Conversation

@adrien-k
Contributor

@adrien-k adrien-k commented Apr 26, 2021

This can lead to a serious security issue if used as advised in the README:

You can also set any specific HTTP header using the same way. As mentioned above, headers are thread-safe, so you can set headers dynamically, even in a multi-threaded environment:

ActiveResource::Base.headers['Authorization'] = current_session_api_token

If we consider this simple model:

class ApiModel < ActiveResource::Base
  self.site = "http://api.some-site.com"
end

And the following sequence:

ActiveResource::Base.headers['Authorization'] = "Bob's TOKEN"
# Request made in Bob's name
ApiModel.find(1)

ActiveResource::Base.headers['Authorization'] = "Alice's TOKEN"
# The request is still made with Bob's credentials, as ApiModel did read the header and kept a stale copy of it!!!
ApiModel.find(1)

The fix should be compatible with the thread-safe attribute, although the code may need a second look.
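The stale-copy behaviour described above, reproduced in a self-contained model (an added example, not code from this PR or from ActiveResource): BuggyHeaders is an assumed simplification of an inherited, thread-local headers hash whose merged result gets cached on the subclass, and FreshHeaders shows a variant that stores only per-class overrides and resolves the superclass chain on every read. Class names, the token strings and the `effective_headers` reader are constructed for the example.

```ruby
# Constructed model, not ActiveResource's code: BuggyHeaders approximates the
# inherited-headers mechanism reported above; FreshHeaders is a fixed variant.
module BuggyHeaders
  # Reading merges the parent's headers into this class's own thread-local slot
  # and stores the result, so the subclass's copy of 'Authorization' shadows
  # any later change made on the parent.
  def headers
    slot = (Thread.current[:buggy_headers] ||= {})
    slot[object_id] ||= {}
    if superclass.respond_to?(:headers)
      slot[object_id] = superclass.headers.merge(slot[object_id])
    else
      slot[object_id]
    end
  end
end

module FreshHeaders
  # Writes go to the class's own slot only; nothing inherited is stored here.
  def headers
    (Thread.current[:fresh_headers] ||= {})[object_id] ||= {}
  end

  # The effective set is rebuilt from the superclass chain on each read and
  # never cached, so a token changed on the base class is used immediately.
  def effective_headers
    inherited = superclass.respond_to?(:effective_headers) ? superclass.effective_headers : {}
    inherited.merge(headers)
  end
end

class BuggyBase; extend BuggyHeaders; end
class BuggyModel < BuggyBase; end
class FreshBase; extend FreshHeaders; end
class FreshModel < FreshBase; end

# Replays the sequence from the report: set Bob's token, "make a request"
# (read the headers through the model), switch to Alice's token, read again.
# Returns the Authorization value the second request would carry.
def second_request_token(base, model, reader)
  base.headers["Authorization"] = "Bob's TOKEN"
  model.public_send(reader)["Authorization"]   # request made in Bob's name
  base.headers["Authorization"] = "Alice's TOKEN"
  model.public_send(reader)["Authorization"]   # what the next request sends
end

if __FILE__ == $0
  puts "buggy: #{second_request_token(BuggyBase, BuggyModel, :headers)}"
  puts "fixed: #{second_request_token(FreshBase, FreshModel, :effective_headers)}"
end
```

Running it prints Bob's token for the buggy model and Alice's for the fixed one; the difference is entirely whether the merged hash is written back to the subclass's slot.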

@adrien-k adrien-k force-pushed the fix-headers-inheritance branch from 48cc3de to c0174ee on April 26, 2021 09:57
@adrien-k adrien-k force-pushed the fix-headers-inheritance branch 2 times, most recently from d763924 to cc0bdc8 on April 26, 2021 16:40
@adrien-k adrien-k force-pushed the fix-headers-inheritance branch from cc0bdc8 to 0f41a56 on April 26, 2021 16:49

rails-bot bot commented Jul 25, 2021

This issue has been automatically marked as stale because it has not been commented on for at least three months.
The resources of the Rails team are limited, and so we are asking for your help.

If it is an issue and you can still reproduce this error on the master branch,
please reply with all of the information you have about it in order to keep the issue open.

If it is a pull request and you are still interested in having it merged, please make sure it can be merged cleanly.

Thank you for all your contributions.

@rails-bot rails-bot bot added stale and removed stale labels Jul 25, 2021

rails-bot bot commented Oct 27, 2021

This issue has been automatically marked as stale because it has not been commented on for at least three months.
The resources of the Rails team are limited, and so we are asking for your help.

If it is an issue and you can still reproduce this error on the master branch,
please reply with all of the information you have about it in order to keep the issue open.

If it is a pull request and you are still interested in having it merged, please make sure it can be merged cleanly.

Thank you for all your contributions.
