_strategy
+ end
+
+ def verified_request?
+ !protect_against_forgery? || request.get? || request.head? ||
+ form_authenticity_token == params[request_forgery_protection_token] ||
+ form_authenticity_token == request.headers['X-CSRF-Token']
+ end
+
+ def handle_unverified_request
+ forgery_protection_strategy.new(self).handle_unverified_request
+ end
+
+ # Sets the token value for the current session.
+ def form_authenticity_token
+ session[:_csrf_token] ||= SecureRandom.base64(32)
+ end
+ end
+end
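Review bot: The two token checks in `verified_request?` compare the session token with `==`, which stops at the first differing byte; since this value is the whole CSRF defence, a length-safe constant-time comparison is the safer choice, e.g. `token = form_authenticity_token`, `Rack::Utils.secure_compare(token, params[request_forgery_protection_token].to_s) ||`, `Rack::Utils.secure_compare(token, request.headers['X-CSRF-Token'].to_s)` (the `.to_s` keeps a missing param or header from raising inside the comparison). Note also that `handle_unverified_request` hands `self` to the configured strategy as if it were a controller; the `:reset_session` strategy calls `reset_session` on that object, which this class does not define, so either add that method or document that only `:exception` and `:null_session` are supported here. Finally, the comment on `form_authenticity_token` says it "Sets the token value" but the method returns the existing session token and only mints one when none is present; `# Returns the session's CSRF token, generating one on first use.` would describe it accurately.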