Class: Rack::Protection::JsonCsrf
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/json_csrf.rb
Overview
Prevented attack: CSRF
Supported browsers: all
More info: http://flask.pocoo.org/docs/0.10/security/#json-security and http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
JSON GET APIs are vulnerable to being embedded as JavaScript when the Array prototype has been patched to track data. This middleware therefore checks the referrer even on GET requests if the response content type is JSON.
If the request includes an Origin HTTP header, it defers to HttpOrigin to determine whether the request is safe. Please refer to that documentation for more info.
The :allow_if option can be set to a proc to use custom allow/deny logic.
Constant Summary
Inherited from Base
Class Method Summary
Inherited from Base
Instance Attribute Summary
Instance Method Summary
- #call(env)
- #close_body(body)
- #has_vector?(request, headers) ⇒ Boolean
- #react(env) (alias for Base#deny)
- #react_and_close(env, body)
Inherited from Base: #accepts?, #call, #debug, #default_options, #default_reaction (alias for Base#deny), #deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env)
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 26
def call(env)
  request = Request.new(env)
  # Run the app first: the decision depends on the response content type.
  status, headers, body = app.call(env)
  if has_vector?(request, headers)
    warn env, "attack prevented by #{self.class}"
    react_and_close(env, body) or [status, headers, body]
  else
    [status, headers, body]
  end
end
#close_body(body)
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 55
def close_body(body)
  body.close if body.respond_to?(:close)
end
#has_vector?(request, headers) ⇒ Boolean
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 39
def has_vector?(request, headers)
  # XHR requests cannot be issued by a cross-site <script> include.
  return false if request.xhr?
  return false if options[:allow_if]&.call(request.env)
  # Only JSON responses can be consumed as JavaScript by the attacker.
  return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}

  # With an Origin header, HttpOrigin is in charge; otherwise the
  # referrer host must match the request host.
  origin(request.env).nil? and referrer(request.env) != request.host
end
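To see which requests the overview's rules actually block, here is an added stand-alone model of the has_vector? decision (illustration only, not the gem's code; it needs no rack-protection install). The hosts, paths and the allow_if proc are constructed for the example.

```ruby
require 'uri'

# Model of JsonCsrf#has_vector? over a plain Rack env hash and the
# response headers. allow_if plays the role of the :allow_if option.
def json_csrf_vector?(env, headers, allow_if: nil)
  # A <script src=...> include cannot set X-Requested-With, so XHR/fetch
  # calls are trusted (Rack::Request#xhr? checks this same header).
  return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  return false if allow_if&.call(env)

  # Only JSON bodies matter: the attack needs the response to parse as a
  # JavaScript array literal inside the including page.
  media_type = headers['content-type'].to_s.split(';', 2).first
  return false unless media_type =~ %r{^\s*application/json\s*$}

  # With an Origin header HttpOrigin decides; without one, the Referer
  # host must equal the request host, otherwise it is treated as an attack.
  return false unless env['HTTP_ORIGIN'].nil?
  ref = env['HTTP_REFERER'].to_s
  referrer_host = ref.empty? ? nil : URI.parse(ref).host
  request_host = (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.sub(/:\d+\z/, '')
  referrer_host != request_host
end

JSON_HEADERS = { 'content-type' => 'application/json; charset=utf-8' }.freeze

# Constructed requests against a hypothetical api.example host, mapped to
# whether the middleware would replace the JSON response (true = blocked).
def json_csrf_cases
  base = { 'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => 'api.example:443' }
  cross = base.merge('HTTP_REFERER' => 'https://evil.example/page')
  public_only = ->(e) { e['PATH_INFO'].to_s.start_with?('/public/') }
  {
    cross_site_script_include: json_csrf_vector?(cross, JSON_HEADERS),
    no_referrer_at_all: json_csrf_vector?(base, JSON_HEADERS),
    same_host_referrer: json_csrf_vector?(base.merge('HTTP_REFERER' => 'https://api.example/app'), JSON_HEADERS),
    xhr_from_anywhere: json_csrf_vector?(cross.merge('HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'), JSON_HEADERS),
    origin_header_deferred: json_csrf_vector?(cross.merge('HTTP_ORIGIN' => 'https://evil.example'), JSON_HEADERS),
    non_json_response: json_csrf_vector?(cross, { 'content-type' => 'text/html' }),
    allow_if_public_path: json_csrf_vector?(cross.merge('PATH_INFO' => '/public/feed'), JSON_HEADERS, allow_if: public_only)
  }
end

json_csrf_cases.each { |name, blocked| puts "#{name}: #{blocked ? 'blocked' : 'allowed'}" }
```

Note that a JSON GET with neither Origin nor Referer is also blocked, so clients that strip the Referer must use XHR, send Origin, or be whitelisted via :allow_if.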
#react(env)
Alias for Base#deny.
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 24
alias react deny
#react_and_close(env, body)
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 47
def react_and_close(env, body)
  reaction = react(env)
  # Only close the original body when it is being replaced by the reaction.
  close_body(body) if reaction
  reaction
end