diff options
| -rw-r--r-- | Changelog.md | 1 | ||||
| -rw-r--r-- | app/controllers/application_controller.rb | 6 | ||||
| -rw-r--r-- | app/mailers/notification_mailers/csrf_token_fail.rb | 7 | ||||
| -rw-r--r-- | app/mailers/notifier.rb | 4 | ||||
| -rw-r--r-- | app/views/notifier/csrf_token_fail.markerb | 1 | ||||
| -rw-r--r-- | app/workers/mail/csrf_token_fail.rb | 11 | ||||
| -rw-r--r-- | config/locales/diaspora/en.yml | 12 | ||||
| -rw-r--r-- | spec/integration/application_spec.rb | 6 | ||||
| -rw-r--r-- | spec/mailers/notifier_spec.rb | 20 | ||||
| -rw-r--r-- | spec/workers/mail/csrf_token_fail_spec.rb | 18 |
10 files changed, 85 insertions, 1 deletions
diff --git a/Changelog.md b/Changelog.md index 6ee36dc16..56b8a17ed 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,7 @@ * Indicate proper way to report bugs in the sidebar [#7039](https://github.com/diaspora/diaspora/pull/7039) * Remove text color from notification mails and fix sender avatar [#7054](https://github.com/diaspora/diaspora/pull/7054) * Make the session cookies HttpOnly again [#7041](https://github.com/diaspora/diaspora/pull/7041) +* Invalidate sessions with invalid CSRF tokens [#7050](https://github.com/diaspora/diaspora/pull/7050) ## Bug fixes * Post comments no longer get collapsed when interacting with a post [#7040](https://github.com/diaspora/diaspora/pull/7040) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 12e30346b..bc79acdb2 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -8,7 +8,11 @@ class ApplicationController < ActionController::Base protect_from_forgery except: :receive, with: :exception rescue_from ActionController::InvalidAuthenticityToken do - sign_out current_user + if user_signed_in? + logger.warn "#{current_user.diaspora_handle} CSRF token fail. referer: #{request.referer || 'empty'}" + Workers::Mail::CsrfTokenFail.perform_async(current_user.id) + sign_out current_user + end flash[:error] = I18n.t("error_messages.csrf_token_fail") redirect_to new_user_session_path format: request[:format] end diff --git a/app/mailers/notification_mailers/csrf_token_fail.rb b/app/mailers/notification_mailers/csrf_token_fail.rb new file mode 100644 index 000000000..435f9d87b --- /dev/null +++ b/app/mailers/notification_mailers/csrf_token_fail.rb @@ -0,0 +1,7 @@ +module NotificationMailers + class CsrfTokenFail < NotificationMailers::Base + def set_headers + @headers[:subject] = I18n.t("notifier.csrf_token_fail.subject", name: @recipient.name) + end + end +end diff --git a/app/mailers/notifier.rb b/app/mailers/notifier.rb index e92795a18..80630ebe2 100644 --- a/app/mailers/notifier.rb +++ b/app/mailers/notifier.rb @@ -87,6 +87,10 @@ class Notifier < ActionMailer::Base send_notification(:confirm_email, recipient_id) end + def csrf_token_fail(recipient_id) + send_notification(:csrf_token_fail, recipient_id) + end + private def send_notification(type, *args) @notification = NotificationMailers.const_get(type.to_s.camelize).new(*args) diff --git a/app/views/notifier/csrf_token_fail.markerb b/app/views/notifier/csrf_token_fail.markerb new file mode 100644 index 000000000..22f3164ea --- /dev/null +++ b/app/views/notifier/csrf_token_fail.markerb @@ -0,0 +1 @@ +<%= t("notifier.csrf_token_fail.body", name: @notification.recipient_first_name, link: "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") %> diff --git a/app/workers/mail/csrf_token_fail.rb b/app/workers/mail/csrf_token_fail.rb new file mode 100644 index 000000000..a3372b322 --- /dev/null +++ b/app/workers/mail/csrf_token_fail.rb @@ -0,0 +1,11 @@ +module Workers + module Mail + class CsrfTokenFail < Base + sidekiq_options queue: :low + + def perform(user_id) + Notifier.csrf_token_fail(user_id).deliver_now + end + end + end +end diff --git a/config/locales/diaspora/en.yml b/config/locales/diaspora/en.yml index 523e9615f..62d697149 100644 --- a/config/locales/diaspora/en.yml +++ b/config/locales/diaspora/en.yml @@ -696,6 +696,18 @@ en: confirm_email: subject: "Please activate your new email address %{unconfirmed_email}" click_link: "To activate your new email address %{unconfirmed_email}, please follow this link:" + csrf_token_fail: + subject: "We received an unauthorized request from your account, %{name}" + body: |- + Hello %{name}, + + We received a request with a wrong/missing CSRF token from your account. To prevent any possible damage you have been logged out. + + For more information on CSRF see [%{link}](%{link}). + + Sorry, + + The diaspora* email robot! report_email: type: post: "post" diff --git a/spec/integration/application_spec.rb b/spec/integration/application_spec.rb index 014b40e5c..7f5527896 100644 --- a/spec/integration/application_spec.rb +++ b/spec/integration/application_spec.rb @@ -37,6 +37,12 @@ describe ApplicationController, type: :request do expect(flash[:error]).to eq(I18n.t("error_messages.csrf_token_fail")) end + it "sends an email to the current user if the token validation failed" do + expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(false) + expect(Workers::Mail::CsrfTokenFail).to receive(:perform_async).with(alice.id) + put edit_user_path, user: {language: "en"} + end + it "doesn't sign out users if the token was correct" do expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(true) put edit_user_path, user: {language: "en"} diff --git a/spec/mailers/notifier_spec.rb b/spec/mailers/notifier_spec.rb index 61595a7eb..3669fddd9 100644 --- a/spec/mailers/notifier_spec.rb +++ b/spec/mailers/notifier_spec.rb @@ -432,6 +432,26 @@ describe Notifier, type: :mailer do end end + describe ".csrf_token_fail" do + let(:email) { Notifier.csrf_token_fail(alice.id) } + + it "goes to the right person" do + expect(email.to).to eq([alice.email]) + end + + it "has the correct subject" do + expect(email.subject).to eq(I18n.translate("notifier.csrf_token_fail.subject", name: alice.name)) + end + + it "has the receivers name in the body" do + expect(email.body.encoded).to include(alice.person.profile.first_name) + end + + it "has some informative text in the body" do + expect(email.body.encoded).to include("https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") + end + end + describe "hashtags" do it "escapes hashtags" do mails = Notifier.admin("#Welcome to bureaucracy!", [bob]) diff --git a/spec/workers/mail/csrf_token_fail_spec.rb b/spec/workers/mail/csrf_token_fail_spec.rb new file mode 100644 index 000000000..321b06dc4 --- /dev/null +++ b/spec/workers/mail/csrf_token_fail_spec.rb @@ -0,0 +1,18 @@ +# Copyright (c) 2010-2011, Diaspora Inc. This file is +# licensed under the Affero General Public License version 3 or later. See +# the COPYRIGHT file. + +require "spec_helper" + +describe Workers::Mail::CsrfTokenFail do + describe "#perfom" do + it "should call .deliver on the notifier object" do + user = alice + mail_double = double + expect(mail_double).to receive(:deliver_now) + expect(Notifier).to receive(:csrf_token_fail).with(user.id).and_return(mail_double) + + Workers::Mail::CsrfTokenFail.new.perform(user.id) + end + end +end |