
check if session object is not empty in csrf protection (#4672)
Co-authored-by: basherru <alexander.baz@okwork.io>
basherru and basherru committed Aug 19, 2020
1 parent 431e864 commit df702a1
Showing 2 changed files with 23 additions and 3 deletions.
5 changes: 5 additions & 0 deletions lib/sidekiq/web/csrf_protection.rb
Expand Up @@ -90,6 +90,11 @@ def valid_token?(env, giventoken)
end

sess = session(env)

# Checks that Rack::Session::Cookie did not return empty session
# object in case the digest verification failed
return false if sess.empty?

localtoken = sess[:csrf]

# Rotate the session token after every use
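Review bot: The new guard `return false if sess.empty?` rejects only a session with no keys at all, so a session that holds other keys but no `:csrf` entry still reaches `localtoken = sess[:csrf]` with a nil `localtoken` and proceeds to the comparison further down. The property the code actually depends on is the presence of the stored token, and checking it directly also covers the empty-session case the comment describes: `localtoken = sess[:csrf]` followed by `return false unless localtoken`. valid_token? continues past the end of the hunk, so a later nil check may already exist; if so, a one-line comment here pointing to it would make the two guards read as intentional rather than as a gap. The comment above the check would also be clearer if it named the observable condition, e.g. `# A cookie session whose digest failed verification comes back as an empty hash; never accept a token against it`.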
21 changes: 18 additions & 3 deletions test/test_csrf.rb
Expand Up @@ -6,11 +6,11 @@ def session
@session ||= {}
end

def env(method=:get, form_hash={})
def env(method=:get, form_hash={}, rack_session=session)
imp = StringIO.new("")
{
"REQUEST_METHOD" => method.to_s.upcase,
"rack.session" => session,
"rack.session" => rack_session,
"rack.logger" => ::Logger.new(@logio ||= StringIO.new("")),
"rack.input" => imp,
"rack.request.form_input" => imp,
Expand Down Expand Up @@ -59,7 +59,6 @@ def test_bad_post
end

def test_good_and_bad_posts
goodtoken = nil
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
Expand All @@ -82,4 +81,20 @@ def test_good_and_bad_posts
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end

def test_empty_session_post
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken

# Make a POST with an empty session data and good token
result = call(env(:post, { "authenticity_token" => goodtoken }, {})) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
end
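Review bot: `test_empty_session_post` passes a plain `{}` as the session, so it exercises `Hash#empty?` rather than the object `Rack::Session::Cookie` returns after a failed digest check, which is the scenario the production comment names. A short comment on the new test, e.g. `# A plain Hash stands in for the empty session Rack::Session::Cookie yields on digest failure`, would stop the next reader from assuming the cookie middleware itself is under test. The `rack_session=session` default added to `env` is evaluated per call, which is fine, but the trailing `{}` at the call site on the POST reads like an options hash at a glance; a keyword parameter (`rack_session: session`, called as `env(:post, {...}, rack_session: {})`) would make the intent explicit. The message `"shouldnt be called"` also drops its apostrophe.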
