Last active
January 1, 2016 13:29
Universal patch for rails RJS XSS issue (see http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html). The only downside here is that your app will break for users behind proxies that strip referers. Additionally, this patch will not work for you if you plan on serving cross-domain javascripts (e.g. for a hosted javascript…
```ruby
# This patch adds a before_filter to all controllers that prevents cross-domain
# .js requests from being rendered successfully.
require 'uri'

module RemoteJavascriptRefererCheck
  extend ActiveSupport::Concern

  included do
    # only run the check for requests negotiated as JavaScript (.js / RJS responses)
    before_filter :check_rjs_referer, :if => ->(controller) { controller.request.format.js? }
  end

  # prevent generated rjs scripts from being exfiltrated by remote sites
  # see http://homakov.blogspot.com/2013/11/rjs-leaking-vulnerability-in-multiple.html
  def check_rjs_referer
    # a missing header parses to nil and an unparseable one is treated the same way
    referer_uri = begin
      URI.parse(request.env["HTTP_REFERER"])
    rescue URI::InvalidURIError
      nil
    end

    # if request comes from a cross domain document (or carries no usable referer)
    if referer_uri.blank? or
       (request.host.present? and referer_uri.host != request.host) or
       (request.port.present? and referer_uri.port != request.port)
      head :unauthorized
    end
  end
end

# shove the check into the base controller so it gets hit on every route
ApplicationController.class_eval do
  include RemoteJavascriptRefererCheck
end
```
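As an added example (not the gist's code), the same accept/reject decision written as a plain Ruby function and run over constructed referer values, so the two caveats from the description can be seen directly: a referer stripped by a proxy is rejected, and a port or scheme change is treated as cross-origin. The host `app.example.test` and port 443 are assumed stand-ins for `request.host` / `request.port`.

```ruby
require 'uri'

# Mirrors the outcome of the gist's check_rjs_referer filter without Rails.
# `referer` is the raw HTTP_REFERER value (nil when absent); `host` and `port`
# are what Rails would expose as request.host / request.port.
# Returns true when the filter would answer 401 Unauthorized.
def reject_rjs_request?(referer, host, port)
  referer_uri = begin
    URI.parse(referer.to_s)
  rescue URI::InvalidURIError
    nil
  end
  # No usable referer (stripped by a proxy, empty, or unparseable): rejected,
  # which is the "breaks behind referer-stripping proxies" downside.
  return true if referer_uri.nil? || referer_uri.host.nil?
  # Host or port differs from the one serving the request: a document on
  # another origin is pulling in the RJS response.
  return true if !host.nil? && referer_uri.host != host
  return true if !port.nil? && referer_uri.port != port
  false
end

# Constructed sample referers (not from the page) for an app served at
# https://app.example.test (port 443). Second element: expected rejection.
SAMPLE_REFERERS = [
  ["https://app.example.test/orders",      false], # same origin: served
  ["https://app.example.test:8443/orders", true],  # port mismatch
  ["https://attacker.example/page.html",   true],  # different host
  ["http://app.example.test/orders",       true],  # http => port 80 != 443
  [nil,                                    true],  # referer stripped
  ["not a url",                            true],  # unparseable header
].freeze

def sample_results(host = "app.example.test", port = 443)
  SAMPLE_REFERERS.map { |referer, _| reject_rjs_request?(referer, host, port) }
end

# Run stand-alone to see each referer next to the filter's decision.
if __FILE__ == $0
  SAMPLE_REFERERS.zip(sample_results).each do |(referer, _), rejected|
    puts "#{referer.inspect.ljust(40)} => #{rejected ? '401' : 'served'}"
  end
end
```

Note that the gist, like this function, compares host and port only, not scheme; a scheme change is caught only because the default port differs.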