Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Check for nil response on JsonCsrf protection #52

Merged
merged 2 commits into from

3 participants

@bugant

Some reaction do not return a response, think for example drop_session. In that case a nil response will be returned where a rack tuple is expected.

This should fix issue #50

bugant added some commits
@bugant bugant Add regression test for issue #50
Running specs you get

Failures:

  1) Rack::Protection::JsonCsrf with drop_session as default reaction reset the session
     Failure/Error: get('/', {}, 'HTTP_REFERER' => 'http://evil.com';, 'rack.session' => session)
     NoMethodError:
       undefined method `detect' for nil:NilClass
     # ./lib/rack/protection/base.rb:107:in `html?'
     # ./lib/rack/protection/frame_options.rb:32:in `call'
     # ./spec/json_csrf_spec.rb:54:in `block (3 levels) in <top (required)>'
d1f0300
@bugant bugant FIX: check for nil response on JsonCsrf protection
Some reaction do not return a response, think for example drop_session. In that case a nil response
would be returned, see issue #50.
eb7e4c9
@rkh rkh merged commit 7c4b33b into from
@dpiddy

Have any plans for a release including this? It'd let me get back to not needing to list rack-protection in my Gemfile which I'd appreciate. :sunglasses:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Apr 8, 2013
  1. @bugant

    Add regression test for issue #50

    bugant authored
    Running specs you get
    
    Failures:
    
      1) Rack::Protection::JsonCsrf with drop_session as default reaction reset the session
         Failure/Error: get('/', {}, 'HTTP_REFERER' => 'http://evil.com';, 'rack.session' => session)
         NoMethodError:
           undefined method `detect' for nil:NilClass
         # ./lib/rack/protection/base.rb:107:in `html?'
         # ./lib/rack/protection/frame_options.rb:32:in `call'
         # ./spec/json_csrf_spec.rb:54:in `block (3 levels) in <top (required)>'
  2. @bugant

    FIX: check for nil response on JsonCsrf protection

    bugant authored
    Some reaction do not return a response, think for example drop_session. In that case a nil response
    would be returned, see issue #50.
This page is out of date. Refresh to see the latest.
Showing with 16 additions and 1 deletion.
  1. +1 −1  lib/rack/protection/json_csrf.rb
  2. +15 −0 spec/json_csrf_spec.rb
View
2  lib/rack/protection/json_csrf.rb
@@ -19,7 +19,7 @@ def call(env)
if has_vector? request, headers
warn env, "attack prevented by #{self.class}"
- react(env)
+ react(env) or [status, headers, body]
else
[status, headers, body]
end
View
15 spec/json_csrf_spec.rb
@@ -31,6 +31,7 @@
it "accepts XHR requests" do
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
end
+
end
describe 'not json response' do
@@ -41,4 +42,18 @@
end
end
+
+ describe 'with drop_session as default reaction' do
+ it 'reset the session' do
+ mock_app do
+ use Rack::Protection, :reaction => :drop_session
+ run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+ end
+
+ session = {:foo => :bar}
+ get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+ last_response.should be_ok
+ session.should be_empty
+ end
+ end
end
Something went wrong with that request. Please try again.