[Security] Fixes CSRF vulnerability, introduced by 53eef4f
Reported by SourceClear, Inc.
mshibuya committed Dec 25, 2016
1 parent 464440c commit b13e879
Showing 2 changed files with 15 additions and 0 deletions.
2 changes: 2 additions & 0 deletions app/controllers/rails_admin/application_controller.rb
@@ -11,6 +11,8 @@ class ActionNotAllowed < ::StandardError
end

class ApplicationController < Config.parent_controller.constantize
protect_from_forgery with: :exception

before_action :_authenticate!
before_action :_authorize!
before_action :_audit!
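Review bot: the `protect_from_forgery with: :exception` line assumes the configured parent (`Config.parent_controller.constantize`) includes `ActionController::RequestForgeryProtection`; if an application sets `parent_controller` to `ActionController::API`, this class definition will fail at load time with NoMethodError. Either guard the call (for example `protect_from_forgery with: :exception if respond_to?(:protect_from_forgery)`) or document the requirement alongside the `parent_controller` option. Since this declaration also overrides whatever strategy the parent controller chose (`:null_session`, `:reset_session`), a CHANGELOG entry saying that RailsAdmin now raises `ActionController::InvalidAuthenticityToken` on a bad token would help people upgrading.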
13 changes: 13 additions & 0 deletions spec/integration/rails_admin_spec.rb
@@ -148,4 +148,17 @@
is_expected.to have_selector('.label-danger')
end
end

describe 'CSRF protection' do
before do
allow_any_instance_of(ActionController::Base).to receive(:protect_against_forgery?).and_return(true)
end

it 'is enforced' do
visit new_path(model_name: 'league')
fill_in 'league[name]', with: 'National league'
find('input[name="authenticity_token"]', visible: false).set("invalid token")
expect { click_button 'Save' }.to raise_error ActionController::InvalidAuthenticityToken
end
end
end
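Review bot: the new `describe 'CSRF protection'` block only covers the negative path, and because `allow_any_instance_of(ActionController::Base)` forces `protect_against_forgery?` to true for every controller, the example would still pass if `verify_authenticity_token` were inherited from the dummy app's own parent controller rather than added by this commit. Add a positive case that submits the same form with its real token and expects the league to be saved (the case the comments below report as broken), and prefer enabling `config.action_controller.allow_forgery_protection = true` around just this example over stubbing every controller instance, so the spec exercises the real `protect_from_forgery` declaration instead of a stub.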

3 comments on commit b13e879

@Bartuz Bartuz commented on b13e879 Apr 12, 2017


IMHO, for such crucial parts of the system there should be an unstubbed version of this spec (without allow_any_instance_of).

@tinbka tinbka commented on b13e879 Jun 8, 2017


FWIW, after enabling the CSRF protection I ran into the problem:
rails/rails#21948 (comment)

It might or might not be related to how forms are created in RailsAdmin specifically.

@juanibiapina

I also can't submit forms because of this. Reported here: #2830
