Fix handling of no session (#4731)
parent
eeaf41c7fd
commit
09305a0909
2 changed files with 18 additions and 5 deletions
|
@ -90,13 +90,11 @@ module Sidekiq
|
||||||
end
|
end
|
||||||
|
|
||||||
sess = session(env)
|
sess = session(env)
|
||||||
|
|
||||||
# Checks that Rack::Session::Cookie did not return empty session
|
|
||||||
# object in case the digest verification failed
|
|
||||||
return false if sess.empty?
|
|
||||||
|
|
||||||
localtoken = sess[:csrf]
|
localtoken = sess[:csrf]
|
||||||
|
|
||||||
|
# Checks that Rack::Session::Cookie actualy contains the csrf toekn
|
||||||
|
return false if localtoken.nil?
|
||||||
|
|
||||||
# Rotate the session token after every use
|
# Rotate the session token after every use
|
||||||
sess[:csrf] = SecureRandom.base64(TOKEN_LENGTH)
|
sess[:csrf] = SecureRandom.base64(TOKEN_LENGTH)
|
||||||
|
|
||||||
|
|
|
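Review bot: The comment introduced above the new guard has two typos (`actualy`, `toekn`) and drops the rationale the removed comment carried; suggest `# Check that the session actually contains a csrf token (a failed cookie-digest check leaves the session empty)` so a reader still learns why an empty session is expected here. The new `return false if localtoken.nil?` covers the empty-session case the old `sess.empty?` guard handled, since an empty hash yields nil for `:csrf`, but `sess[:csrf]` on the line before it still dereferences `sess` unguarded, so if `session(env)` can return nil when no session middleware is mounted the NoMethodError path remains — worth confirming against `session`, which is outside this hunk. The enclosing method starts and ends outside the hunk.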
@ -97,4 +97,19 @@ class TestCsrf < Minitest::Test
|
||||||
assert_equal 403, result[0]
|
assert_equal 403, result[0]
|
||||||
assert_equal ["Forbidden"], result[2]
|
assert_equal ["Forbidden"], result[2]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_empty_csrf_session_post
|
||||||
|
goodtoken = call(env) do |envy|
|
||||||
|
envy[:csrf_token]
|
||||||
|
end
|
||||||
|
assert goodtoken
|
||||||
|
|
||||||
|
# Make a POST without csrf session data and good token
|
||||||
|
result = call(env(:post, { "authenticity_token" => goodtoken }, { 'session_id' => 'foo' })) do
|
||||||
|
raise "shouldnt be called"
|
||||||
|
end
|
||||||
|
refute_nil result
|
||||||
|
assert_equal 403, result[0]
|
||||||
|
assert_equal ["Forbidden"], result[2]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
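Review bot: The test name `test_empty_csrf_session_post` and the comment `# Make a POST without csrf session data and good token` describe an empty session, but the session passed is `{ 'session_id' => 'foo' }`, which is non-empty and only lacks the `:csrf` key, so this exercises the missing-token branch rather than the empty-session branch whose explicit guard the other file in this commit removes. Consider either renaming it `test_missing_csrf_token_in_session_post` or adding a second POST with `{}` as the session so both paths are pinned. The quoting is also mixed on one line (`"authenticity_token"` vs `'session_id'`); the surrounding tests use double quotes. The `env` and `call` helpers are defined outside this hunk, so the third positional argument being the session is inferred from the call site.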