Commit 8ce8b21f, authored 7 years ago by blackst0ne, committed by Douwe Maan 7 years ago
Refactor CSRF protection
parent 29022350

Showing 4 changed files with 8 additions and 34 deletions (+8 -34)
changelogs/unreleased/33601-add-csrf-token-verification-to-api.yml (+1 -1)
config/initializers/omniauth.rb (+1 -1)
lib/api/helpers.rb (+2 -30)
lib/gitlab/request_forgery_protection.rb (+4 -2)
changelogs/unreleased/33601-add-csrf-token-verification-to-api.yml
---
title
:
Add CSRF token verification to API
merge_request
:
12154
author
:
@
blackst0ne
author
:
Vitaliy @blackst0ne Klachkov
config/initializers/omniauth.rb
...
...
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
# In case of auto sign-in, the GET method is used (users don't get to click on a button)
OmniAuth
.
config
.
allowed_request_methods
<<
:get
if
Gitlab
.
config
.
omniauth
.
auto_sign_in_with_provider
.
present?
OmniAuth
.
config
.
before_request_phase
do
|
env
|
OmniAuth
::
RequestForgeryProtection
.
call
(
env
)
GitLab
::
RequestForgeryProtection
.
call
(
env
)
end
if
Gitlab
.
config
.
omniauth
.
enabled
...
...
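Review bot: the new call site spells the namespace `GitLab::RequestForgeryProtection` while the guard on the same block reads `Gitlab.config.omniauth.enabled`; in Ruby those are two unrelated top-level constants, so the hook registered in `before_request_phase` and the module it calls must agree on one spelling, and `Gitlab` is the one the rest of this file and the project's autoloader already use. The hook itself is still sound for the auto sign-in case described in the comment above it: Rails' `protect_from_forgery` verifies only non-GET/HEAD requests, so the `:get` appended to `allowed_request_methods` when `auto_sign_in_with_provider` is set passes through unverified, as it must for a redirect the user never clicks, and only the POST to the provider gets the token check.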
lib/api/helpers.rb
...
...
@@ -328,33 +328,6 @@ module API
private
def
xor_byte_strings
(
s1
,
s2
)
s2_bytes
=
s2
.
bytes
s1
.
each_byte
.
with_index
{
|
c1
,
i
|
s2_bytes
[
i
]
^=
c1
}
s2_bytes
.
pack
(
'C*'
)
end
# Check if CSRF tokens are equal.
# The header token is masked.
# So, before the comparison it must be unmasked.
def
csrf_tokens_valid?
(
request
)
session_token
=
request
.
session
[
'_csrf_token'
]
header_token
=
request
.
headers
[
'X-Csrf-Token'
]
session_token
=
Base64
.
strict_decode64
(
session_token
)
header_token
=
Base64
.
strict_decode64
(
header_token
)
# Decoded CSRF token passed from the frontend has to be 64 symbols long.
return
false
if
header_token
.
size
!=
64
header_token
=
xor_byte_strings
(
header_token
[
0
...
32
],
header_token
[
32
..-
1
])
ActiveSupport
::
SecurityUtils
.
secure_compare
(
session_token
,
header_token
)
rescue
false
end
def
private_token
params
[
APIGuard
::
PRIVATE_TOKEN_PARAM
]
||
env
[
APIGuard
::
PRIVATE_TOKEN_HEADER
]
end
...
...
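Review bot: deleting the hand-rolled unmasking is the right call, and not only because it duplicated Rails' internal token format (a 64-byte value after Base64 decoding, whose first 32 bytes are a one-time pad XORed into the second 32). The removed `csrf_tokens_valid?` ended in a bare `rescue false`, which turned any StandardError, including a nil `_csrf_token` in the session, a non-Base64 header or a bug in `xor_byte_strings`, into a silent "invalid" result instead of an error, and it compared only the `X-Csrf-Token` header against `session['_csrf_token']`, so it would drift from whatever `protect_from_forgery` accepts as the Rails version changes. Since this hunk removes the only visible uses of `Base64` and `ActiveSupport::SecurityUtils`, check whether any explicit requires for them in helpers.rb can go too.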
@@ -363,10 +336,9 @@ module API
env
[
'warden'
]
end
# Check if CSRF tokens are valid.
def
verified_request?
request
=
Grape
::
Request
.
new
(
env
)
request
.
head?
||
request
.
get?
||
csrf_tokens_valid?
(
request
)
GitLab
::
RequestForgeryProtection
.
call
(
env
)
end
# Check the Rails session for valid authentication details
...
...
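Review bot: `verified_request?` keeps its predicate name and the comment "Check if CSRF tokens are valid." but no longer returns a boolean. The old body returned `request.head? || request.get? || csrf_tokens_valid?(request)`; the new body returns whatever `GitLab::RequestForgeryProtection.call(env)` returns, and that module's controller is declared `protect_from_forgery with: :exception`, so a bad or missing token now raises `ActionController::InvalidAuthenticityToken` rather than yielding false, while a good one yields the controller's Rack response rather than true. Either rename the method so callers know it raises, or have it return true after `.call(env)` completes and false from a `rescue ActionController::InvalidAuthenticityToken`, and confirm that the session-based authentication path that calls it still treats a false result as "not verified" rather than letting the exception escape as a 500.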
lib/omni_auth/request_forgery_protection.rb → lib/gitlab/request_forgery_protection.rb
# Protects OmniAuth request phase against CSRF.
# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)
module
OmniAuth
module
GitLab
module
RequestForgeryProtection
class
Controller
<
ActionController
::
Base
protect_from_forgery
with: :exception
...
...
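Review bot: the file moves to lib/gitlab/request_forgery_protection.rb, a path the Rails autoloader maps to `Gitlab::RequestForgeryProtection`, but the module is declared as `module GitLab`; unless the file is required explicitly, a reference to `GitLab::RequestForgeryProtection` would make the autoloader look for git_lab/request_forgery_protection.rb and miss this file, and it introduces a second top-level namespace next to the project's existing `Gitlab`. Suggest `module Gitlab`, with the usage line in the header comment and both call sites (config/initializers/omniauth.rb and lib/api/helpers.rb) updated to match. The rewritten comment is otherwise accurate: the module is now shared by the API helpers and the OmniAuth request phase, and `protect_from_forgery with: :exception` on the nested controller is the right setting for a shared checker, since both callers want a hard failure rather than a silently ignored token.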