Make CSRF failure logging optional/configurable. #14280

Merged
merged 1 commit into from Mar 8, 2014

5 participants

Contributor
joho commented Mar 5, 2014

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.

My reasoning is that I'm using papertrailapp on an app that is maybe 80% API, and I'm explicitly using null_session to ignore CSRF problems on my API endpoints safely, but I am getting a lot of log noise which isn't very helpful. I thought about overriding verify_authenticity_token in my app code, but the comments suggest that is a bad idea, and I agree. However, as the logging happens in there rather than in any of the protection method classes, I can't override the behaviour the preferred way.

The other implementation options I've thought of:

  • push all the logging down into the classes in ProtectionMethods and then I re-implement NullSession in my own app code as QuietNullSession
  • add a QuietNullSession to ProtectionMethods

I prefer it to be a config option because that way I don't have to worry about keeping my CSRF stuff in sync with rails over time, because honestly I'm unlikely to, and then security will happen to me.
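To make the design point in the post above concrete, here is a small illustrative model (added here; not Rails code) of a forgery check where the warning lives in the verify step, ahead of a pluggable protection method such as null_session, and is gated by a `log_warning_on_csrf_failure` flag. The class names, the in-memory logger and the request hash are all assumptions for the illustration.

```ruby
# Illustrative model of the logging/protection-method split discussed in the
# PR. Not Rails code: class and method names are constructed for this example.
class MemoryLogger
  attr_reader :lines
  def initialize; @lines = []; end
  def warn(msg); @lines << msg; end
end

# Mirrors null_session: drop the session for this request and continue.
class NullSession
  def handle(request)
    request[:session] = {}
    :continued
  end
end

# Mirrors the exception strategy: abort the request instead.
class RaiseException
  class InvalidToken < StandardError; end
  def handle(_request); raise InvalidToken, "CSRF token mismatch"; end
end

class ForgeryProtection
  attr_accessor :log_warning_on_csrf_failure

  def initialize(method:, logger:)
    @method = method
    @logger = logger
    @log_warning_on_csrf_failure = true # on by default, as in the PR
  end

  # The warning is emitted here, before the protection method runs, so a
  # quiet API endpoint needs the flag rather than a custom method class.
  def verify(request)
    return :verified if verified_request?(request)
    @logger.warn("Can't verify CSRF token authenticity") if log_warning_on_csrf_failure
    @method.handle(request)
  end

  private

  def verified_request?(request)
    return true if %w[GET HEAD].include?(request[:method]) # safe methods
    token = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
    !token.nil? && secure_compare(token, request[:session][:csrf_token].to_s)
  end

  # Constant-time comparison so token checks do not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed API-style POST; token is nil for the unauthenticated-client case.
def run_example(log_warning:, token: nil, method: NullSession.new)
  logger = MemoryLogger.new
  fp = ForgeryProtection.new(method: method, logger: logger)
  fp.log_warning_on_csrf_failure = log_warning
  params = token ? { "authenticity_token" => token } : {}
  request = { method: "POST", params: params, headers: {},
              session: { csrf_token: "abc", user_id: 42 } }
  [fp.verify(request), request[:session], logger.lines]
end
```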

Make CSRF failure logging optional/configurable.
Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.

dnch commented Mar 5, 2014

👍

robin850 added the actionpack label Mar 5, 2014

robin850 added this to the 4.2.0 milestone Mar 5, 2014

Contributor

joho commented Mar 7, 2014

@NZKoz as the committer that had a bunch to do with #7616 have you any thoughts?

Member

NZKoz commented Mar 7, 2014

A config option to silence the log message sounds simplest, and I have no objection to it being included.

Contributor

joho commented Mar 7, 2014

So... last time I put in a patch, everything was still Lighthouse and patch files.

What now?

spastorino added a commit that referenced this pull request Mar 8, 2014

Merge pull request #14280 from joho/make_csrf_failure_logging_optional
Make CSRF failure logging optional/configurable.

spastorino merged commit 2af7a7b into rails:master Mar 8, 2014

1 check passed

default The Travis CI build passed