New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to verify Origin header in CSRF checks #22263

Merged
merged 1 commit into from Nov 26, 2015

Conversation

Projects
None yet
7 participants
@mastahyeti
Contributor

mastahyeti commented Nov 11, 2015

We're trying to upstream some of the CSRF improvements we've made at GitHub. This first one is pretty simple. It checks the Origin header, if present, against request.base_url during the CSRF checks. This isn't fixing any existing problem, but adds another layer of defense to the Rails CSRF mitigations.

/cc @oreoshake @ptoomey3

@rails-bot

This comment has been minimized.

Show comment
Hide comment
@rails-bot

rails-bot Nov 11, 2015

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @kaspth (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

rails-bot commented Nov 11, 2015

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @kaspth (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

@mastahyeti

View changes

Show outdated Hide outdated actionpack/lib/action_controller/metal/request_forgery_protection.rb
@rafaelfranca

This comment has been minimized.

Show comment
Hide comment
@rafaelfranca
Member

rafaelfranca commented Nov 11, 2015

@jeremy

View changes

Show outdated Hide outdated actionpack/test/controller/request_forgery_protection_test.rb
# Controls whether the Origin header is checked in addition to the CSRF token.
config_accessor :forgery_protection_origin_check
self.forgery_protection_origin_check = false

This comment has been minimized.

@jeremy

jeremy Nov 11, 2015

Member

Seems this might be safely enabled by default without breaking back compat since we're permitting requests from older browsers without an Origin header. When an Origin is provided, it must match. Could see this breaking folks who deploy with a reverse proxy that rewrites the Host header, so every request would be a false-positive CSRF.

@jeremy

jeremy Nov 11, 2015

Member

Seems this might be safely enabled by default without breaking back compat since we're permitting requests from older browsers without an Origin header. When an Origin is provided, it must match. Could see this breaking folks who deploy with a reverse proxy that rewrites the Host header, so every request would be a false-positive CSRF.

This comment has been minimized.

@mastahyeti

mastahyeti Nov 11, 2015

Contributor

Yeah, it would also break apps that might run on multiple domains and POST between them. I'll defer to you folks' judgement on whether it should be enabled by default.

@mastahyeti

mastahyeti Nov 11, 2015

Contributor

Yeah, it would also break apps that might run on multiple domains and POST between them. I'll defer to you folks' judgement on whether it should be enabled by default.

This comment has been minimized.

@jeremy

jeremy Nov 24, 2015

Member

We could leave it off by default for existing apps, but turn it on by default for new apps by adding an initializer to the generator.

@jeremy

jeremy Nov 24, 2015

Member

We could leave it off by default for existing apps, but turn it on by default for new apps by adding an initializer to the generator.

This comment has been minimized.

@mastahyeti

mastahyeti Nov 25, 2015

Contributor

I added an initializer to the generator template in d17cba97dab393756c598af1019657263f101678.

@mastahyeti

mastahyeti Nov 25, 2015

Contributor

I added an initializer to the generator template in d17cba97dab393756c598af1019657263f101678.

@jeremy

View changes

Show outdated Hide outdated actionpack/lib/action_controller/metal/request_forgery_protection.rb
@kaspth

View changes

Show outdated Hide outdated actionpack/lib/action_controller/metal/request_forgery_protection.rb
@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 11, 2015

Contributor

I wrote a little Sinatra app to help test the Origin header behavior in different browsers:

require "sinatra"
require "useragent"
require "json"

get "*" do
<<HERE
<html>
  <head>
    <script>
      window.addEventListener('load', function(){
        document.querySelector('form').submit()
      })
    </script>
  </head>
  <body>
    <form action="/" method="post">
    </form>
  </body>
</html>
HERE
end

post "*" do
  JSON.dump(
    :browser  => UserAgent.parse(request.env['HTTP_USER_AGENT']).browser,
    :origin   => request.env['HTTP_ORIGIN'],
    :base_url => request.base_url
  )
end

Here's my results for port 80 and port 4567:

screen shot 2015-11-11 at 6 15 23 pm

screen shot 2015-11-11 at 6 16 08 pm

screen shot 2015-11-11 at 6 16 27 pm

screen shot 2015-11-11 at 6 16 51 pm

screen shot 2015-11-11 at 6 17 00 pm

screen shot 2015-11-11 at 6 17 11 pm

I haven't tested this with IE or over HTTPS.

Contributor

mastahyeti commented Nov 11, 2015

I wrote a little Sinatra app to help test the Origin header behavior in different browsers:

require "sinatra"
require "useragent"
require "json"

get "*" do
<<HERE
<html>
  <head>
    <script>
      window.addEventListener('load', function(){
        document.querySelector('form').submit()
      })
    </script>
  </head>
  <body>
    <form action="/" method="post">
    </form>
  </body>
</html>
HERE
end

post "*" do
  JSON.dump(
    :browser  => UserAgent.parse(request.env['HTTP_USER_AGENT']).browser,
    :origin   => request.env['HTTP_ORIGIN'],
    :base_url => request.base_url
  )
end

Here's my results for port 80 and port 4567:

screen shot 2015-11-11 at 6 15 23 pm

screen shot 2015-11-11 at 6 16 08 pm

screen shot 2015-11-11 at 6 16 27 pm

screen shot 2015-11-11 at 6 16 51 pm

screen shot 2015-11-11 at 6 17 00 pm

screen shot 2015-11-11 at 6 17 11 pm

I haven't tested this with IE or over HTTPS.

