Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
8ce8b21f
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
8ce8b21f
编写于
6月 21, 2017
作者:
B
blackst0ne
提交者:
Douwe Maan
7月 26, 2017
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Refactor CSRF protection
上级
29022350
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
8 addition
and
34 deletion
+8
-34
changelogs/unreleased/33601-add-csrf-token-verification-to-api.yml
...s/unreleased/33601-add-csrf-token-verification-to-api.yml
+1
-1
config/initializers/omniauth.rb
config/initializers/omniauth.rb
+1
-1
lib/api/helpers.rb
lib/api/helpers.rb
+2
-30
lib/gitlab/request_forgery_protection.rb
lib/gitlab/request_forgery_protection.rb
+4
-2
未找到文件。
changelogs/unreleased/33601-add-csrf-token-verification-to-api.yml
浏览文件 @
8ce8b21f
---
title
:
Add CSRF token verification to API
merge_request
:
12154
author
:
@
blackst0ne
author
:
Vitaliy @blackst0ne Klachkov
config/initializers/omniauth.rb
浏览文件 @
8ce8b21f
...
...
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
# In case of auto sign-in, the GET method is used (users don't get to click on a button)
OmniAuth
.
config
.
allowed_request_methods
<<
:get
if
Gitlab
.
config
.
omniauth
.
auto_sign_in_with_provider
.
present?
OmniAuth
.
config
.
before_request_phase
do
|
env
|
OmniAuth
::
RequestForgeryProtection
.
call
(
env
)
GitLab
::
RequestForgeryProtection
.
call
(
env
)
end
if
Gitlab
.
config
.
omniauth
.
enabled
...
...
lib/api/helpers.rb
浏览文件 @
8ce8b21f
...
...
@@ -328,33 +328,6 @@ module API
private
def
xor_byte_strings
(
s1
,
s2
)
s2_bytes
=
s2
.
bytes
s1
.
each_byte
.
with_index
{
|
c1
,
i
|
s2_bytes
[
i
]
^=
c1
}
s2_bytes
.
pack
(
'C*'
)
end
# Check if CSRF tokens are equal.
# The header token is masked.
# So, before the comparison it must be unmasked.
def
csrf_tokens_valid?
(
request
)
session_token
=
request
.
session
[
'_csrf_token'
]
header_token
=
request
.
headers
[
'X-Csrf-Token'
]
session_token
=
Base64
.
strict_decode64
(
session_token
)
header_token
=
Base64
.
strict_decode64
(
header_token
)
# Decoded CSRF token passed from the frontend has to be 64 symbols long.
return
false
if
header_token
.
size
!=
64
header_token
=
xor_byte_strings
(
header_token
[
0
...
32
],
header_token
[
32
..-
1
])
ActiveSupport
::
SecurityUtils
.
secure_compare
(
session_token
,
header_token
)
rescue
false
end
def
private_token
params
[
APIGuard
::
PRIVATE_TOKEN_PARAM
]
||
env
[
APIGuard
::
PRIVATE_TOKEN_HEADER
]
end
...
...
@@ -363,10 +336,9 @@ module API
env
[
'warden'
]
end
# Check if CSRF tokens are valid.
def
verified_request?
request
=
Grape
::
Request
.
new
(
env
)
request
.
head?
||
request
.
get?
||
csrf_tokens_valid?
(
request
)
GitLab
::
RequestForgeryProtection
.
call
(
env
)
end
# Check the Rails session for valid authentication details
...
...
lib/
omni_auth
/request_forgery_protection.rb
→
lib/
gitlab
/request_forgery_protection.rb
浏览文件 @
8ce8b21f
# Protects OmniAuth request phase against CSRF.
# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)
module
OmniAuth
module
GitLab
module
RequestForgeryProtection
class
Controller
<
ActionController
::
Base
protect_from_forgery
with: :exception
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录