Rails - Mar 2009 - cross site scripting security

I just changed my session store to use active record because it
appears session expiration and so on may be easier that way and it
seems like a better option.

In my base controller I have:

 protect_from_forgery :secret => ''hgfjh...kjhghglh''
(whatever)

  self.allow_forgery_protection = false


 I had commented those out during development because certain actions
would error out because of these.
For instance, I think I called remote_function() from java script and
just added :width=>something.
That added width into params, but I guess since it wasn''t part of the
routing the forgery protection
flagged an error on it, is my guess.

 Is the best way to go through and try to fix the routing for
everything ? I guess that might be the way I have to do it, I wanted
to check if I really need to do that for security as it''s sort of a
pain in the neck to have to try to test
all the methods, fix the routing and such ..

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

wbsurfver-/E1597aS9LQAvxtiuMwx3w@public.gmane.org wrote:
>  protect_from_forgery :secret => ''hgfjh...kjhghglh''
(whatever)
> 
>   self.allow_forgery_protection = false
> 
> 
>  I had commented those out during development because certain actions
> would error out because of these.
If you''re concerned about security then commenting that out to resolve 
the errors you were getting in development was probably a mistake.
> For instance, I think I called remote_function() from java script and
> just added :width=>something.
> That added width into params, but I guess since it wasn''t part of
the
> routing the forgery protection
> flagged an error on it, is my guess.
> 
>  Is the best way to go through and try to fix the routing for
> everything ? I guess that might be the way I have to do it, I wanted
> to check if I really need to do that for security as it''s sort of
a
> pain in the neck to have to try to test
> all the methods, fix the routing and such ..
Also note that your subject line says Cross Site Scripting (XSS), which 
is not the same as Cross Site Request Forgery (CSRF). The method 
protect_from_forgery does nothing (as far as I understand it) to protect 
against XSS. It only provides protection against CSRF.
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

> If you''re concerned about security then commenting that out to
resolve
> the errors you were getting in development was probably a mistake.
>
 Right, well I had this funny feeling about it, but at the time I was
trying to get some javascript stuff to work ..

 Anyway, there is a javascript call like this:


function update_server(info)
{

 <%= remote_function(:url => {:action =>
''resize_field''},
                     :with =>
''{col:info.col,width:info.width}'')
                               %>
}

So I just set some routing, I''m not a routing expert, but I did this:

map.connect ''shgrid/resize_field/:col/:width'',
              :controller => ''shgrid'',
              :action => ''resize_field''

But I get the error (below). I''m not sure if there''s a proper
way to
do it with remote_function() ?
Anyway, first I did the main dev, now I am trying to learn more on
security ..

Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26
16:28:11) [POST]
  Session ID: 92c3ef636f552fbeff8e574d96bedb9f
  Parameters: {"col"=>"5",
"action"=>"resize_field",
"controller"=>"shgrid",
"width"=>"66"}
  User Load (0.000269)   SELECT * FROM "users" WHERE (name =
''Zack2'')
LIMIT 1
  AdminSetting Load (0.000156)   SELECT * FROM "admin_settings" LIMIT
1


ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
    /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/
action_controller/request_forgery_protection.rb:86:in
`verify_authenticity_token''
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
active_support/callbacks.rb:173:in `send''
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
active_support/callbacks.rb:173:in `evaluate_method''



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Larz wrote:
> But I get the error (below). I''m not sure if there''s a
proper way to
> do it with remote_function() ?
> Anyway, first I did the main dev, now I am trying to learn more on
> security ..
> 
> Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26
> 16:28:11) [POST]
>   Session ID: 92c3ef636f552fbeff8e574d96bedb9f
>   Parameters: {"col"=>"5",
"action"=>"resize_field",
> "controller"=>"shgrid",
"width"=>"66"}
>   User Load (0.000269)   SELECT * FROM "users" WHERE (name =
''Zack2'')
> LIMIT 1
>   AdminSetting Load (0.000156)   SELECT * FROM "admin_settings"
LIMIT
> 1
> 
> 
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
>     /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/
> action_controller/request_forgery_protection.rb:86:in
> `verify_authenticity_token''
>     /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
> active_support/callbacks.rb:173:in `send''
>     /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
> active_support/callbacks.rb:173:in `evaluate_method''
Sure it will fail on that because there is no authenticity token in your 
params:

Example:

Processing ThingsController#create (for 127.0.0.1 at 2009-03-26 
16:42:40) [POST]
  Parameters: {"commit"=>"Create", 
"authenticity_token"=>"wM7T6k++1upx4BO+fVy571jwqx0d4z0U92PPSGP+UUQ=",
"thing"=>{"name"=>"Widget"}}

You may just want to disable forgery protection for this one action, but 
use it for all others. There might be a better solution than that, but 
it should get you past this problem.
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Thanks,

 I''m still learning here, but what happens is if I copy the token from
some other action that works so I now have this:

 <%= remote_function(:url => {:action =>
''resize_field'',
                              :authenticity_token
=>"sda4354326hfghgfsf-whatever"},
                     :with =>
''{col:info.col,width:info.width}'')
                               %>

then the :with part of the clause does not get into the parameters it
seems like ..


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Thu, Mar 26, 2009 at 3:58 PM, Larz
<wbsurfver-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
>  I''m still learning here, but what happens is if I copy the token
from
> some other action that works so I now have this:
>
>  <%= remote_function(:url => {:action =>
''resize_field'',
>                              :authenticity_token
> =>"sda4354326hfghgfsf-whatever"},

To make it dynamic, I would use form_authenticity_token, not the
actual value of it.

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#M000491



-- 
Greg Donald
http://destiney.com/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

>
> To make it dynamic, I would use form_authenticity_token, not the
> actual value of it.
>
Thanks,

 So I make the call like this, it works fine except I''m not sure why
the stuff in the :with part from javascript
 doesn''t make it into params when I have authenticity_token in
the :url part:


 <%= remote_function(:url => {:action =>
''resize_field'',
                              :authenticity_token =>
form_authenticity_token,
                              },
                              :with =>
''{col:info.col,width:info.width}'')
                               %>


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

The other thing seems to be that if this is set in the base
controller:
protect_from_forgery :secret =>
''10aedsfsdafdasfasdfxvcxvhg''

Then it generates the authenticity tokens, regardless of whether the
check is made. That seems to break my remote_function call as
mentioned in the previous post (because the :with js stuff doesn''t get
put into the url/ params.

since protect_from_forgery I guess it''s called at the class level,
I''m
not sure I can disable it for one action and have it turned on for
others ..

I can turn this off at the instance level:
self.allow_forgery_protection
but that doesn''t fix my other problem ...



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Here is where I am at with this so far ...

I decied to try to change my code to be all javascript to get around
the strange problem I was having, so I followed the
advice from this site:

http://david-burger.blogspot.com/2008/01/rails-forgery-protection-csrf-and-ajax.html

Here is what my code looks like now which seems to work. I think I am
using jquery at this point. I''ve commented out the old code:

function update_server(info)
{


<%#= remote_function(:url => {:action =>
''resize_field''},
                              :with =>
''{col:info.col,width:info.width}'')
                               %>
$.ajax({data:
{col:info.col,width:info.width,authenticity_token:FORM_AUTH_TOKEN},
dataType:''script'', type:''post'',
url:''/shgrid/resize_field''})


}
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---