publiclab / plots2

a collaborative knowledge-exchange platform in Rails; we welcome first-time contributors! :balloon:
https://publiclab.org
GNU General Public License v3.0
957 stars, 1.83k forks

Add CSRF protection in entire application - Long term project #744

Open lalithr95 opened 8 years ago

lalithr95 commented 8 years ago

What happened just before the problem occurred

This could be added as a sub-project for the next GSoC. Most of the forms used in PublicLab don't contain a CSRF token parameter, since we don't use the Rails form helpers form_tag / form_for.

It would be nice to replace the <form tag with form_tag, which will add the CSRF token automatically. Once you get one form working, it would be the same for the other forms as well. Solving this issue could actually introduce you to the different views and features of PublicLab.

Tests

As functional tests don't have CSRF protection enabled, you need to add a test something like the one below to test CSRF protection.

  # Forgery protection is switched off in the test environment, so it is
  # re-enabled only for the duration of this one request.
  test "#generate_token ensures CSRF protection" do
    assert_raise ActionController::InvalidAuthenticityToken do
      with_forgery_protection do
        # A bogus token must be rejected once protection is on.
        post :some_action, authenticity_token: :random
      end
    end
  end

  private

  def with_forgery_protection
    old_value = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    yield
  ensure
    # Restore the global setting so other tests are unaffected.
    ActionController::Base.allow_forgery_protection = old_value
  end

PublicLab.org username

Lalithr95 (to help reproduce the issue)

cc: @jywarren

jywarren commented 8 years ago

Hi, Lalith - will this be a help-wanted tag? Maybe we should add links to the CSRF token controller code. I also believe that rails.js (https://github.com/rails/jquery-ujs) has CSRF token functions built in.

Note also that a CSRF token is sent with inline image uploads on the old system, at https://publiclab.org/post/ --

https://github.com/publiclab/plots2/issues/739 shows how I'm trying to ensure this works in the new Rich Editor as well.


grvsachdeva commented 5 years ago

@jywarren do we need this issue?

jywarren commented 5 years ago

I think it's a good idea for someone to go through and ensure we are using this properly; best keep open. Thanks!


anirudhprabhakaran3 commented 3 years ago

Isn't CSRF protection built into Rails?

Also, in application_controller.rb, we have

protect_from_forgery unless: -> { is_dataurl_post }

In app/views/comments/_form.html.erb, in the form we have

    <input 
      type="hidden" 
      name="authenticity_token" 
      value="<%= form_authenticity_token %>"
    />

Is this how it should be extended to other forms?
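As an added illustration (not code from plots2, and not the Rails source itself): a pure-Ruby model of the masked authenticity-token scheme Rails uses for `form_authenticity_token` and `protect_from_forgery`. It shows what the hidden `authenticity_token` input above actually carries, why two renders of the same form get different values, and why the test in the opening comment expects `authenticity_token: :random` to be rejected. Assumptions: the session is a plain Hash, the `InvalidAuthenticityToken` class stands in for `ActionController::InvalidAuthenticityToken`, and the per-form tokens and Origin-header check that Rails also performs are left out.

```ruby
require 'securerandom'
require 'base64'

# Stand-in for ActionController::InvalidAuthenticityToken (assumption).
class InvalidAuthenticityToken < StandardError; end

# Model of the masked CSRF token scheme used by Rails'
# ActionController::RequestForgeryProtection. Illustration only; the
# session is modelled as a plain Hash.
module CsrfModel
  TOKEN_LENGTH = 32

  # The per-session secret. Rails keeps it in session[:_csrf_token];
  # this raw value itself is never written into a form.
  def self.real_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
    Base64.strict_decode64(session[:_csrf_token])
  end

  # What form_authenticity_token returns: pad || (pad XOR secret), base64.
  # A fresh one-time pad per render means every form carries a different
  # value, so the secret never appears verbatim in a response body.
  def self.masked_token(session)
    secret = real_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor_bytes(pad, secret))
  end

  # What the verification step does with params[:authenticity_token].
  # True only if the unmasked value equals this session's secret.
  def self.valid_token?(session, encoded)
    return false unless encoded.is_a?(String)
    begin
      raw = Base64.strict_decode64(encoded)
    rescue ArgumentError
      return false            # not base64 at all (e.g. "random")
    end
    secret = real_token(session)
    case raw.bytesize
    when TOKEN_LENGTH         # legacy unmasked token
      secure_compare(raw, secret)
    when TOKEN_LENGTH * 2     # masked token: strip the pad first
      pad    = raw.byteslice(0, TOKEN_LENGTH)
      masked = raw.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
      secure_compare(xor_bytes(pad, masked), secret)
    else
      false
    end
  end

  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so response timing cannot leak the secret.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Simulates a controller action behind protect_from_forgery with: :exception.
  def self.handle_post(session, params)
    token = params['authenticity_token']
    raise InvalidAuthenticityToken unless valid_token?(session, token)
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  first  = CsrfModel.masked_token(session)   # value rendered into form #1
  second = CsrfModel.masked_token(session)   # value rendered into form #2
  puts "renders differ:      #{first != second}"
  puts "first accepted:      #{CsrfModel.valid_token?(session, first)}"
  puts "second accepted:     #{CsrfModel.valid_token?(session, second)}"
  puts "'random' accepted:   #{CsrfModel.valid_token?(session, 'random')}"
  puts "other session token: #{CsrfModel.valid_token?({}, first)}"
end
```

A form written as a raw `<form>` without the hidden input sends no token at all, which falls into the `else false` branch here just as a garbage token does; that is the gap this issue is about, and both `form_tag`/`form_for` and the manual `form_authenticity_token` input shown above close it. The `is_dataurl_post` exception in the controller is a hole in that coverage and deserves the same scrutiny.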