Fix bug in csrf token validation for mass update

null-open-security-community · Mar 13, 2020 · a49cc9e · a49cc9e
1 parent c46360e
commit a49cc9e
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/app/controllers/leads/event_registrations_controller.rb b/app/controllers/leads/event_registrations_controller.rb
@@ -15,7 +15,7 @@ def mass_update
     @event_registrations = @event.event_registrations
 
     errors = []
-    if params[:token] == form_authenticity_token
+    if verified_request?
       params[:event_registrations].each do |event_registration|
         begin
           @event_registrations.find(event_registration[:id]).set_state!(event_registration[:state])
@@ -26,10 +26,14 @@ def mass_update
           }
         end
       end
+    else
+      errors << {
+        error_message: 'Form authenticity token mismatch'
+      }
     end
 
     respond_to do |format|
-      if errors.any?
+      unless errors.any?
         format.json { render :json => {'status' => 'OK'} }
       else
         # Some or all have raised error

diff --git a/app/models/event_registration.rb b/app/models/event_registration.rb
@@ -43,10 +43,11 @@ def as_json(*args)
     super(:only => [:id, :event_id, :user_id, :accepted, :created_at, :updated_at, :state, :visible])
   end
 
-  def set_state!(state)
-    raise "Invalid State" unless STATE_ALL.include?(state)
+  def set_state!(new_state)
+    raise "Invalid State" unless STATE_ALL.include?(new_state)
+    return if self.state == new_state
 
-    self.state = state
+    self.state = new_state
     self.save!
   end
 

diff --git a/app/views/leads/event_registrations/index.html.erb b/app/views/leads/event_registrations/index.html.erb
@@ -52,8 +52,7 @@
 <script type='text/javascript'>
   $('#registration_update_btn').click(function() {
     var update_map = { 
-      'event_registrations': [],
-      'token': '<%= form_authenticity_token %>'
+      'event_registrations': []
     };
 
     $.each($('.event_registration_select'), function(index, value) {
@@ -65,9 +64,13 @@
 
     $.ajax({
       'type': 'PUT',
-      'url': '<%= mass_update_leads_event_event_registrations_path(@event) %>',
+      'url': '<%= mass_update_leads_event_event_registrations_path(@event, format: 'json') %>',
       'data': JSON.stringify(update_map),
       'contentType': 'application/json',
+      'headers': {
+        'accept': 'application/json',
+        'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
+      },
       'success': function(result) {
         alert('Successfully updated records.');
       },