mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-28 01:56:01 -05:00
Merge pull request #790 from ZogStriP/fix-security-bug-XHR-check-bypass
FIX: [security bug] XHR check bypass
This commit is contained in:
commit
bb82d44ccc
2 changed files with 14 additions and 16 deletions
|
@ -38,7 +38,6 @@ class ApplicationController < ActionController::Base
|
|||
|
||||
# Some exceptions
|
||||
class RenderEmpty < Exception; end
|
||||
class NotLoggedIn < Exception; end
|
||||
|
||||
# Render nothing unless we are an xhr request
|
||||
rescue_from RenderEmpty do
|
||||
|
@ -246,10 +245,7 @@ class ApplicationController < ActionController::Base
|
|||
def check_xhr
|
||||
unless (controller_name == 'forums' || controller_name == 'user_open_ids')
|
||||
# bypass xhr check on PUT / POST / DELETE provided api key is there, otherwise calling api is annoying
|
||||
if !request.get? && request["api_key"]
|
||||
return
|
||||
end
|
||||
|
||||
return if !request.get? && request["api_key"] && SiteSetting.api_key_valid?(request["api_key"])
|
||||
raise RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -17,20 +17,22 @@ describe 'api' do
|
|||
|
||||
# choosing an arbitrarily easy to mock trusted activity
|
||||
it 'allows users with api key to bookmark posts' do
|
||||
PostAction.expects(:act).with(user,post,PostActionType.types[:bookmark]).returns(true)
|
||||
put :bookmark, bookmarked: "true" ,post_id: post.id , api_key: SiteSetting.api_key, api_username: user.username
|
||||
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
|
||||
put :bookmark, bookmarked: "true", post_id: post.id, api_key: SiteSetting.api_key, api_username: user.username, format: :json
|
||||
end
|
||||
|
||||
it 'disallows phonies to bookmark posts' do
|
||||
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
|
||||
lambda do
|
||||
put :bookmark, bookmarked: "true" ,post_id: post.id , api_key: SecureRandom.hex(32), api_username: user.username
|
||||
put :bookmark, bookmarked: "true", post_id: post.id, api_key: SecureRandom.hex(32), api_username: user.username, format: :json
|
||||
end.should raise_error Discourse::NotLoggedIn
|
||||
end
|
||||
|
||||
it 'disallows blank api' do
|
||||
SiteSetting.stubs(:api_key).returns("")
|
||||
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
|
||||
lambda do
|
||||
put :bookmark, bookmarked: "true" ,post_id: post.id , api_key: "", api_username: user.username
|
||||
put :bookmark, bookmarked: "true", post_id: post.id, api_key: "", api_username: user.username, format: :json
|
||||
end.should raise_error Discourse::NotLoggedIn
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue