canvas-lms/lib
Jacob Fugal 371ec30967 refactor CSRF handling for clarity and rails3+
closes CNVS-18870

CNVS-18870 as described in the ticket description is not a bug. see
comments on the ticket for more details. but while investigating and
confirming that, it became obvious that the odd structure and scattered
implementation of the CSRF protection was both making it hard to reason
about and easy to introduce new bugs. after the refactor, we still:

* don't perform CSRF validation on GET requests
* don't perform it on token-authenticated API requests
* do perform it on session-authenticated API requests
* do perform it on non-API requests regardless of authentication method

additionally, we now:

* don't perform CSRF validation on HEAD requests

finally, we _don't_ support a csrf_token in the session anymore. that's
been deprecated forever; we can remove the code now.

test-plan:
 - should not perform CSRF validation for:
   - GET requests
   - token-authenticated POST requests to API endpoints (path prefixed
     by /api/) without an authenticity_token parameter or X-CSRF-Token
     header
   - token-authenticated POST requests to API endpoints even with an
     authenticity_token parameter
   - token-authenticated POST requests to API endpoints even with an
     X-CSRF-Token header

 - should perform CSRF validation for:
   - POST requests to non-API endpoints
   - session-authenticated POST requests to API endpoints

 - when CSRF validation should occur, but the user has cookies off:
   - POST requests to non-API endpoints should redirect to a "need
     cookies" page
   - XHR POST requests to non-API endpoints should not redirect
   - POST requests to API endpoints should not redirect

