AutoForme 1.5.0 Release: Fixes CSRF Vulnerability

[jeremyevans]

Google Group Post: https://groups.google.com/g/ruby-forme/c/p1e3Gyl6wH0
Google Group Date: Fri, 18 Nov 2016 15:06:55 -0800
Google Group Sender: jeremy...@gmail.com

AutoForme 1.5.0 has been released!

This release fixes a CSRF vulnerability that has been present in AutoForme
since the initial 0.5.0 release.

Background on vulnerability:

Before AutoForme processes any action, it first checked that the action was
idempotent or the request was a post request:

def supported?
return false unless idempotent? || request.post?
...

However, the definition of idempotent? was changed during initial
development of the library and ended up relying on data that was not set
until later on in supported?, in order to avoid a denial of service
vulnerability due to arbitrary symbol creation on ruby <2.2:

@type = request.action_type.to_sym

The definition of idempotent? was:

def idempotent?
type == normalized_type
end

Because neither type nor normalized_type were initialized yet, they were
both nil, and nil == nil is true in ruby, and therefore idempotent? was
always returning true. This vulnerability was discovered when adding tests
to increase coverage, because request.post? was not covered by any tests,
when it should have been.

Remember, while 100% line coverage means nothing, <100% line coverage means
something.

Changelog:

• Allow autocompleting for associated objects even if current class doesn't
  support autocompleting (jeremyevans)

• [SECURITY] Fix check for non-idempotent GET requests (jeremyevans)

• Fix some deprecation warnings on Rails 5 (jeremyevans)

• Make sinatra routes handle namespaced models by default (jeremyevans)

Thanks,
Jeremy