mirror of
https://gitlab.com/gitlab-org/gitlab-foss.git
synced 2025-07-25 16:03:48 +00:00
49 lines
1.3 KiB
Ruby
49 lines
1.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
# A module to check CSRF tokens in requests.
|
|
# It's used in API helpers and OmniAuth.
|
|
# Usage: GitLab::RequestForgeryProtection.call(env)
|
|
|
|
module Gitlab
|
|
module RequestForgeryProtection
|
|
class Controller < BaseActionController
|
|
protect_from_forgery with: :exception, prepend: true
|
|
|
|
def initialize
|
|
super
|
|
|
|
# Squelch noisy and unnecessary "Can't verify CSRF token authenticity." messages.
|
|
# X-Csrf-Token is only one authentication mechanism for API helpers.
|
|
self.logger = ActiveSupport::Logger.new(File::NULL)
|
|
end
|
|
|
|
def index
|
|
head :ok
|
|
end
|
|
end
|
|
|
|
def self.app
|
|
@app ||= Controller.action(:index)
|
|
end
|
|
|
|
def self.call(env)
|
|
app.call(env)
|
|
end
|
|
|
|
def self.verified?(env)
|
|
minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')
|
|
.merge('rack.input' => '')
|
|
|
|
# The CSRF token for some requests is in the form instead of headers.
|
|
# This line of code is used to accommodate this situation. See: https://gitlab.com/gitlab-org/gitlab/-/issues/443398
|
|
minimal_env['HTTP_X_CSRF_TOKEN'] ||= Rack::Request.new(env.dup).params['authenticity_token']
|
|
|
|
call(minimal_env)
|
|
|
|
true
|
|
rescue ActionController::InvalidAuthenticityToken
|
|
false
|
|
end
|
|
end
|
|
end
|