@timbreitkreutz

View changes

Show outdated Hide outdated actionpack/lib/action_controller/metal/request_forgery_protection.rb
@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 24, 2015

Contributor

@jeremy How is this looking? Anything else you'd like to see here before this merges?

Contributor

mastahyeti commented Nov 24, 2015

@jeremy How is this looking? Anything else you'd like to see here before this merges?

@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 24, 2015

Contributor

The CI is failing because of a timeout in unrelated code. Not sure how to re-run CI.

Contributor

mastahyeti commented Nov 24, 2015

The CI is failing because of a timeout in unrelated code. Not sure how to re-run CI.

@arthurnn

This comment has been minimized.

Show comment
Hide comment
@arthurnn

arthurnn Nov 24, 2015

Member

@mastahyeti i just retried that CI build

Member

arthurnn commented Nov 24, 2015

@mastahyeti i just retried that CI build

@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 24, 2015

Contributor

Thanks.

Contributor

mastahyeti commented Nov 24, 2015

Thanks.

@jeremy

View changes

Show outdated Hide outdated actionpack/lib/action_controller/metal/request_forgery_protection.rb
@jeremy

This comment has been minimized.

Show comment
Hide comment
@jeremy

jeremy Nov 24, 2015

Member

This is looking great to me. Got a couple tidbits of feedback, but +1 to merge master once someone else reviews as well.

Member

jeremy commented Nov 24, 2015

This is looking great to me. Got a couple tidbits of feedback, but +1 to merge master once someone else reviews as well.

@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 25, 2015

Contributor

I managed to test this with IE too:

screen shot 2015-11-25 at 9 00 07 am

screen shot 2015-11-25 at 9 00 21 am

screen shot 2015-11-25 at 9 02 21 am

screen shot 2015-11-25 at 9 02 32 am

Contributor

mastahyeti commented Nov 25, 2015

I managed to test this with IE too:

screen shot 2015-11-25 at 9 00 07 am

screen shot 2015-11-25 at 9 00 21 am

screen shot 2015-11-25 at 9 02 21 am

screen shot 2015-11-25 at 9 02 32 am

@rafaelfranca

View changes

Show outdated Hide outdated ...rs/rails/app/templates/config/initializers/request_forgery_protection.rb
@rafaelfranca

View changes

Show outdated Hide outdated actionpack/lib/action_controller/metal/request_forgery_protection.rb
@rafaelfranca

This comment has been minimized.

Show comment
Hide comment
@rafaelfranca

rafaelfranca Nov 25, 2015

Member

Awesome. Could you squash your commits? I'm going to merge it.

Member

rafaelfranca commented Nov 25, 2015

Awesome. Could you squash your commits? I'm going to merge it.

@jeremy

This comment has been minimized.

Show comment
Hide comment
@jeremy

jeremy Nov 25, 2015

Member

Great work on this! 👏

Member

jeremy commented Nov 25, 2015

Great work on this! 👏

@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 25, 2015

Contributor

Could you squash your commits?

I have a habit of merging master into my feature branches all the time. This makes squashing commits really difficult. I reverted all my merge commits, reset back to cb67c81 and re-committed the changes. I hope that's good enough.

Contributor

mastahyeti commented Nov 25, 2015

Could you squash your commits?

I have a habit of merging master into my feature branches all the time. This makes squashing commits really difficult. I reverted all my merge commits, reset back to cb67c81 and re-committed the changes. I hope that's good enough.

rafaelfranca added a commit that referenced this pull request Nov 26, 2015

Merge pull request #22263 from mastahyeti/csrf-origin-check
Add option to verify Origin header in CSRF checks

[Jeremy Daer + Rafael Mendonça França]

@rafaelfranca rafaelfranca merged commit e1e6499 into rails:master Nov 26, 2015

1 check failed

continuous-integration/travis-ci/pr The Travis CI build failed
Details
@rafaelfranca

This comment has been minimized.

Show comment
Hide comment
@rafaelfranca

rafaelfranca Nov 26, 2015

Member

❤️ 💚 💙 💛 💜

Member

rafaelfranca commented Nov 26, 2015

❤️ 💚 💙 💛 💜

@mastahyeti

This comment has been minimized.

Show comment
Hide comment
@mastahyeti

mastahyeti Nov 28, 2015

Contributor

💥

Contributor

mastahyeti commented Nov 28, 2015

💥

@reedloden reedloden referenced this pull request Dec 31, 2015

Merged

Per-form CSRF tokens #22275

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment