gitlab-org--gitlab-foss/lib/gitlab/request_forgery_protection.rb

# frozen_string_literal: true

# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)

module Gitlab
  module RequestForgeryProtection
    class Controller < ActionController::Base
      protect_from_forgery with: :exception, prepend: true

      rescue_from ActionController::InvalidAuthenticityToken do |e|
        logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
        logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"
        logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"

        raise e
      end

      def index
        head :ok
      end
    end

    def self.app
      @app ||= Controller.action(:index)
    end

    def self.call(env)
      app.call(env)
    end

    def self.verified?(env)
      call(env)

      true
    rescue ActionController::InvalidAuthenticityToken
      false
    end
  end
end
Enable frozen string for lib/gitlab/*.rb 2018-10-22 07:00:50 +00:00			`# frozen_string_literal: true`

Refactor CSRF protection 2017-06-21 06:52:54 +00:00			`# A module to check CSRF tokens in requests.`
			`# It's used in API helpers and OmniAuth.`
			`# Usage: GitLab::RequestForgeryProtection.call(env)`
Protect OmniAuth request phase against CSRF. 2015-04-24 15:03:18 +00:00
Add `rescue false`. 2017-06-22 05:19:14 +00:00			`module Gitlab`
Fix signin with OmniAuth providers 2015-12-08 13:41:19 +00:00			`module RequestForgeryProtection`
			`class Controller < ActionController::Base`
[Rails5] Force the `protect_from_forgery` callback run first Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by default anymore. [1] Instead it gets inserted into callbacks chain where callbacks get called in order. This commit forces the callback to run first. [1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191 2018-06-21 10:44:31 +00:00			`protect_from_forgery with: :exception, prepend: true`
Protect OmniAuth request phase against CSRF. 2015-04-24 15:03:18 +00:00
Add log messages to clarify log messages about API CSRF token verification failure 2017-07-28 13:39:39 +00:00			`rescue_from ActionController::InvalidAuthenticityToken do \|e\|`
			logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
			`logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"`
			logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"

			`raise e`
			`end`

Fix signin with OmniAuth providers 2015-12-08 13:41:19 +00:00			`def index`
			`head :ok`
Protect OmniAuth request phase against CSRF. 2015-04-24 15:03:18 +00:00			`end`
			`end`

Fix signin with OmniAuth providers 2015-12-08 13:41:19 +00:00			`def self.app`
			`@app \|\|= Controller.action(:index)`
Protect OmniAuth request phase against CSRF. 2015-04-24 15:03:18 +00:00			`end`

Fix signin with OmniAuth providers 2015-12-08 13:41:19 +00:00			`def self.call(env)`
			`app.call(env)`
Protect OmniAuth request phase against CSRF. 2015-04-24 15:03:18 +00:00			`end`
Rescue only from ActionController::InvalidAuthenticityToken 2017-07-26 09:25:10 +00:00
			`def self.verified?(env)`
			`call(env)`

			`true`
			`rescue ActionController::InvalidAuthenticityToken`
			`false`
			`end`
Protect OmniAuth request phase against CSRF. 2015-04-24 15:03:18 +00:00			`end`
			`end`