Request Forgery takes relative paths into account #32770
Conversation
Hello Rails team, I also stumbled upon the bug this PR is designed to fix. Also, I think it also has a security concern because if user developers of Rails cannot work around the bug and decide to turn off
@eileencodes not sure if you're aware of this PR or the linked issue or if you think it makes sense for either to have the security label.
@hiroshi You can just
The problem is not how to avoid the pitfall. I learnt where the pitfall is at least, but others can fall.
A colleague ran into this bug again in production, after not receiving after upgrading an older client Rails app to later Rails versions... This bug might slip through tests, because by default in Test there is no CSRF protection enabled. Could a maintainer please check if this could be merged? :) Pinging @rafaelfranca and @amatsuda because both of you had merges in that code region. Please tell me if there is a chance to have this merged/fixed.
hi @zealot128 I wonder if you still suffer the issue in the latest version of Rails.
As the method in the main branch is still the same as of 5 years ago, I would guess it would still be an issue. I might try to revive the branch and bring it up to date, but in the last 5 years there was no interest to merge it. So my motivation is quite low. I see, my original PR here also has test files attached, so it would be possible to check those test failures for compliance with the RFC URI spec.
2cc36b6 to 57a41f0
Passing relative paths into form_for and related helpers led to invalid token generations, as the tokens did not match the request.path on the POST endpoint. Variants, such as:

form_for url:
* ""
* "./"
* "./post_one"
* "post_one"

are now handled according to RFC 3986 5.2 - 5.4 (https://tools.ietf.org/html/rfc3986#section-5.2)

Limitations: double dots are not handled (../../path)

relevant issue: rails#31191
57a41f0 to e2a8bfa
Thanks @rafaelfranca for finding the time to have a look and merge it! 👍
Passing relative paths into form_for and related / derived helpers led to invalid token generations, as the tokens did not match the request.path on the POST endpoint. Variants, such as:

wouldn't generate a matching csrf-token and led to an InvalidAuthenticityToken.

I've added tests + code to handle the common cases, such as:

which are now handled according to RFC 3986 5.2 - 5.4.

Not implemented from RFC: double dots are not handled (../../path)

Relevant / fixing issue: #31191
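The resolution the commit message and this description refer to, as an added example that is not the PR's code or Rails' own: the form action's relative path is resolved against the request path per RFC 3986 5.2.2 to 5.2.4 and the per-form token is bound to the resolved path, which is what the POST's request.path will be. It goes beyond the PR by also handling the ".." segments the PR lists as unsupported; the HMAC token scheme, the session secret and the sample paths are constructed for the example and are not Rails' actual token format.

```ruby
# Added example, not code from the Rails PR or from Rails itself: resolve a form
# action's path against the request path (RFC 3986 5.2) and bind the per-form
# CSRF token to that resolved path, so it verifies on the POST the browser sends.
require "openssl"

# RFC 3986 5.2.3: all but the last segment of the base path, plus the reference.
def merge_paths(base_path, rel_path)
  return "/#{rel_path}" if base_path.empty?
  base_path.sub(%r{[^/]*\z}) { rel_path }
end

# RFC 3986 5.2.4 for absolute paths; also handles "..", which the PR left out.
def remove_dot_segments(path)
  out = []
  path.split("/", -1).each do |seg|            # -1 keeps a trailing empty segment
    next if seg == "."
    if seg == ".."
      out.pop if out.length > 1                # ".." never climbs above the root
    else
      out << seg
    end
  end
  out << "" if path.end_with?("/.", "/..")     # a trailing "." or ".." keeps the "/"
  out.join("/")
end

# RFC 3986 5.2.2 for path references: "" keeps the base path, "/x" replaces it,
# anything else is merged and normalised; query/fragment never reach request.path.
def resolve_action_path(request_path, action)
  action = action.split(/[?#]/, 2).first.to_s
  return request_path if action.empty?
  target = action.start_with?("/") ? action : merge_paths(request_path, action)
  remove_dot_segments(target)
end

# Per-form token: HMAC over method and path under a per-session secret
# (a scheme constructed for this example, not Rails' real token format).
def per_form_token(session_secret, method, path)
  OpenSSL::HMAC.hexdigest("SHA256", session_secret, "#{method.upcase}##{path}")
end

# On the POST the server recomputes for request.path and compares in constant time.
def token_valid?(session_secret, token, method, request_path)
  OpenSSL.secure_compare(token, per_form_token(session_secret, method, request_path))
end

# Token minted for the raw action string (the pre-fix behaviour the PR describes)
# versus one minted for the resolved path: returns [pre_fix_valid, post_fix_valid].
def check_form(request_path, action, secret = "constructed-session-secret")
  posted_to = resolve_action_path(request_path, action)
  [per_form_token(secret, "post", action), per_form_token(secret, "post", posted_to)]
    .map { |tok| token_valid?(secret, tok, "post", posted_to) }
end
```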