
require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   CSRF
    # Supported browsers:: all
    # More info::          http://flask.pocoo.org/docs/security/#json-security
    #
    # JSON GET responses can be loaded cross-site as JavaScript by a page that
    # has patched the Array prototype to capture the data. Checks the referrer
    # even on GET requests if the response content type is JSON.
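    class JsonCsrf < Base
      alias react deny

      # Runs the wrapped app, then inspects the response. If the request looks
      # like a cross-site load of a JSON response (see #has_vector?), logs a
      # warning and lets #react (an alias of deny) decide the outcome. When
      # #react produces a replacement response, the original body is closed
      # first so it is not leaked; when it produces nil the original response
      # is passed through untouched.
      #
      # @param env [Hash] the Rack environment
      # @return [Array] a Rack response triple
      def call(env)
        request               = Request.new(env)
        status, headers, body = app.call(env)

        return [status, headers, body] unless has_vector?(request, headers)

        warn env, "attack prevented by #{self.class}"
        react_and_close(env, body) || [status, headers, body]
      end

      # Whether the response could be read cross-site via a <script> include.
      #
      # Not a vector when the request was made via XMLHttpRequest, when the
      # response media type is not application/json, when an Origin value is
      # present, or when the referrer equals the request host (origin and
      # referrer come from helpers not defined in this class, presumably Base).
      #
      # @param request [Rack::Request]
      # @param headers [Hash] the response headers
      # @return [Boolean]
      def has_vector?(request, headers)
        return false if request.xhr?

        media_type = headers['Content-Type'].to_s.split(';', 2).first
        # \A and \z anchor the whole value; ^ and $ would only anchor a line.
        return false unless media_type =~ /\A\s*application\/json\s*\z/

        origin(request.env).nil? && referrer(request.env) != request.host
      end

      private

      # Calls #react and, when it produced a response of its own, closes the
      # body of the response being discarded (a Rack body must be closed once
      # it is no longer used).
      #
      # @param env [Hash] the Rack environment
      # @param body [#each] the original response body
      # @return [Array, nil] the reaction, or nil to pass the original through
      def react_and_close(env, body)
        reaction = react(env)
        body.close if reaction && body.respond_to?(:close)
        reaction
      end
    end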
  end
end
