This gem tries to help you detect CSRF vulnerabilities by making sure all requests that change the state of the application are verified.
Application state changes currently supported:
-
Database updates (via ActiveRecord).
This addresses to possible CSRF scenarios:
-
You have a GET method that modifies database. Rails skips verification for GET methods and thus your action is ripe for an CSRF exploit.
-
You had a POST action that wasn’t modifying the database, so you removed Rails CSRF protection on it. Later on someone added database access, making your action ripe for CSRF exploit.
In both cases this gem checks whether an action request verification occured. If not and database changes occured, it throws an exception.
This gem also modifies Rails verified_request? method to return false for GET requests. However, the behavior of allowing GET requests without verification (assuming they did not induce an application state change) is still permitted.
Database adapters tend to return a fixnum of rows affected for write queries. If return from the adapter is an enumerable (e.g. an array), it is considered read. Otherwise, it is considered write.
If you find an issue with this approach, please contact me.
All of the code is copyrighted by Google and is released under MIT license.