Forum: Ruby on Rails cross site scripting security

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
wbsurfver@yahoo.com (Guest)
on 2009-03-26 18:51
(Received via mailing list)
I just changed my session store to use active record because it
appears session expiration and so on may be easier that way and it
seems like a better option.

In my base controller I have:

 protect_from_forgery :secret => 'hgfjh...kjhghglh' (whatever)

  self.allow_forgery_protection = false


 I had commented those out during development because certain actions
would error out because of these.
For instance, I think I called remote_function() from JavaScript and
just added :width=>something.
That added width into params, but my guess is that since it wasn't part
of the routing, the forgery protection flagged an error on it.

 Is the best way to go through and try to fix the routing for
everything? I guess that might be the way I have to do it. I wanted
to check if I really need to do that for security, as it's sort of a
pain in the neck to have to try to test all the methods, fix the
routing and such ..
Robert Walker (robert4723)
on 2009-03-26 20:45
wbsurfver@yahoo.com wrote:
>  protect_from_forgery :secret => 'hgfjh...kjhghglh' (whatever)
>
>   self.allow_forgery_protection = false
>
>
>  I had commented those out during development because certain actions
> would error out because of these.

If you're concerned about security then commenting that out to resolve
the errors you were getting in development was probably a mistake.

> For instance, I think I called remote_function() from java script and
> just added :width=>something.
> That added width into params, but I guess since it wasn't part of the
> routing the forgery protection
> flagged an error on it, is my guess.
>
>  Is the best way to go through and try to fix the routing for
> everything ? I guess that might be the way I have to do it, I wanted
> to check if I really need to do that for security as it's sort of a
> pain in the neck to have to try to test
> all the methods, fix the routing and such ..

Also note that your subject line says Cross Site Scripting (XSS), which
is not the same as Cross Site Request Forgery (CSRF). The method
protect_from_forgery does nothing (as far as I understand it) to protect
against XSS. It only provides protection against CSRF.
Larz (Guest)
on 2009-03-26 21:36
(Received via mailing list)
> If you're concerned about security then commenting that out to resolve
> the errors you were getting in development was probably a mistake.
>

 Right, well I had this funny feeling about it, but at the time I was
trying to get some javascript stuff to work ..

 Anyway, there is a javascript call like this:


function update_server(info)
{
  <%= remote_function(:url => {:action => 'resize_field'},
                      :with => '{col:info.col,width:info.width}') %>
}

So I just set some routing, I'm not a routing expert, but I did this:

map.connect 'shgrid/resize_field/:col/:width',
              :controller => 'shgrid',
              :action => 'resize_field'

But I get the error (below). I'm not sure if there's a proper way to
do it with remote_function()?
Anyway, first I did the main dev, now I am trying to learn more on
security ..

Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26
16:28:11) [POST]
  Session ID: 92c3ef636f552fbeff8e574d96bedb9f
  Parameters: {"col"=>"5", "action"=>"resize_field",
"controller"=>"shgrid", "width"=>"66"}
  User Load (0.000269)   SELECT * FROM "users" WHERE (name = 'Zack2')
LIMIT 1
  AdminSetting Load (0.000156)   SELECT * FROM "admin_settings" LIMIT
1


ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
    /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/
action_controller/request_forgery_protection.rb:86:in
`verify_authenticity_token'
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
active_support/callbacks.rb:173:in `send'
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
active_support/callbacks.rb:173:in `evaluate_method'
Robert Walker (robert4723)
on 2009-03-26 21:46
Larz wrote:
> But I get the error (below). I'm not sure if there's a proper way to
> do it with remote_function() ?
> Anyway, first I did the main dev, now I am trying to learn more on
> security ..
>
> Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26
> 16:28:11) [POST]
>   Session ID: 92c3ef636f552fbeff8e574d96bedb9f
>   Parameters: {"col"=>"5", "action"=>"resize_field",
> "controller"=>"shgrid", "width"=>"66"}
>   User Load (0.000269)   SELECT * FROM "users" WHERE (name = 'Zack2')
> LIMIT 1
>   AdminSetting Load (0.000156)   SELECT * FROM "admin_settings" LIMIT
> 1
>
>
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
>     /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/
> action_controller/request_forgery_protection.rb:86:in
> `verify_authenticity_token'
>     /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
> active_support/callbacks.rb:173:in `send'
>     /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
> active_support/callbacks.rb:173:in `evaluate_method'

Sure it will fail on that because there is no authenticity token in your
params:

Example:

Processing ThingsController#create (for 127.0.0.1 at 2009-03-26
16:42:40) [POST]
  Parameters: {"commit"=>"Create",
"authenticity_token"=>"wM7T6k++1upx4BO+fVy571jwqx0d4z0U92PPSGP+UUQ=",
"thing"=>{"name"=>"Widget"}}

You may just want to disable forgery protection for this one action, but
use it for all others. There might be a better solution than that, but
it should get you past this problem.
Larz (Guest)
on 2009-03-26 21:58
(Received via mailing list)
Thanks,

 I'm still learning here, but what happens is, if I copy the token from
some other action that works, so that I now have this:

 <%= remote_function(:url => {:action => 'resize_field',
                              :authenticity_token => "sda4354326hfghgfsf-whatever"},
                     :with => '{col:info.col,width:info.width}') %>

then the :with part of the clause does not get into the parameters, it
seems ..
Greg Donald (destiney)
on 2009-03-26 22:04
(Received via mailing list)
On Thu, Mar 26, 2009 at 3:58 PM, Larz <wbsurfver@gmail.com> wrote:
>  I'm still learning here, but what happens is if I copy the token from
> some other action that works so I now have this:
>
>  <%= remote_function(:url => {:action => 'resize_field',
>                              :authenticity_token
> =>"sda4354326hfghgfsf-whatever"},


To make it dynamic, I would use form_authenticity_token, not the
actual value of it.

http://api.rubyonrails.org/classes/ActionControlle...



--
Greg Donald
http://destiney.com/
Larz (Guest)
on 2009-03-26 22:34
(Received via mailing list)
>
> To make it dynamic, I would use form_authenticity_token, not the
> actual value of it.
>

Thanks,

 So I make the call like this. It works fine, except I'm not sure why
the stuff in the :with part from JavaScript doesn't make it into params
when I have authenticity_token in the :url part:

 <%= remote_function(:url => {:action => 'resize_field',
                              :authenticity_token => form_authenticity_token},
                     :with => '{col:info.col,width:info.width}') %>
Larz (Guest)
on 2009-03-26 23:02
(Received via mailing list)
The other thing seems to be that if this is set in the base
controller:
protect_from_forgery :secret => '10aedsfsdafdasfasdfxvcxvhg'

then it generates the authenticity tokens, regardless of whether the
check is made. That seems to break my remote_function call as
mentioned in the previous post (because the :with JS stuff doesn't get
put into the URL/params).

Since protect_from_forgery is, I guess, called at the class level, I'm
not sure I can disable it for one action and have it turned on for
others ..

I can turn this off at the instance level:
self.allow_forgery_protection = false
but that doesn't fix my other problem ...
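To show what the verify_authenticity_token step in the error above is actually comparing, and how a per-action exemption of the kind Robert suggested works (Rails 2.x exposes it as protect_from_forgery :only/:except), here is an added Ruby example; it is not Rails' own code and not from anyone in this thread. It models the :secret behaviour, where the token is derived from the secret and the session id, so a token hard-coded from another page only works while that session lasts; the exact hash layout, the ForgeryGuard class and the session ids are assumptions.

```ruby
require 'digest/sha1'

# Toy model of the check behind verify_authenticity_token when
# protect_from_forgery :secret => ... is used (Rails 2.x style): the token
# is a SHA1 over the secret and the session id, so it is bound to the
# session. The hash input layout here is an assumption, not Rails' code.
class ForgeryGuard
  SAFE_METHODS = [:get, :head].freeze

  # except: actions exempt from the check (like protect_from_forgery :except)
  def initialize(secret, except: [])
    @secret = secret
    @except = except.map(&:to_s)
  end

  # The value form_authenticity_token would hand to the view for this session.
  def token_for(session_id)
    Digest::SHA1.hexdigest("#{@secret}--#{session_id}")
  end

  # Safe methods and exempt actions pass; otherwise params must carry the
  # token that belongs to the current session.
  def verified?(method:, action:, session_id:, params:)
    return true if SAFE_METHODS.include?(method)
    return true if @except.include?(action.to_s)
    params['authenticity_token'] == token_for(session_id)
  end
end

# Constructed sample session ids (not real sessions).
SESSION_A = '92c3ef636f552fbeff8e574d96bedb9f'
SESSION_B = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

# Runs the thread's resize_field POST through the guard in four variants
# and returns whether each one is accepted.
def demo_results(guard)
  bare   = { 'col' => '5', 'width' => '66' }                  # what the log above shows
  own    = bare.merge('authenticity_token' => guard.token_for(SESSION_A)) # via form_authenticity_token
  copied = bare.merge('authenticity_token' => guard.token_for(SESSION_B)) # hard-coded from another session
  post = lambda do |params|
    guard.verified?(method: :post, action: :resize_field, session_id: SESSION_A, params: params)
  end
  {
    missing_token: post.call(bare),     # the InvalidAuthenticityToken case
    own_token:     post.call(own),
    copied_token:  post.call(copied),
    get_request:   guard.verified?(method: :get, action: :resize_field, session_id: SESSION_A, params: bare)
  }
end
```

Call demo_results(ForgeryGuard.new('some-secret')) to see only the own-token and GET variants accepted, and demo_results(ForgeryGuard.new('some-secret', except: [:resize_field])) to see the exemption let the bare POST through.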
Larz (Guest)
on 2009-03-27 18:56
(Received via mailing list)
Here is where I am at with this so far ...

I decided to try to change my code to be all JavaScript to get around
the strange problem I was having, so I followed the
advice from this site:

http://david-burger.blogspot.com/2008/01/rails-for...

Here is what my code looks like now, which seems to work. I think I am
using jQuery at this point. I've commented out the old code:

function update_server(info)
{
  // old Prototype-based call, kept as an ERB comment
  <%#= remote_function(:url => {:action => 'resize_field'},
                       :with => '{col:info.col,width:info.width}') %>
  // FORM_AUTH_TOKEN holds the page's form_authenticity_token value
  $.ajax({data: {col:info.col, width:info.width, authenticity_token:FORM_AUTH_TOKEN},
          dataType:'script', type:'post', url:'/shgrid/resize_field'})
}