Security: Turn on protect_from_forgery for admin/

The Rails protect_from_forgery function helps protect against cross-site
request forgery attacks, as described on Wikipedia:

  http://en.wikipedia.org/wiki/Cross-site_request_forgery

These attacks involve a hostile site sending requests to a site where
the user is logged in, exploiting the user's session cookie to do
various bad things.

The protect_from_forgery function works by requiring all POST (and PUT
and UPDATE) requests to have an authenticity_token parameter that
corresponds to a value in the user's session.  This is automatically
included in generated forms by the various form helpers, and checked in
the controller.  However, we still need to deal with some cases
(specifically Ajax.Request) manually.

We make several types of changes to get everything working again:
  - Some POST requests were changed to GET requests, when appropriate.
  - The token was added manually to other POST requests.  This was
    done using the new init_mephisto_authenticity_token.
  - Forgery protection was disabled in the test environment.

Note that we still need to review the authentication controller closely,
and eliminate various XSS attacks against our application before this
protection will do much good.

I tested this code by manually using the admin/ interface, editing
articles, adding users, and working with assets.  There's probably still
some breakage somewhere that I missed, so let me know if you have problems.

I also updated the TODO list for Rails 2.2 and added security-auditing
notes.

RAILS-2.2-TODO.txt

@@ -1,22 +1,11 @@
 This is a list of issues that we need to fix before making a Mephisto
 release based on Rails 2.2.
 
+/ Try to upgrade to gem version of coderay
+  Make sure both old- and new-style plugins work
+  Security audit--see blow
   Drop TZInfo completely--see app/models/site.rb (fix docs, too)
-  Handle inactive users with named scopes, not acts_as_versioned
-  SECURITY: Don't ship :session_key in environment.rb!
-  Try to upgrade to gem version of coderay
   We need to review our TODO comments
-  Clean out the issue tracker: http://ar-code.lighthouseapp.com/projects/34-mephisto
-  rake rails:update:javascripts => complicated because mephisto/application.js depends on older versions.
-
-== Other issues
-
-When running the unit tests, we need theme directories in themes/site-$ID.
-But this namespace is also used by the development and production
-databases.  Are the test suites clobbering user themes accidentally?  See
-spec/models/membership_spec.rb for one quick-and-dirty workaround.  Perhaps
-for all non-production environments, we should prepend RAILS-ENV to the
-theme name, giving us themes/test-site-$ID?
 
 == Security
 
@@ -26,13 +15,39 @@ We need to do a basic security audit.
     Make sure cookies are HTTP-only whenever possible
     Can we restrict admin cookies to /admin ?
     Make sure logging out clears all relevant cookies and tokens
+    Check for session fixation attacks
+    Expire sessions after a while?
   Cross-site scripting
+/   Turn on protect_against_forgery
     Check all fields in comments
+      It looks like the failed comment error form has issues
     Check macro:* bodies and parameters
       filtered_column_code_macro
       filtered_column_flikr_macro
     Do we have trackback support to check?
     Do we need to upgrade to an industrial-strength HTML sanitizer?
     For now, we'll assume that users with access to /admin don't try XSS
+  Password change
+    Make change-password forms safe against CSRF
+    Require the user to enter the old password when changing it
+    Require password to change e-mail address
   Everything else
+/   Don't ship :session_key in environment.rb!
+    Do we need to override verifiable_request_format?
+    Review mass assignment in public controllers
     Review http://guides.rubyonrails.org/security.html
+    Can we use SafeERB?
+
+  Admin only
+    Filter file names for uploads
+    Review mass assignment in admin controllers
+
+== After next release
+
+  Handle inactive users with named scopes, not acts_as_versioned
+  Clean out the issue tracker
+    http://ar-code.lighthouseapp.com/projects/34-mephisto
+  rake rails:update:javascripts
+    (complicated because mephisto/application.js depends on older versions)
+  Fix sidebar tabs to do something sensible with unsaved articles
+

app/controllers/admin/base_controller.rb

@@ -7,6 +7,9 @@ class Admin::BaseController < ApplicationController
   before_filter :login_from_cookie
   before_filter :login_required, :except => :feed
 
+  # See ActionController::RequestForgeryProtection for details.
+  protect_from_forgery
+
   protected
     def protect_action
       if request.get?

app/helpers/application_helper.rb

@@ -49,6 +49,12 @@ def relative_url_root
     ActionController::Base.relative_url_root
   end
 
