Module: Gitlab::RequestForgeryProtection

Defined in:: lib/gitlab/request_forgery_protection.rb

Defined Under Namespace

Class Method Summary collapse

Class Method Details

.app ⇒ `Object`



25
26
27

# File 'lib/gitlab/request_forgery_protection.rb', line 25

def self.app
  @app ||= Controller.action(:index)
end

.call(env) ⇒ `Object`



29
30
31

# File 'lib/gitlab/request_forgery_protection.rb', line 29

def self.call(env)
  app.call(env)
end

.verified?(env) ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/gitlab/request_forgery_protection.rb', line 33

def self.verified?(env)
  minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')
                  .merge('rack.input' => '')

  # The CSRF token for some requests is in the form instead of headers.
  # This line of code is used to accommodate this situation. See: https://gitlab.com/gitlab-org/gitlab/-/issues/443398
  minimal_env['HTTP_X_CSRF_TOKEN'] ||= Rack::Request.new(env.dup).params['authenticity_token']

  call(minimal_env)

  true
rescue ActionController::InvalidAuthenticityToken
  false
end

Module: Gitlab::RequestForgeryProtection

Defined Under Namespace

Class Method Summary collapse

Class Method Details

.app ⇒ Object

.call(env) ⇒ Object

.verified?(env) ⇒ Boolean

.app ⇒ `Object`

.call(env) ⇒ `Object`

.verified?(env) ⇒ `Boolean`