module ActionController::RequestForgeryProtection
def compare_with_real_token(token, session)
def compare_with_real_token(token, session) ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session)) end
def form_authenticity_param
def form_authenticity_param params[request_forgery_protection_token] end
def form_authenticity_token
def form_authenticity_token masked_authenticity_token(session) end
def handle_unverified_request
def handle_unverified_request forgery_protection_strategy.new(self).handle_unverified_request end
def mark_for_same_origin_verification!
def mark_for_same_origin_verification! @marked_for_same_origin_verification = request.get? end
def marked_for_same_origin_verification?
If the `verify_authenticity_token` before_action ran, verify that
def marked_for_same_origin_verification? @marked_for_same_origin_verification ||= false end
def masked_authenticity_token(session)
on each request. The masking is used to mitigate SSL attacks
Creates a masked version of the authenticity token that varies
def masked_authenticity_token(session) one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH) encrypted_csrf_token = xor_byte_strings(one_time_pad, real_csrf_token(session)) masked_token = one_time_pad + encrypted_csrf_token Base64.strict_encode64(masked_token) end
def non_xhr_javascript_response?
def non_xhr_javascript_response? content_type =~ %r(\Atext/javascript) && !request.xhr? end
def protect_against_forgery?
def protect_against_forgery? allow_forgery_protection end
def real_csrf_token(session)
def real_csrf_token(session) session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH) Base64.strict_decode64(session[:_csrf_token]) end
def valid_authenticity_token?(session, encoded_masked_token)
session token. Essentially the inverse of
Checks the client's masked token to see if it matches the
def valid_authenticity_token?(session, encoded_masked_token) if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String) return false end begin masked_token = Base64.strict_decode64(encoded_masked_token) rescue ArgumentError # encoded_masked_token is invalid Base64 return false end # See if it's actually a masked token or not. In order to # deploy this code, we should be able to handle any unmasked # tokens that we've issued without error. if masked_token.length == AUTHENTICITY_TOKEN_LENGTH # This is actually an unmasked token. This is expected if # you have just upgraded to masked tokens, but should stop # happening shortly after installing this gem compare_with_real_token masked_token, session elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2 # Split the token into the one-time pad and the encrypted # value and decrypt it one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH] encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1] csrf_token = xor_byte_strings(one_time_pad, encrypted_csrf_token) compare_with_real_token csrf_token, session else false # Token is malformed end end
def verified_request?
* Does the form_authenticity_token match the given token value from the params?
* is it a GET or HEAD request? Gets should be safe and idempotent
Returns true or false if a request is verified. Checks:
def verified_request? !protect_against_forgery? || request.get? || request.head? || valid_authenticity_token?(session, form_authenticity_param) || valid_authenticity_token?(session, request.headers['X-CSRF-Token']) end
def verify_authenticity_token
verify that JavaScript responses are for XHR requests, ensuring they
enabled on an action, this before_action flags its after_action to
due for same-origin request verification. If protect_from_forgery is
Lean on the protect_from_forgery declaration to mark which actions are
`