Merge branch 'bvl-request-forgery-protection-metrics' into 'master'

Don't modify env in request forgery protection See merge request gitlab-org/gitlab!53609

Merge branch 'bvl-request-forgery-protection-metrics' into 'master'
Don't modify env in request forgery protection See merge request gitlab-org/gitlab!53609
a8073782 · Robert Speicher · 35132c45 · 33554c93 · a8073782 · a8073782
Commit a8073782 authored Feb 10, 2021 by Robert Speicher
Showing with 8 additions and 1 deletion

lib/gitlab/request_forgery_protection.rb lib/gitlab/request_forgery_protection.rb +3 -1

spec/lib/gitlab/request_forgery_protection_spec.rb spec/lib/gitlab/request_forgery_protection_spec.rb +5 -0

No files found.
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -23,7 +23,9 @@ module Gitlab
    end

    def self.verified?(env)
-      call(env)
+      minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')
+                      .merge('rack.input' => '')
+      call(minimal_env)

      true
    rescue ActionController::InvalidAuthenticityToken

--- a/spec/lib/gitlab/request_forgery_protection_spec.rb
+++ b/spec/lib/gitlab/request_forgery_protection_spec.rb
@@ -52,6 +52,11 @@ RSpec.describe Gitlab::RequestForgeryProtection, :allow_forgery_protection do
  end

  describe '.verified?' do
+    it 'does not modify the env' do
+      env['REQUEST_METHOD'] = "GET"
+      expect { described_class.verified?(env) }.not_to change { env }
+    end
+
    context 'when the request method is GET' do
      before do
        env['REQUEST_METHOD'] = 'GET'