Steffen van Bergerem
Dennis Schubert
parent
6ad9000f8c
commit
c3de77e0fc
10 changed files with 85 additions and 1 deletions
|
|
@ -4,6 +4,7 @@
|
|||
* Indicate proper way to report bugs in the sidebar [#7039](https://github.com/diaspora/diaspora/pull/7039)
|
||||
* Remove text color from notification mails and fix sender avatar [#7054](https://github.com/diaspora/diaspora/pull/7054)
|
||||
* Make the session cookies HttpOnly again [#7041](https://github.com/diaspora/diaspora/pull/7041)
|
||||
* Invalidate sessions with invalid CSRF tokens [#7050](https://github.com/diaspora/diaspora/pull/7050)
|
||||
|
||||
## Bug fixes
|
||||
* Post comments no longer get collapsed when interacting with a post [#7040](https://github.com/diaspora/diaspora/pull/7040)
|
||||
|
|
|
|||
|
|
@ -8,7 +8,11 @@ class ApplicationController < ActionController::Base
|
|||
protect_from_forgery except: :receive, with: :exception
|
||||
|
||||
rescue_from ActionController::InvalidAuthenticityToken do
|
||||
sign_out current_user
|
||||
if user_signed_in?
|
||||
logger.warn "#{current_user.diaspora_handle} CSRF token fail. referer: #{request.referer || 'empty'}"
|
||||
Workers::Mail::CsrfTokenFail.perform_async(current_user.id)
|
||||
sign_out current_user
|
||||
end
|
||||
flash[:error] = I18n.t("error_messages.csrf_token_fail")
|
||||
redirect_to new_user_session_path format: request[:format]
|
||||
end
|
||||
|
|
|
|||
7
app/mailers/notification_mailers/csrf_token_fail.rb
Normal file
7
app/mailers/notification_mailers/csrf_token_fail.rb
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
module NotificationMailers
|
||||
class CsrfTokenFail < NotificationMailers::Base
|
||||
def set_headers
|
||||
@headers[:subject] = I18n.t("notifier.csrf_token_fail.subject", name: @recipient.name)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -87,6 +87,10 @@ class Notifier < ActionMailer::Base
|
|||
send_notification(:confirm_email, recipient_id)
|
||||
end
|
||||
|
||||
def csrf_token_fail(recipient_id)
|
||||
send_notification(:csrf_token_fail, recipient_id)
|
||||
end
|
||||
|
||||
private
|
||||
def send_notification(type, *args)
|
||||
@notification = NotificationMailers.const_get(type.to_s.camelize).new(*args)
|
||||
|
|
|
|||
1
app/views/notifier/csrf_token_fail.markerb
Normal file
1
app/views/notifier/csrf_token_fail.markerb
Normal file
|
|
@ -0,0 +1 @@
|
|||
<%= t("notifier.csrf_token_fail.body", name: @notification.recipient_first_name, link: "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") %>
|
||||
11
app/workers/mail/csrf_token_fail.rb
Normal file
11
app/workers/mail/csrf_token_fail.rb
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
module Workers
|
||||
module Mail
|
||||
class CsrfTokenFail < Base
|
||||
sidekiq_options queue: :low
|
||||
|
||||
def perform(user_id)
|
||||
Notifier.csrf_token_fail(user_id).deliver_now
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -696,6 +696,18 @@ en:
|
|||
confirm_email:
|
||||
subject: "Please activate your new email address %{unconfirmed_email}"
|
||||
click_link: "To activate your new email address %{unconfirmed_email}, please follow this link:"
|
||||
csrf_token_fail:
|
||||
subject: "We received an unauthorized request from your account, %{name}"
|
||||
body: |-
|
||||
Hello %{name},
|
||||
|
||||
We received a request with a wrong/missing CSRF token from your account. To prevent any possible damage you have been logged out.
|
||||
|
||||
For more information on CSRF see [%{link}](%{link}).
|
||||
|
||||
Sorry,
|
||||
|
||||
The diaspora* email robot!
|
||||
report_email:
|
||||
type:
|
||||
post: "post"
|
||||
|
|
|
|||
|
|
@ -37,6 +37,12 @@ describe ApplicationController, type: :request do
|
|||
expect(flash[:error]).to eq(I18n.t("error_messages.csrf_token_fail"))
|
||||
end
|
||||
|
||||
it "sends an email to the current user if the token validation failed" do
|
||||
expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(false)
|
||||
expect(Workers::Mail::CsrfTokenFail).to receive(:perform_async).with(alice.id)
|
||||
put edit_user_path, user: {language: "en"}
|
||||
end
|
||||
|
||||
it "doesn't sign out users if the token was correct" do
|
||||
expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(true)
|
||||
put edit_user_path, user: {language: "en"}
|
||||
|
|
|
|||
|
|
@ -432,6 +432,26 @@ describe Notifier, type: :mailer do
|
|||
end
|
||||
end
|
||||
|
||||
describe ".csrf_token_fail" do
|
||||
let(:email) { Notifier.csrf_token_fail(alice.id) }
|
||||
|
||||
it "goes to the right person" do
|
||||
expect(email.to).to eq([alice.email])
|
||||
end
|
||||
|
||||
it "has the correct subject" do
|
||||
expect(email.subject).to eq(I18n.translate("notifier.csrf_token_fail.subject", name: alice.name))
|
||||
end
|
||||
|
||||
it "has the receivers name in the body" do
|
||||
expect(email.body.encoded).to include(alice.person.profile.first_name)
|
||||
end
|
||||
|
||||
it "has some informative text in the body" do
|
||||
expect(email.body.encoded).to include("https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)")
|
||||
end
|
||||
end
|
||||
|
||||
describe "hashtags" do
|
||||
it "escapes hashtags" do
|
||||
mails = Notifier.admin("#Welcome to bureaucracy!", [bob])
|
||||
|
|
|
|||
18
spec/workers/mail/csrf_token_fail_spec.rb
Normal file
18
spec/workers/mail/csrf_token_fail_spec.rb
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
# Copyright (c) 2010-2011, Diaspora Inc. This file is
|
||||
# licensed under the Affero General Public License version 3 or later. See
|
||||
# the COPYRIGHT file.
|
||||
|
||||
require "spec_helper"
|
||||
|
||||
describe Workers::Mail::CsrfTokenFail do
|
||||
describe "#perfom" do
|
||||
it "should call .deliver on the notifier object" do
|
||||
user = alice
|
||||
mail_double = double
|
||||
expect(mail_double).to receive(:deliver_now)
|
||||
expect(Notifier).to receive(:csrf_token_fail).with(user.id).and_return(mail_double)
|
||||
|
||||
Workers::Mail::CsrfTokenFail.new.perform(user.id)
|
||||
end
|
||||
end
|
||||
end
|
||||
Loading…
Reference in a new issue