Project

last_line

0.0
No commit activity in last 3 years
No release in over 3 years
last_lineunclegene/last_lineHomepageDocumentationSource CodeBug TrackerWiki
Explicitly allow GET requests for specific actions, verify authenticity token on GET
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
6,644
Stars
1
Forks
0
Watchers
2
 Releases
Current version
0.0.2
Total releases
2
First release
2013-03-10
Latest release
2013-07-28
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2013-04-03
Reverse Dependencies
0

 Dependencies

Runtime

rails
~> 3.1
 Project Readme

Code Climate

LastLine

Last Line of CSRF Defence

Rails provides CSRF protection for your application out of the box. This protection covers only non-GET (or HEAD) requests, as GET requests are not supposed to change any state. Unfortunately, there are two main gaps in default CSRF prevention:

  • Routing information is handled independently from controller logic. It is not trivial to trace which actions are allowed to process GET requests. Most common example - un-commenting generic route match ':controller(/:action(/:id))(.:format)' (hidden at the end of routes.rb) opens all controller actions to GET requests.

  • Sometimes it is important to provide CSRF protection for GET requests too. Common use case for this - redirect from external service, like third party authentication.

LastLine is an attempt to bridge these gaps. It provides

  • Whitelisting actions for GET requests on controller level

  • A way to verify authenticity token for GET request

Installation

Include in your Gemfile

gem 'last_line'

and run

bundle install

Usage

Whitelisting GET actions

To require GET request whitelisting for the whole application, insert protect_from_gets in your ApplicationController after protect_from_forgery:

class ApplicationController < ActionController::Base
  protect_from_forgery
  protect_from_gets
  [...]
end

In case you want to whitelist GETs in a particular controller only, insert the same line in your controller instead of ApplicationController (not recommended)

If you want to whitelist GET actions in your application, but exclude some controller from whitelisting (not recommended):

class MySafeController < ApplicationController
  allow_gets :all
end

The best (easiest to trace) way to whitelist a particular action is to add allow_get :action after its definition:

def index
  [...]
end
allow_get :index

Alternatively you can whitelist all actions in the same place. For this include in your controller

allow_gets :only => [:action1, :action2]

There is also a simple way to do blacklisting instead of whitelisting (not recommended, as it is much less reliable):

allow_gets :except => [:action1, :action2]

CSRF protection for GET actions

You can protect specific action from CSRF by specifying it as a protected_get. Such protection will automatically whitelist corresponding action for GET requests.

def redirected
  [...]
end
protected_get :redirected

When this action is called without form_authenticity_token as explicit parameter or in the header, handle_unverified_request will be called (default Rails behavior is to clear session data)

You can add token as a parameter to your get request providing it explicitly

<%= link_to 'Protected get', some_defined_path(request_forgery_protection_token => form_authenticity_token) %>

Please be aware that protected_get adds its filter on top of filter chain to avoid potential side effects of other filters. It means that none of subsequent filters that rely on session data will work if request is not verified