+  # Make our form_authenticity_token token available to JavaScript.
+  def init_mephisto_authenticity_token
+    return "" unless protect_against_forgery?
+    "Mephisto.token = '#{form_authenticity_token}';"
+  end
+
   if RAILS_ENV == 'development'
     def gravatar_url_for(user, size = 80)
       'mephisto/avatar.gif'

app/views/layouts/application.rhtml

@@ -6,7 +6,7 @@
     <title><%= site.title %>: Admin <%= controller.controller_name %></title>
     <%= stylesheet_link_tag 'mephisto/mephisto' %>
     <%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/dragdrop', 'mephisto/lowpro', 'mephisto/application' %>
-    <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>';</script>
+    <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>'; <%= init_mephisto_authenticity_token %></script>
     <%= yield :head %>
   </head>
   <body>

config/environments/test.rb

@@ -3,4 +3,7 @@
 config.action_controller.consider_all_requests_local = true
 config.action_controller.perform_caching             = true
 config.action_controller.page_cache_directory        = File.join(RAILS_ROOT, 'tmp/cache')
-config.action_mailer.delivery_method = :test
+config.action_mailer.delivery_method = :test
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection    = false

lib/mephisto/routing.rb

@@ -28,7 +28,7 @@ def self.connect_with(map)
       map.overview 'admin/overview.xml', :controller => 'admin/overview', :action => 'feed'
       map.admin    'admin', :controller => 'admin/overview', :action => 'index'
       map.resources :assets, :path_prefix => '/admin', :controller => 'admin/assets', :member => { :add_bucket => :post },
-        :collection => { :latest => :post, :search => :post, :upload => :post, :clear_bucket => :post }
+        :collection => { :latest => [:get, :post], :search => [:get, :post], :upload => :post, :clear_bucket => :post }
 
       # Where oh where is my xmlrpc code?
       # map.connect 'xmlrpc', :controller => 'backend', :action => 'xmlrpc' 

public/javascripts/mephisto/application.js

@@ -157,7 +157,7 @@ TinyTab.callbacks ={
   'search-files': function(q) {
     if(!q) return;
     $('spinner').show();
-    new Ajax.Request(Mephisto.root + '/admin/assets/search', {parameters: 'q=' + escape(q)});
+    new Ajax.Request(Mephisto.root + '/admin/assets/search', {method: 'get', parameters: 'q=' + escape(q)});
   }
 };
 
@@ -300,23 +300,27 @@ var ArticleForm = {
     var articleId = location.href.match(/\/([0-9]+)\/(edit|upload)/)[1];
     var attached  = $('attached-widget-' + assetId);
     if(attached) return;
-    new Ajax.Request('/admin/articles/attach/' + articleId + '/' + assetId);
+    new Ajax.Request('/admin/articles/attach/' + articleId + '/' + assetId,
+                     { parameters: 'authenticity_token=' + Mephisto.token });
     $$('.widget').each(function(asset) { if(assetId == asset.getAttribute('id').match(/-(\d+)$/)[1]) asset.addClassName('selected-widget'); });
   },
 
   labelAsset: function(assetId) {
     var articleId = location.href.match(/\/([0-9]+)\/(edit|upload)/)[1];
     var attached  = $('attached-widget-' + assetId);
     var label     = $('attached-widget-version-' + assetId);
-    new Ajax.Request('/admin/articles/label/' + articleId + '/' + assetId + '?label=' + escape(label.value));
+    new Ajax.Request('/admin/articles/label/' + articleId + '/' + assetId,
+                     { parameters: 'authenticity_token=' + Mephisto.token +
+                         '&label=' + escape(label.value) });
     if(attached) return;
   },
 
   detachAsset: function(assetId) {
     var articleId = location.href.match(/\/([0-9]+)\/(edit|upload)/)[1];
     var attached  = $('attached-widget-' + assetId);
     if(!attached) return;
-    new Ajax.Request('/admin/articles/detach/' + articleId + '/' + assetId);
+    new Ajax.Request('/admin/articles/detach/' + articleId + '/' + assetId,
+                     { parameters: 'authenticity_token=' + Mephisto.token });
     new Effect.DropOut(attached, {afterFinish: function() { attached.remove(); }});
     $$('.widget').each(function(asset) { if(assetId == asset.getAttribute('id').match(/-(\d+)$/)[1]) asset.removeClassName('selected-widget'); });
   },

spec/controllers/admin/articles_controller_spec.rb

@@ -0,0 +1,15 @@
+require File.dirname(__FILE__) + '/../../spec_helper'
+
+describe Admin::ArticlesController do
+  controller_name "admin/articles"
+  integrate_views
+
+  it "should route /admin/articles/attach and friends correctly" do
+    params = { :controller => "admin/articles", :action => "attach",
+               :id => '1', :version => "2" }
+    params_from(:post, "/admin/articles/attach/1/2").should == params
+    params = { :controller => "admin/articles", :action => "detach",
+               :id => '1', :version => "2" }
+    params_from(:post, "/admin/articles/detach/1/2").should == params
+  end
+end