Default protect from forgery

[lugray]

Summary

Fixes #29193.

Protect from forgery by default: Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.

Also adds ActionController::Base.skip_forgery_protection as a wrapper to skip_before_action :verify_authenticity_token for disabling forgery protection.

[lugray]

r? @rafaelfranca

[rafaelfranca]

This is also going to run for ActionController::Api, so it is better to use on_load(:action_controller_base here. That way we can do:

ActiveSupport.on_load(:action_controller_base) do
  if app.config.action_controller.default_protect_from_forgery
    protect_from_forgery with: :exception
  end
end

[rafaelfranca]

We need to add this config to the configurations.md guide.

[lugray]

Done.

[Edouard-chin]

Small nitpicks, might use plus sign +skip_before_action+ for rdoc

[lugray]

Thanks!

[rafaelfranca]

Last thing. Could you add a CHANGELOG entry?

[eugeneius]

This isn't necessary, since referencing ActionController::Base on the next line will run the lazy load hooks. It's only needed when testing ActionController::Parameters options, as loading that class won't trigger the hooks.

[eugeneius]

The behaviour here doesn't depend on the environment, so I'd ✂️ "on production" from the test name.

[eugeneius]

The rest of the tests in this file set this as "development" when the behaviour doesn't depend on the particular environment; we should probably do the same here for consistency.

[eugeneius]

ActionController:Base -> ActionController::Base (with backticks 😊)

[eugeneius]

This line needs a full stop at the end.

[eugeneius]

I think there should be a colon here:

This is a wrapper for:

[lugray]

Thanks @eugeneius, updated as per your review.

[eugeneius]

This looks great! 👏

My only remaining question is whether there should be an entry in new_framework_defaults_5_2.rb for this, so that upgraded apps can opt-in to the new behaviour if they want it. My understanding of that file is that it should mirror the options from Rails::Application::Configuration#load_defaults.

[lugray]

@eugeneius That makes sense. I added to new_framework_defaults_5_2.rb.tt

[UlrichThomasGabor]

There is a typo applocation

[lugray]

Thanks, I'll get a fix up.

[lugray]

Actually, it already got fixed in e01b240.

[wnm]

This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.

@lugray don't older versions have it in ApplicationController, and the new default is there to move it to ActionController::Base so we can remove it from ApplicationController?

[lugray]

@wnm By default, older versions do have it in ApplicationController. The point I'm making is that the way to turn it off in older versions would have been to remove the line from the generated ApplicationController. If someone has actively removed it because they don't want it, upgrading should not change the behavior. But new applications will get the 5.2 defaults, which set it to true. If you're upgrading an older version of rails, and you want to remove it from ApplicationController, you'll need to change the configuration you use, since you won't have the 5.2 defaults.

[wnm]

@lugray ah I see... totally makes sense. thanks for the quick response!!

[octavpo]

I think it would be better if the default_protect_from_forgery config could take the :with parameter as a value.

There's also an inconsistency in approach that if you use default_protect_from_forgery = true in config it defaults to :exception, while if you use protect_from_forgery with no parameters in the controller it defaults to :null_session.

[collimarco]

There's also an inconsistency in approach that if you use default_protect_from_forgery = true in config it defaults to :exception, while if you use protect_from_forgery with no parameters in the controller it defaults to :null_session.

I totally agree! It is not clear from the docs that the default behavior is :exception.

[swrobel]

@lugray can you explain this?

There's also an inconsistency in approach that if you use default_protect_from_forgery = true in config it defaults to :exception, while if you use protect_from_forgery with no parameters in the controller it defaults to :null_session.

[rafaelfranca]

Yes, we change the default to be :exception because :null_session was a bad default.

[swrobel]

@rafaelfranca that does not seem to be the case:
https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L138
https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-protect_from_forgery

[rafaelfranca]

It was the case already before this patch. https://github.com/rails/rails/pull/29742/files#diff-8380e0e11d4efeb2b0b142ae9e4cf512L3 Even that the default of the method is null_session, rails already generated the application using exception. That was the new default for applications not for the method.

[swrobel]

@rafaelfranca I understand what you're saying, but for the 99.9% of Rails users who don't dig into the source code at this level, they're going to look at the docs for protect_from_forgery and see that null_session is the default and not understand why their 5.2 app is using exception. I don't see this anywhere in the 5.2 release notes, and while it's mentioned in the security guide I still think this creates a huge opportunity for confusion.

Would you at least be open to changing the default for protect_from_forgery to exception in 6.0 so it's consistent?

[rafaelfranca]

I think it is worth considering it, but it will be a really annoying experience to most of the users given they will have to be explicit about the default to remove the deprecation warning. But I guess it will avoid confusion.