Change-Id: I3dbb3a68623bc9d03a3e744a9d4e1f038a32709c
Reviewed-on: https://gerrit.instructure.com/65103
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins
QA-Review: August Thornton <august@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
2016-01-11 23:31:47 +00:00
api only most recent submission 2016-01-11 18:00:37 +00:00
app_center Rebuilt App Center in React 2015-01-05 21:34:02 +00:00
basic_lti Better error logs and responses for grade passback 2015-11-05 22:49:25 +00:00
canvas refactor CSRF handling for clarity and rails3+ 2016-01-11 23:31:47 +00:00
cc prevent locked content in ePub from redirecting to Canvas web 2016-01-07 19:56:34 +00:00
data_fixup rails 4.2: s/destroy!/destroy_permanently! 2016-01-07 14:00:13 +00:00
external_auth_observation s/account_authorization_configs/authentication_providers/ (the association) 2015-08-27 04:44:58 +00:00
features correct i18n translation issue with DA 2015-08-20 22:38:59 +00:00
lti LTI Reregistration 2015-12-17 23:26:05 +00:00
messageable_user permit admins to send messages through gradebook 2015-12-11 17:30:43 +00:00
outcomes use rails 4.2 preloader format 2015-12-30 14:58:10 +00:00
reporting rails4.2: Fixnum#ago is deprecated 2015-12-29 21:14:11 +00:00
scribd add dummy Scribd::Document 2014-10-21 22:44:36 +00:00
services add feature flag and dynamic config for RCE service 2015-12-02 20:32:42 +00:00
sis set completed_at when completing enrollments through sis 2016-01-06 16:42:25 +00:00
stubs remove rails 2 support 2014-08-06 18:16:19 +00:00
tasks webpack via file config 2016-01-09 18:09:48 +00:00
turnitin add error message for exceeded turnitin lti retries 2015-09-15 20:55:57 +00:00
utils fixing date time with assignments 2015-05-13 22:28:23 +00:00
account_services.rb prevent marshalling errors from allowable_services 2015-12-30 17:53:46 +00:00
action_controller_test_process.rb remove rails 2 support 2014-08-06 18:16:19 +00:00
api.rb get sub account branding and custom css/includes working 2015-12-19 02:47:39 +00:00
api_route_set.rb LTI Reregistration 2015-12-17 23:26:05 +00:00
api_routes.rb LTI Reregistration 2015-12-17 23:26:05 +00:00
asset_signature.rb fix Lint/StringConversionInInterpolation issue 2015-04-27 20:53:25 +00:00
assignment_override_applicator.rb use rails 4.2 preloader format 2015-12-30 14:58:10 +00:00
authentication_methods.rb refactor CSRF handling for clarity and rails3+ 2016-01-11 23:31:47 +00:00
basic_lti.rb implement lti outbound adapter 2014-03-26 16:49:22 +00:00
brand_config_helpers.rb get sub account branding and custom css/includes working 2015-12-19 02:47:39 +00:00
brandable_css.rb translate brandable css variable names 2015-10-27 18:26:39 +00:00
browser.rb don't autorequire a bunch of gems that are rarely used 2015-04-09 18:47:50 +00:00
bulk_bounce_count_resetter.rb Add API to bulk fetch and reset communication channels 2016-01-11 21:19:42 +00:00
canvadocs.rb associate c(anva|roco)docs with submissions 2015-11-05 18:47:48 +00:00
canvas.rb expose installation uuid in health_check 2015-11-06 04:37:36 +00:00
canvas_logger.rb remove rails 3 support 2015-12-23 21:36:43 +00:00
canvas_yaml.rb whitelist floats with exponents in YAML 2016-01-11 20:14:50 +00:00
cc.rb rubyzip 1.0.0 upgrade 2013-11-22 19:23:34 +00:00
config_file.rb cleanup refactor of Rubocop's Lint/DeprecatedClassMethods 2015-04-28 18:38:24 +00:00
content_licenses.rb data model and API for file usage rights 2014-11-19 16:14:00 +00:00
content_notices.rb content migration import-in-progress notice 2014-08-20 16:25:15 +00:00
content_zipper.rb Allows downloading all submissions for a hard concluded course 2016-01-08 23:06:15 +00:00
copy_authorized_links.rb no more dynamic finders (lib) 2014-09-23 16:53:56 +00:00
course_link_validator.rb even more course link validator improvements 2016-01-11 17:14:47 +00:00
custom_validations.rb catch URI::Error instead of URI::InvalidURIError 2015-07-28 02:17:49 +00:00
cuty_capt.rb cleanup refactor of Rubocop's Lint/DeprecatedClassMethods 2015-04-28 18:38:24 +00:00
dates_overridable.rb return multiple due date info for survey quizzes on modules page 2015-12-07 18:12:29 +00:00
delayed_message_scrubber.rb remove messages older than 360 days 2013-11-07 17:19:59 +00:00
delicious.rb don't autorequire a bunch of gems that are rarely used 2015-04-09 18:47:50 +00:00
differentiable_assignment.rb add more caching + performance improvements 2015-08-18 16:01:33 +00:00
due_date_cacher.rb fix DueDateCacher quoting table names 2015-10-27 01:59:40 +00:00
email_address_validator.rb SIS Import validates email address 2015-10-13 14:51:50 +00:00
