Skip to content

Commit

Permalink
Add 'protect_from_forgery` to turn on Rail's built-in protection.
Browse files Browse the repository at this point in the history
Since the Doorkeeper controllers inherit from Doorkeeper::Application (which inherits directly from ActionController::Base) and not ApplicationController, they never call `protect_from_forgery`, which means that non-GET methods don’t validate CSRF tokens. Thus, it’s possible for an attacker to host a form on an arbitrary URL, and if a users is logged into a site that uses Doorkeeper visits the URL, the attacker can grant access to a application on that site.
  • Loading branch information
phillbaker committed Dec 10, 2014
1 parent ed26117 commit c1b5c45
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 0 deletions.
6 changes: 6 additions & 0 deletions app/controllers/doorkeeper/application_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,12 @@ module Doorkeeper
class ApplicationController < ActionController::Base
include Helpers::Controller

if ::Rails.version.to_i < 4
protect_from_forgery
else
protect_from_forgery with: :exception
end

helper 'doorkeeper/dashboard'
end
end
23 changes: 23 additions & 0 deletions spec/requests/endpoints/authorization_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -51,4 +51,27 @@
i_should_see_translated_error_message :unsupported_response_type
end
end

context 'forgery protection enabled' do
before do
ActionController::Base.allow_forgery_protection = true
end

after do
ActionController::Base.allow_forgery_protection = false
end

background do
create_resource_owner
sign_in
end

scenario 'raises exception on forged requests' do
ActionController::Base.any_instance.should_receive(:handle_unverified_request)
post "/oauth/authorize",
client_id: @client.uid,
redirect_uri: @client.redirect_uri,
response_type: 'code'
end
end
end

2 comments on commit c1b5c45

@duduribeiro
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@renatovico
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cool, but a option for skip this check if necessary is interesting

Please sign in to comment.