Class: Rack::Protection::JsonCsrf

Inherits:
Base
Defined in:
lib/vendor/rack-protection-1.5.1/lib/rack/protection/json_csrf.rb

Overview

Prevented attack

CSRF

Supported browsers

all

More info

flask.pocoo.org/docs/security/#json-security

JSON GET APIs are vulnerable to being embedded as a script by a third-party page while the Array prototype has been patched to capture the data as it is parsed. This middleware therefore checks the referrer even on GET requests when the response content type is JSON.

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary

Methods inherited from Base

#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #referrer, #report, #safe?, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#call(env) ⇒ Object


# File 'lib/vendor/rack-protection-1.5.1/lib/rack/protection/json_csrf.rb', line 16

def call(env)
  request               = Request.new(env)
  status, headers, body = app.call(env)

  if has_vector? request, headers
    warn env, "attack prevented by #{self.class}"
    react(env) or [status, headers, body]
  else
    [status, headers, body]
  end
end

#has_vector?(request, headers) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/vendor/rack-protection-1.5.1/lib/rack/protection/json_csrf.rb', line 28

def has_vector?(request, headers)
  return false if request.xhr?
  return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
  origin(request.env).nil? and referrer(request.env) != request.host
end
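The two methods above only make sense together, so here is an added, self-contained Ruby walk-through of the same decision logic (`#call` plus `#has_vector?`) run over a few constructed requests. It is not code from rack-protection: it loads neither rack nor rack-protection, the helper names `json_response?`, `referrer_host`, `host_of` and `env_for` are mine, the env hashes and hostnames are constructed, and the 403 response stands in for the library's default `:deny` reaction.

```ruby
require 'uri'

# Added example: re-implementation of the JsonCsrf check over plain Rack-style env
# hashes. Loads neither rack nor rack-protection; helper names are this example's own.
module JsonCsrfCheck
  module_function

  # Rack exposes the X-Requested-With header as HTTP_X_REQUESTED_WITH.
  def xhr?(env)
    env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  end

  # Mirrors Base#origin: the Origin header, or X-Origin as a fallback.
  def origin(env)
    env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
  end

  # Request host without a port, as Rack::Request#host reports it.
  def host_of(env)
    (env['HTTP_HOST'] || env['SERVER_NAME']).to_s.sub(/:\d+\z/, '')
  end

  # Host part of the Referer header; nil when the header is absent or unparseable.
  def referrer_host(env)
    ref = env['HTTP_REFERER'].to_s
    return nil if ref.empty?
    URI.parse(ref).host || host_of(env)
  rescue URI::InvalidURIError
    nil
  end

  # The media type before any ";charset=..." parameter must be exactly application/json.
  def json_response?(headers)
    media_type = headers['Content-Type'].to_s.split(';', 2).first
    !!(media_type =~ /\A\s*application\/json\s*\z/)
  end

  # Same three conditions as JsonCsrf#has_vector?: not an XHR, a JSON response,
  # no Origin header, and a referrer host that differs from our own host.
  def has_vector?(env, headers)
    return false if xhr?(env)
    return false unless json_response?(headers)
    origin(env).nil? && referrer_host(env) != host_of(env)
  end

  # Middleware-style wrapper: the app's own response, or a 403 (standing in for the
  # library's default :deny reaction) when the request looks like a JSON CSRF vector.
  def call(app, env)
    status, headers, body = app.call(env)
    if has_vector?(env, headers)
      [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
    else
      [status, headers, body]
    end
  end
end

# Constructed stub apps: one JSON API and one HTML page.
JSON_APP = lambda { |_env| [200, { 'Content-Type' => 'application/json; charset=utf-8' }, ['{"secret":1}']] }
HTML_APP = lambda { |_env| [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }

# Builds a constructed GET env; hostnames are example values only.
def env_for(host: 'api.example.test', referer: nil, origin: nil, xhr: false)
  env = { 'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => host, 'SERVER_NAME' => host }
  env['HTTP_REFERER'] = referer if referer
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  env
end

# Response status per scenario: only a cross-site, non-XHR, Origin-less request for a
# JSON response is denied; same-origin and XHR callers, and HTML responses, pass through.
def scenario_statuses
  {
    cross_site_script_tag: JsonCsrfCheck.call(JSON_APP, env_for(referer: 'https://other.example.test/page')),
    same_origin_page:      JsonCsrfCheck.call(JSON_APP, env_for(referer: 'https://api.example.test/app')),
    xhr_cross_site:        JsonCsrfCheck.call(JSON_APP, env_for(referer: 'https://other.example.test/', xhr: true)),
    origin_header_present: JsonCsrfCheck.call(JSON_APP, env_for(referer: 'https://other.example.test/', origin: 'https://other.example.test')),
    no_referrer_at_all:    JsonCsrfCheck.call(JSON_APP, env_for),
    html_cross_site:       JsonCsrfCheck.call(HTML_APP, env_for(referer: 'https://other.example.test/')),
  }.transform_values(&:first)
end

puts scenario_statuses.inspect if $PROGRAM_NAME == __FILE__
```

Two behaviours worth noting for anyone deploying this version: a request with an Origin header is never treated as a vector here (origin checks are left to the other middleware in the stack), and a request with no Referer at all, such as a user typing the JSON URL into the address bar, is denied, because a nil referrer never equals the request host.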