debian-mirror-gitlab/lib/gitlab/request_forgery_protection.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

46 lines
1.1 KiB
Ruby
Raw Permalink Normal View History

2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2017-09-10 17:25:29 +05:30
# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)
module Gitlab
module RequestForgeryProtection
2022-10-11 01:57:18 +05:30
# rubocop:disable Rails/ApplicationController
2017-09-10 17:25:29 +05:30
class Controller < ActionController::Base
2018-11-08 19:23:39 +05:30
protect_from_forgery with: :exception, prepend: true
2017-09-10 17:25:29 +05:30
2023-01-13 00:05:48 +05:30
def initialize
super
# Squelch noisy and unnecessary "Can't verify CSRF token authenticity." messages.
# X-Csrf-Token is only one authentication mechanism for API helpers.
self.logger = ActiveSupport::Logger.new(File::NULL)
end
2017-09-10 17:25:29 +05:30
def index
head :ok
end
end
def self.app
@app ||= Controller.action(:index)
end
def self.call(env)
app.call(env)
end
def self.verified?(env)
2021-03-11 19:13:27 +05:30
minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')
.merge('rack.input' => '')
call(minimal_env)
2017-09-10 17:25:29 +05:30
true
rescue ActionController::InvalidAuthenticityToken
false
end
2022-10-11 01:57:18 +05:30
# rubocop:enable Rails/ApplicationController
2017-09-10 17:25:29 +05:30
end
end