Add CSRF protection in entire application - Long term project

[lalithr95]

What happened just before the problem occurred

This could be added as sub-project for next GSOC.
Most of the forms used in PublicLab doesn't contain csrf token parameter as we don't use rails form helpers form_tag form_for

It could be nice to replace <form tag with form_tag with will add csrf token automatically. Once if you can get work with one form and get it working, it would be same for other forms as well. Solving this issue could actually introduce you to different views and features of PublicLab.

Tests

As functional tests doesn't have csrf enabled. you need to add a test something like below one to test csrf protection.

  test "#generate_token ensures CSRF protection" do
    assert_raise ActionController::InvalidAuthenticityToken do
      with_forgery_protection do
        post :some_action, authenticity_token: :random
      end
  end
  private
  def with_forgery_protection
    old_value = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    yield
  ensure
    ActionController::Base.allow_forgery_protection = old_value
  end

PublicLab.org username

Lalithr95
(to help reproduce the issue)

cc: @jywarren

[jywarren]

Hi, Lalith - will this be a help-wanted tag? Maybe we should add links to
CSRF token controller code. I also believe that rails.js (
https://github.com/rails/jquery-ujs) has csrf token functions built in.

Note also that a CSRF token is sent with inline image uploads on the old
system, at https://publiclab.org/post/ --

#739 shows how I'm trying to
ensure this works in the new Rich Editor as well.

On Sun, Aug 28, 2016 at 2:33 PM, Lalith Rallabhandi <
notifications@github.com> wrote:

What happened just before the problem occurred

This could be added as sub-project for next GSOC.
Most of the forms used in PublicLab doesn't contain csrf token parameter
as we don't use rails form helpers form_tag form_for

It could be nice to replace <form tag with form_tag with will add csrf
token automatically. Once if you can get work with one form and get it
working, it would be same for other forms as well. Solving this issue could
actually introduce you to different views and features of PublicLab.
Tests

As functional tests doesn't have csrf enabled. you need to add a test
something like below one to test csrf protection.

test "#generate_token ensures CSRF protection" do
assert_raise ActionController::InvalidAuthenticityToken do
with_forgery_protection do
post :some_action, authenticity_token: :random
end
end
private
def with_forgery_protection
old_value = ActionController::Base.allow_forgery_protection
ActionController::Base.allow_forgery_protection = true
yield
ensure
ActionController::Base.allow_forgery_protection = old_value
end

PublicLab.org username

Lalithr95
(to help reproduce the issue)

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#744, or mute the thread
https://github.com/notifications/unsubscribe-auth/AABfJ6SxoImyUMs0npDyKZl0sFGeFZ8eks5qkdSBgaJpZM4Ju_EV
.

[grvsachdeva]

@jywarren do we need this issue?

[jywarren]

I think it's a good idea for someone to go through and ensure we are using this properly; best keep open. Thanks!

…

On Mon, Mar 25, 2019 at 2:45 PM Gaurav Sachdeva ***@***.***> wrote: @jywarren <https://github.com/jywarren> do we need this issue? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#744 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABfJ_12idnyf_FvEfN4bozlmJbEU8RYks5vaRkcgaJpZM4Ju_EV> .

[anirudhprabhakaran3]

Isn't CSRF protection in-built to Rails?

Also, in application_controller.rb, we have

protect_from_forgery unless: -> { is_dataurl_post }

In app/views/comments/_form.html.erb, in the form we have

    <input 
      type="hidden" 
      name="authenticity_token" 
      value="<%= form_authenticity_token %>"
    />

Is this how it should be extended to other forms?