Module: Ramaze::Helper::CSRF
- Defined in:
- lib/ramaze/helper/csrf.rb
Overview
A relatively basic yet useful helper that can be used to protect your application from CSRF attacks/exploits. Note that this helper merely generates the required data, and provides several methods. You still need to manually add the token to each form.
The reason for this is because this is quite simple. Ramaze is meant as a framework that works with any given helper, ORM, template engine and so on. If we were to automatically load this helper and include (a perhaps more advanced) CSRF system that would mean that every form helper, official or third-party, would have to support that specific system. However, there’s no need to panic as it’s very easy to setup a basic anti CSRF system.
Usage
In order to enable CSRF protection we need to do two things. Load the helper and create a before_all block in a controller. Take a look at the following code:
class BaseController < Ramaze::Controller before_all do puts "Hello, before_all!" end end
This would output "Hello, before_all!" to the console upon each request. Not very useful but it does show what the before_all block can do. On to actual CSRF related code!
class BaseController < Ramaze::Controller before_all do csrf_protection :save do # .... end end end
This example introduces an extra block that validates the current request. Whenever a user requests a controller that either extends BaseController or has it’s own before_all block Ramaze will check if the current request data contains a CSRF token. Of course an if/end isn’t very useful if it doesn’t do anything, let’s add some code.
class BaseController < Ramaze::Controller before_all do csrf_protection :save do puts "Hello, unsafe data!" end end end
The code above checks if the current method is "save" (or any other of the provided methods) and checks if an CSRF token is supplied if the method matches. Protected methods require a token in ALL HTTP requests (GET, POST, etc). While this may seem weird since GET is generally used for safe actions it actually makes sense. Ramaze stores both the POST and GET parameters in the request.params hash. While this makes it easy to work with POST/GET data this also makes it easier to spoof POST requests using a GET request, thus this helper protects ALL request methods.
If you’re a lazy person you can copy-paste the example below and adapt it to your needs.
class BaseController < Ramaze::Controller before_all do csrf_protection :save do respond("The supplied CSRF token is invalid.", 401) end end end
Instance Method Summary (collapse)
-
- (Object) csrf_protection(*methods, &block)
Method that can be used to protect the specified methods against CSRF exploits.
-
- (Void) generate_csrf_token(args = {})
Generate a new token and create the session array that will be used to validate the client.
-
- (String) get_csrf_token
Retrieves the current value of the CSRF token.
-
- (Bool) validate_csrf_token(input_token)
Validates the request based on the current session date stored in _csrf.
Instance Method Details
- (Object) csrf_protection(*methods, &block)
Method that can be used to protect the specified methods against CSRF exploits. Each protected method will require the token to be stored in a field called "csrf_token". This method will then validate that token against the current token in the session.
100 101 102 103 104 105 106 107 108 |
# File 'lib/ramaze/helper/csrf.rb', line 100 def csrf_protection *methods, &block # Only protect the specified methods if methods.include?(action.name) or methods.include?(action.name.to_sym) # THINK: For now the field name is hard-coded to "csrf_token". While # this is perfectly fine in most cases it might be a good idea # to allow developers to change the name of this field (for whatever the reason). yield unless validate_csrf_token(request.params['csrf_token']) end end |
- (Void) generate_csrf_token(args = {})
Generate a new token and create the session array that will be used to validate the client. The following items are stored in the session:
- token: An unique hash that will be stored in each form
- agent: The visitor’s user agent
- ip: The IP address of the visitor
- time: Timestamp that indicates at what time the data was generated.
Note that this method will be automatically called if no CSRF token exists.
125 |
# File 'lib/ramaze/helper/csrf.rb', line 125 def generate_csrf_token args = {} |
- (String) get_csrf_token
Retrieves the current value of the CSRF token.
162 163 164 165 166 167 168 169 |
# File 'lib/ramaze/helper/csrf.rb', line 162 def get_csrf_token if !session[:_csrf] || !self.validate_csrf_token(session[:_csrf][:token]) self.generate_csrf_token end # Land ho! return session[:_csrf][:token] end |
- (Bool) validate_csrf_token(input_token)
Validates the request based on the current session date stored in _csrf. The following items are verified:
- Do the user agent, ip and token match those supplied by the visitor?
- Has the token been expired? (after 15 minutes).
If any of these checks fail this method will return FALSE. It’s your job to take action based on the results of this method.
192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 |
# File 'lib/ramaze/helper/csrf.rb', line 192 def validate_csrf_token(input_token) # Check if the CSRF data has been generated and generate it if this # hasn't been done already (usually on the first request). if !session[:_csrf] or session[:_csrf].empty? self.generate_csrf_token end _csrf = session[:_csrf] # Mirror mirror on the wall, who's the most secure of them all? session[:_csrf][:token] == input_token && (Time.now.to_f - _csrf[:time]) <= _csrf[:ttl] && _csrf[:host] == request.env['REMOTE_HOST'] && _csrf[:ip] == request.env['REMOTE_ADDR'] && _csrf[:agent] == request.env['HTTP_USER_AGENT'] end |