I am just getting into rails again after a multi-year stint of
mod_perl jobs, which might grant me some newbie-indemnity for the time
being - but I've found an issue I think warrants discussion.
As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
- the CSRF protection feature does not kick in for GET requests. This
is under the assumption that GET requests are idempotent.
There is a (big, IMO) problem with this: unless the controller action
which receives the POST request manually validates that the request is
a POST as expected, it is wide open to CSRF. All the attacker has to
do is construct the same form submission that would be a POST as an
unexpected GET request instead, which is actually easier to do from a
remote CSRF attackers point of view. The controller will then happily
do all the work requested of it without the token being present at
all.
How many rails developers do we think put a POST-method validation
filter around all their form processing code, and yet expect
protect_from_forgery stills somehow protects the actions?
Also, it appears that the authenticity token is not inserted into
forms automatically when the form is specified as a GET. While GET
requests *should* be idempotent, it is quite common for them not to
be. Consider for instance on Yahoo! search which remembers (server-
side) your most recent searches. Searches then are effectively non-
idempotent GET requests and should include a CSRF protection as a
result.
So in reality, GET vs POST is much more of an HTTP distinction than an
application distinction, and framework-level "blessed" security
measures should not hinge on adherence to protocol practices that are
easily and often pragmatically bent or broken, especially when it's up
to the attacker which method to invoke.
IMO this feature is providing a rather false sense of security to the
community without documenting the clear steps needed to take in order
to actually obtain CSRF protection for a particular action.
JSW
On Apr 1, 1:52 am, JSW <yetanotherj...@gmail.com> wrote:
> How many rails developers do we think put a POST-method validation
> filter around all their form processing code, and yet expect
> protect_from_forgery stills somehow protects the actions?
>
Without getting into the debate about how idempotent GET requests
really are I'd suspect that these days most people are using restful
routes. If you use restful routes and remove the default route then
it's not possible invoke (eg) a create action from a get request.
Fred
Without getting into the debate about how idempotent GET requests
really are I'd suspect that these days most people are using restful
routes. If you use restful routes and remove the default route then
it's not possible invoke (eg) a create action from a get request.
So in your post example, if you didn't want to restrict some
controller method based on a route rule (ie ...
map.connect ... :conditions=>{:method=>:post} ...), then all you'd
have to do is add a simple check in your controller meth, like:
...
if request.post?
# do post-related work ...
end
...
or alternatively:
...
if not request.post?
# log, redirect with err msg ...
end
...
Bottom line is that an app is only as secure as the developer makes
it.
Jeff
On Apr 1, 1:42 am, Josh _ <yetanotherj...@gmail.com> wrote:
> On Thu, Apr 1, 2010 at 1:08 AM, Frederick Cheung <frederick.che...@gmail.com
This seems like a non-issue to me that can and should be handled by
the developer of the app, regardless of what lang/framework you're
using, by following basic best-practices for securing your app against
csrf or sql-injection or ... attack.