From b13e879eb93b661204e9fb5e55f7afa4f397537a Mon Sep 17 00:00:00 2001
From: "M.Shibuya"
Date: Sun, 25 Dec 2016 13:50:23 +0900
Subject: [PATCH] [Security] Fixes CSRF vulnerability, introduced by 53eef4fe2ec0953381f4e3197c885adc0423dd49

Reported by SourceClear, Inc.
---
 .../rails_admin/application_controller.rb | 2 ++
 spec/integration/rails_admin_spec.rb | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/app/controllers/rails_admin/application_controller.rb b/app/controllers/rails_admin/application_controller.rb
index d933063f96..ed7fee5cb0 100644
--- a/app/controllers/rails_admin/application_controller.rb
+++ b/app/controllers/rails_admin/application_controller.rb
@@ -11,6 +11,8 @@ class ActionNotAllowed < ::StandardError
   end
 
   class ApplicationController < Config.parent_controller.constantize
+    protect_from_forgery with: :exception
+
     before_action :_authenticate!
     before_action :_authorize!
     before_action :_audit!
diff --git a/spec/integration/rails_admin_spec.rb b/spec/integration/rails_admin_spec.rb
index 32406fdc6f..07e3d29642 100644
--- a/spec/integration/rails_admin_spec.rb
+++ b/spec/integration/rails_admin_spec.rb
@@ -148,4 +148,17 @@
         is_expected.to have_selector('.label-danger')
       end
     end
+
+  describe 'CSRF protection' do
+    before do
+      allow_any_instance_of(ActionController::Base).to receive(:protect_against_forgery?).and_return(true)
+    end
+
+    it 'is enforced' do
+      visit new_path(model_name: 'league')
+      fill_in 'league[name]', with: 'National league'
+      find('input[name="authenticity_token"]', visible: false).set("invalid token")
+      expect { click_button 'Save' }.to raise_error ActionController::InvalidAuthenticityToken
+    end
+  end
 end
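Review bot: The new `protect_from_forgery with: :exception` line in `ApplicationController` carries no comment on why `:exception` was chosen over Rails' default `:null_session`, and for an admin engine that choice is the whole point: a null session would let a request with a forged or missing token proceed against an empty session instead of failing loudly. Suggest `# Fail closed: a missing or invalid token raises InvalidAuthenticityToken instead of silently continuing with a null session` directly above it. Two caveats a reader of this file will want: Rails only runs the verification when the host application's `allow_forgery_protection` setting is on (it is off by default in the test environment, which is presumably why the accompanying spec stubs `protect_against_forgery?`), and the check skips GET/HEAD, so any state-changing admin route still reachable by GET would remain unprotected — worth confirming against the engine's routes, which are not visible here. Declaring it ahead of the `before_action` list means the token check runs before `_authenticate!`/`_authorize!`/`_audit!`, which is the right order. The class body continues outside the hunk.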
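Review bot: The new `CSRF protection` example only exercises the negative path — a tampered `authenticity_token` raises — so a regression that made every token fail (a broken token in the form, a session not carried across requests) would still pass. Add a sibling example that leaves the form's own token untouched and expects the submit to go through, e.g. `it 'accepts the form token' do ... expect { click_button 'Save' }.not_to raise_error end`, presumably alongside a check that the record was created. Stubbing `protect_against_forgery?` on every `ActionController::Base` instance works, but toggling `ActionController::Base.allow_forgery_protection` in a `before`/`after` pair is the conventional way to turn the real mechanism on for a spec and restores the setting even when the example fails. The `raise_error` assertion also relies on the driver re-raising server-side exceptions (Capybara's default for rack_test), which this hunk does not show; if another driver is in use here the exception would surface as an error page instead.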