Sha256: 23d13d4ef0fb20e78c325929fe4aa1f7d39a97a0308fa5ffc21e84578e32159f
Contents?: true
Size: 1.77 KB
Versions: 26
Compression:
Stored size: 1.77 KB
Contents
require 'rack/protection'
module Rack
module Protection
##
# Prevented attack:: CSRF
# Supported browsers:: all
# More infos:: http://flask.pocoo.org/docs/0.10/security/#json-security
# http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
#
# JSON GET APIs are vulnerable to being embedded as JavaScript when the
# Array prototype has been patched to track data. Checks the referrer
# even on GET requests if the content type is JSON.
#
# If request includes Origin HTTP header, defers to HttpOrigin to determine
# if the request is safe. Please refer to the documentation for more info.
#
# The `:allow_if` option can be set to a proc to use custom allow/deny logic.
class JsonCsrf < Base
default_options :allow_if => nil
alias react deny
def call(env)
request = Request.new(env)
status, headers, body = app.call(env)
if has_vector?(request, headers)
warn env, "attack prevented by #{self.class}"
react_and_close(env, body) or [status, headers, body]
else
[status, headers, body]
end
end
def has_vector?(request, headers)
return false if request.xhr?
return false if options[:allow_if] && options[:allow_if].call(request.env)
return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
origin(request.env).nil? and referrer(request.env) != request.host
end
def react_and_close(env, body)
reaction = react(env)
close_body(body) if reaction
reaction
end
def close_body(body)
body.close if body.respond_to?(:close)
end
end
end
end
Version data entries
26 entries across 23 versions & 4 rubygems