author | Sean McGivern <sean@mcgivern.me.uk> | 2017-07-27 13:20:52 +0300 |
committer | Sean McGivern <sean@mcgivern.me.uk> | 2017-07-27 13:20:52 +0300 |
commit | ef50875d3aa27a8e7bcc3296f911da4710be0585 (patch) | |
tree | 6b3522c20239dc319719203372464a0aa88fd9cb /lib | |
parent | 2850efcdd51909a5a92f844e7b8940ed0190d234 (diff) | |
parent | bfe8b96874c66c54e2e4c1a66a520087b217e9e7 (diff) |
Merge branch '33601-add-csrf-token-verification-to-api' into 'master'
Resolve "Add CSRF token verification to API"
Closes #33601
See merge request !12154
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/helpers.rb | 10 | ||||
-rw-r--r-- | lib/gitlab/request_forgery_protection.rb (renamed from lib/omni_auth/request_forgery_protection.rb) | 14 |
2 files changed, 18 insertions, 6 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 57e3e93500f..234825480f2 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -336,12 +336,14 @@ module API
 env['warden']
 end
+ # Check if the request is GET/HEAD, or if CSRF token is valid.
+ def verified_request?
+ Gitlab::RequestForgeryProtection.verified?(env)
+ end
+
 # Check the Rails session for valid authentication details
- #
- # Until CSRF protection is added to the API, disallow this method for
- # state-changing endpoints
 def find_user_from_warden
- warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
+ warden.try(:authenticate) if verified_request?
 end
 def initial_current_user
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
index 69155131d8d..48dd0487790 100644
--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -1,6 +1,8 @@
-# Protects OmniAuth request phase against CSRF.
+# A module to check CSRF tokens in requests.
+# It's used in API helpers and OmniAuth.
+# Usage: GitLab::RequestForgeryProtection.call(env)
-module OmniAuth
+module Gitlab
 module RequestForgeryProtection
 class Controller < ActionController::Base
 protect_from_forgery with: :exception
@@ -17,5 +19,13 @@ module OmniAuth
 def self.call(env)
 app.call(env)
 end
+
+ def self.verified?(env)
+ call(env)
+
+ true
+ rescue ActionController::InvalidAuthenticityToken
+ false
+ end
 end
 end
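Review bot: find_user_from_warden now admits session authentication on any method for which Gitlab::RequestForgeryProtection.verified?(env) returns true, and the old environment-independent `%w[GET HEAD]` guard is gone. Because the check is delegated to a Rails controller's protect_from_forgery, it is presumably also skipped wherever Rails forgery protection is disabled by configuration (off by default in the test environment), which would let session-authenticated state-changing requests through there; worth confirming and pinning with a spec that sends a POST without a token. The comment on verified_request? describes behaviour that lives in the Rails check rather than in this helper; suggest `# Delegates to Rails' forgery check: safe methods (GET/HEAD) pass, other methods need a valid CSRF token.`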
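Review bot: The usage line in the new header comment names `GitLab::RequestForgeryProtection`, but the module declared two lines below is `Gitlab`; Ruby constants are case-sensitive, so the documented call does not resolve as written. Change it to `# Usage: Gitlab::RequestForgeryProtection.call(env)`, and since this commit also adds a boolean entry point, mention it: `# Usage: Gitlab::RequestForgeryProtection.verified?(env) (boolean) or .call(env) (raises on failure)`. The module body continues past this hunk.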
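Review bot: verified? carries no comment stating its contract, and its fail-open shape matters because API helpers gate session authentication on it. Suggest above `def self.verified?(env)`: `# Runs the forgery check; true when it passes, false only on ActionController::InvalidAuthenticityToken. Any other error raised by the app propagates to the caller.` It would also help to state that a true result means only that the token check passed or was not required (safe method, or — presumably — forgery protection disabled by config), not that the request is authenticated.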