gitlab-org--gitlab-foss/lib/gitlab/request_forgery_protection.rb

# frozen_string_literal: true

# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)

module Gitlab
  module RequestForgeryProtection
    class Controller < ActionController::Base
      protect_from_forgery with: :exception, prepend: true

      def index
        head :ok
      end
    end

    def self.app
      @app ||= Controller.action(:index)
    end

    def self.call(env)
      app.call(env)
    end

    def self.verified?(env)
      minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')
                      .merge('rack.input' => '')
      call(minimal_env)

      true
    rescue ActionController::InvalidAuthenticityToken
      false
    end
  end
end
Enable frozen string for lib/gitlab/*.rb 2018-10-22 03:00:50 -04:00			`# frozen_string_literal: true`

Refactor CSRF protection 2017-06-21 02:52:54 -04:00			`# A module to check CSRF tokens in requests.`
			`# It's used in API helpers and OmniAuth.`
			`# Usage: GitLab::RequestForgeryProtection.call(env)`
Protect OmniAuth request phase against CSRF. 2015-04-24 11:03:18 -04:00
Add `rescue false`. 2017-06-22 01:19:14 -04:00			`module Gitlab`
Fix signin with OmniAuth providers 2015-12-08 08:41:19 -05:00			`module RequestForgeryProtection`
			`class Controller < ActionController::Base`
[Rails5] Force the `protect_from_forgery` callback run first Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by default anymore. [1] Instead it gets inserted into callbacks chain where callbacks get called in order. This commit forces the callback to run first. [1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191 2018-06-21 06:44:31 -04:00			`protect_from_forgery with: :exception, prepend: true`
Protect OmniAuth request phase against CSRF. 2015-04-24 11:03:18 -04:00
Fix signin with OmniAuth providers 2015-12-08 08:41:19 -05:00			`def index`
			`head :ok`
Protect OmniAuth request phase against CSRF. 2015-04-24 11:03:18 -04:00			`end`
			`end`

Fix signin with OmniAuth providers 2015-12-08 08:41:19 -05:00			`def self.app`
			`@app \|\|= Controller.action(:index)`
Protect OmniAuth request phase against CSRF. 2015-04-24 11:03:18 -04:00			`end`

Fix signin with OmniAuth providers 2015-12-08 08:41:19 -05:00			`def self.call(env)`
			`app.call(env)`
Protect OmniAuth request phase against CSRF. 2015-04-24 11:03:18 -04:00			`end`
Rescue only from ActionController::InvalidAuthenticityToken 2017-07-26 05:25:10 -04:00
			`def self.verified?(env)`
Add latest changes from gitlab-org/gitlab@master 2021-02-10 13:09:02 -05:00			`minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')`
			`.merge('rack.input' => '')`
			`call(minimal_env)`
Rescue only from ActionController::InvalidAuthenticityToken 2017-07-26 05:25:10 -04:00
			`true`
			`rescue ActionController::InvalidAuthenticityToken`
			`false`
			`end`
Protect OmniAuth request phase against CSRF. 2015-04-24 11:03:18 -04:00			`end`
			`end`