Class: Rack::Protection::JsonCsrf
- Defined in:
- lib/rack/protection/json_csrf.rb
Overview
- Prevented attack
-
CSRF
- Supported browsers
-
all
- More infos
-
flask.pocoo.org/docs/0.10/security/#json-security haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
JSON GET APIs are vulnerable to being embedded as JavaScript when the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.
If request includes Origin HTTP header, defers to HttpOrigin to determine if the request is safe. Please refer to the documentation for more info.
The ‘:allow_if` option can be set to a proc to use custom allow/deny logic.
Constant Summary
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
- #call(env) ⇒ Object
- #close_body(body) ⇒ Object
- #has_vector?(request, headers) ⇒ Boolean
- #react_and_close(env, body) ⇒ Object
Methods inherited from Base
#accepts?, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env) ⇒ Object
26 27 28 29 30 31 32 33 34 35 36 37 |
# File 'lib/rack/protection/json_csrf.rb', line 26 def call(env) request = Request.new(env) status, headers, body = app.call(env) if has_vector?(request, headers) warn env, "attack prevented by #{self.class}" react_and_close(env, body) or [status, headers, body] else [status, headers, body] end end |
#close_body(body) ⇒ Object
55 56 57 |
# File 'lib/rack/protection/json_csrf.rb', line 55 def close_body(body) body.close if body.respond_to?(:close) end |
#has_vector?(request, headers) ⇒ Boolean
39 40 41 42 43 44 45 |
# File 'lib/rack/protection/json_csrf.rb', line 39 def has_vector?(request, headers) return false if request.xhr? return false if [:allow_if]&.call(request.env) return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$} origin(request.env).nil? and referrer(request.env) != request.host end |
#react_and_close(env, body) ⇒ Object
47 48 49 50 51 52 53 |
# File 'lib/rack/protection/json_csrf.rb', line 47 def react_and_close(env, body) reaction = react(env) close_body(body) if reaction reaction end |