Sha256: 11e8ddc4195c8d42b32f5eaae61fe5886874369aaab6ef4f357162727f5d1189
Contents?: true
Size: 1.41 KB
Versions: 3
Compression:
Stored size: 1.41 KB
Contents
require 'rack/protection'
module Rack
module Protection
##
# Prevented attack:: CSRF
# Supported browsers:: all
# More infos:: http://flask.pocoo.org/docs/security/#json-security
#
# JSON GET APIs are vulnerable to being embedded as JavaScript while the
# Array prototype has been patched to track data. Checks the referrer
# even on GET requests if the content type is JSON.
#
# Uses HttpOrigin to determine if requests are safe, please refer to the
# documentation for more.
class JsonCsrf < Base
alias react deny
def call(env)
request = Request.new(env)
status, headers, body = app.call(env)
if has_vector?(request, headers)
warn env, "attack prevented by #{self.class}"
react_and_close(env, body) or [status, headers, body]
else
[status, headers, body]
end
end
def has_vector?(request, headers)
return false if request.xhr?
return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
origin(request.env).nil? and referrer(request.env) != request.host
end
def react_and_close(env, body)
reaction = react(env)
close_body(body) if reaction
reaction
end
def close_body(body)
body.close if body.respond_to?(:close)
end
end
end
end
Version data entries
3 entries across 3 versions & 1 rubygems
| Version | Path |
|---|---|
| rack-protection-2.0.0.rc1 | lib/rack/protection/json_csrf.rb |
| rack-protection-2.0.0.beta2 | lib/rack/protection/json_csrf.rb |
| rack-protection-2.0.0.beta1 | lib/rack/protection/json_csrf.rb |