Forum: Ruby on Rails CSRF protection and verify :method

James Salter (novocaine)
on 2009-02-24 09:09
(Received via mailing list)
Hi rortalk,

I've been looking at my under development site's exposure to csrf
attacks. While it is a good thing that rails provides request forgery
protection for not-gets, it seems to me that for it to actually be
meaningful you need to take the additional step of restricting the
methods of your actions.

for example, say i have a destroy method in a controller of a restful
app. by convention i invoke this using DELETE, and if i do so, request
forgery protection applies. however, by default it is also possible to
invoke it using GET, unless i explicitly do something like
verify :method => :delete, :only => [ :destroy ]

this is potentially very bad .. as an example, attackers could use
something cheesy like a lot of

<img src="http://mysite.com/valuabledocuments/destroy/1">

for 1....99999

on any page to have visiting users destroy all their valuable
documents. obviously similar problems apply in terms of the ability to
invoke update and create using GET without an explicit verify :method.

it seems to me like it would be sensible to provide an option
(possibly a default) to verify that restful resources are accessed
using only the correct http verbs.

one alternative is to have in the ApplicationController:

# create is the action reached by POST (there is no :post action)
verify :method => :post, :only => [ :create ]
verify :method => :put, :only => [ :update ]
verify :method => :delete, :only => [ :destroy ]

which seems to work ok .. although it breaks the tests for
restful_authentication, apparently (yet to look into it)

thoughts?
Frederick Cheung (Guest)
on 2009-02-24 09:10
(Received via mailing list)
On Feb 24, 5:47 am, James Salter <iterat...@gmail.com> wrote:
> it seems to me like it would be sensible to provide an option
> (possibly a default) to verify that restful resources are accessed
> using only the correct http verbs.
>
> one alternative is to have in the ApplicationController:
>
> verify :method => :post, :only => [ :post ]
> verify :method => :put, :only => [ :update ]
> verify :method => :delete, :only => [ :destroy ]

Or if you delete the default route from routes.rb then you don't need
this.

Fred
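To make the two fixes discussed above concrete (declaring `verify :method` per action, or dropping the catch-all default route), here is an added plain-Ruby model that is not code from the thread or from Rails itself. The Dispatcher class, the route-table shape, the paths and the `VERIFIES` table are assumptions constructed for the example; the 400 status mirrors what `verify` responds with when given no :redirect_to or :render.

```ruby
# Added example (not code from the thread): a toy model of Rails 2.x
# routing plus the `verify :method` check, showing why a plain GET can
# reach `destroy` while the catch-all default route is in routes.rb.
# Dispatcher, the route-table shape and the paths are all constructed here.
class Dispatcher
  # routes:   array of [verb or :any, path regex, action or :from_path]
  # verifies: action => required verb, mirroring `verify :method => ...`
  def initialize(routes, verifies = {})
    @routes, @verifies = routes, verifies
  end

  # Returns [status, action]: 404 if nothing routes, 400 if the matched
  # action is restricted to another verb (verify's default response),
  # 200 otherwise.
  def dispatch(verb, path)
    route = @routes.find { |v, re, _| (v == :any || v == verb) && path =~ re }
    return [404, nil] unless route
    action = route[2] == :from_path ? path[route[1], 1].to_sym : route[2]
    return [400, action] if @verifies.key?(action) && @verifies[action] != verb
    [200, action]
  end
end

# map.resources :valuabledocuments, abridged to the member actions.
RESOURCE_ROUTES = [
  [:get,    %r{\A/valuabledocuments/\d+\z}, :show],
  [:put,    %r{\A/valuabledocuments/\d+\z}, :update],
  [:delete, %r{\A/valuabledocuments/\d+\z}, :destroy],
]
# Rails 2.x default route ':controller/:action/:id': any verb, action from the URL.
DEFAULT_ROUTE = [:any, %r{\A/valuabledocuments/(\w+)/\d+\z}, :from_path]
VERIFIES      = { :update => :put, :destroy => :delete }

# The <img src> request from the thread: a GET to /valuabledocuments/destroy/1.
FORGED_GET = [:get, "/valuabledocuments/destroy/1"]

def default_route_only              # no verify, default route present
  Dispatcher.new(RESOURCE_ROUTES + [DEFAULT_ROUTE]).dispatch(*FORGED_GET)
end

def default_route_with_verify       # James's fix: verify :method per action
  Dispatcher.new(RESOURCE_ROUTES + [DEFAULT_ROUTE], VERIFIES).dispatch(*FORGED_GET)
end

def resources_only                  # Fred's fix: delete the default route
  Dispatcher.new(RESOURCE_ROUTES).dispatch(*FORGED_GET)
end

def honest_delete                   # the legitimate DELETE still works
  Dispatcher.new(RESOURCE_ROUTES, VERIFIES).dispatch(:delete, "/valuabledocuments/1")
end
```

With only the default route the forged GET dispatches to `destroy` (200), with `verify` it is refused (400), and with the default route removed it does not route at all (404).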
James Salter (novocaine)
on 2009-02-24 22:37
(Received via mailing list)
aha. thanks fred

On Feb 24, 7:09 pm, Frederick Cheung <frederick.che...@gmail.com>