ember_bundle.rb cleanup refactor of Rubocop's Lint/DeprecatedClassMethods 2015-04-28 18:38:24 +00:00
enrollments_from_user_list.rb allow enrollments in multiple sections via Add People dialog 2014-12-22 17:21:18 +00:00
eportfolio_page.rb don't try to render url for eportfolio category with blank slug 2015-12-08 19:50:19 +00:00
external_feed_aggregator.rb catch more errors for external feed failure 2015-07-06 14:10:14 +00:00
external_statuses.rb deprecate Setting.get_cached 2013-10-10 00:42:52 +00:00
feature.rb Turn International SMS back off by default 2016-01-07 18:51:51 +00:00
feature_flags.rb remove some kludge-caching of :nil 2015-08-17 19:27:27 +00:00
file_in_context.rb handle failed attachments better in UnzipAttachment 2015-10-21 14:54:58 +00:00
file_splitter.rb Initial commit. 2011-01-31 18:57:29 -07:00
grade_calculator.rb add graded_at column to enrollments table 2016-01-04 23:08:47 +00:00
gradebook_exporter.rb always include sis login id in gradebook export 2015-12-02 17:03:52 +00:00
gradebook_importer.rb always include sis login id in gradebook export 2015-12-02 17:03:52 +00:00
gradebook_transformer.rb gradebook csv: show correct totals for mgp 2015-11-16 21:48:56 +00:00
has_content_tags.rb publish-module-item performance fix 2015-11-10 19:17:54 +00:00
host_url.rb fix Style/EmptyLineBetweenDefs issue 2015-04-29 16:28:39 +00:00
i18n_time_zone.rb i18nliner(.rb) 2014-10-29 21:59:39 +00:00
imported_html_converter.rb catch URI::Error instead of URI::InvalidURIError 2015-07-28 02:17:49 +00:00
kaltura.rb set a .csv file extension when using kaltura bulk api 2013-02-16 08:40:21 -07:00
learning_outcome_context.rb rails 4 style associations 2015-12-01 20:01:34 +00:00
locale_selection.rb i18nliner(.rb) 2014-10-29 21:59:39 +00:00
logging_filter.rb filter params recursively in error reports 2014-02-04 03:33:45 +00:00
login_hooks.rb build login hooks functionality 2015-01-16 14:04:22 +00:00
message_dispatcher.rb don't dispatch cancelled messages, fixes #7397 2012-02-24 12:21:21 -07:00
message_scrubber.rb scrub old unsent messages 2015-12-11 22:36:30 +00:00
messageable_user.rb rails4: various api spec fixes 2015-07-21 15:44:32 +00:00
model_cache.rb rails 4.2: allow bootup 2015-12-30 18:30:27 +00:00
multi_cache.rb fix MultiCache delete deleting from all nodes 2015-05-19 17:59:22 +00:00
mutable.rb rails4: deprecate Relation#all in favor of Relation#to_a 2015-07-24 21:28:14 +00:00
net_ldap_extensions.rb don't autorequire a bunch of gems that are rarely used 2015-04-09 18:47:50 +00:00
notification_message_creator.rb Reducing memory usage 2015-05-14 20:56:53 +00:00
open_object.rb Fetch grading periods for all related accounts 2015-03-24 17:41:46 +00:00
permissions.rb allow registering new permissions in plugins 2012-03-02 09:38:06 -07:00
progress_runner.rb add a batch_update method to conversations api 2013-02-14 09:36:36 -07:00
request_cache.rb performance improvements for enrollments and state_based_on_date 2015-07-02 15:51:16 +00:00
request_error.rb outcome gradebook: add export link 2014-03-28 20:37:03 +00:00
rubric_context.rb rails 4 style associations 2015-12-01 20:01:34 +00:00
scope_filter.rb decouple assignments scope permission logic from api index 2015-07-17 17:01:36 +00:00
search_term_helper.rb add search_term to files, modules, and module item apis 2013-08-02 20:12:04 +00:00
send_to_inbox.rb get sentry into canvas 2015-04-13 22:26:15 +00:00
send_to_stream.rb get sentry into canvas 2015-04-13 22:26:15 +00:00
sentry_proxy.rb setup a generalized way to leave out errors from sentry reporting 2015-06-23 22:41:26 +00:00
simple_stats.rb quiz item analysis generation, closes CNVS-3421 2013-04-23 15:50:36 +00:00
simple_tags.rb no more dynamic finders (lib) 2014-09-23 16:53:56 +00:00
sis.rb remove unnecessary lib/sis requires 2013-04-02 15:58:29 +00:00
sorts_assignments.rb change symbol array syntax for ruby 1.9 2015-03-03 20:47:03 +00:00
ssl_common.rb extract multipart gem 2014-02-28 23:00:09 +00:00
stats.rb fix confusing whitespace in lib/stats 2015-08-17 21:52:30 +00:00
sticky_sis_fields.rb use prepend instead of alias_method_chain in SisStickiness 2015-06-16 19:54:30 +00:00
submission_list.rb rails4: deprecate Relation#all in favor of Relation#to_a 2015-07-24 21:28:14 +00:00
summary_message_consolidator.rb switch to Shackles gem 2013-04-17 16:25:06 +00:00
syslog_wrapper.rb fix Style/EmptyLineBetweenDefs issue 2015-04-29 16:28:39 +00:00
temp_cache.rb performance improvements for enrollments and state_based_on_date 2015-07-02 15:51:16 +00:00
text_helper.rb localize values in datetime picker fields 2015-08-14 20:25:02 +00:00
time_zone_helper.rb remove rails 2 support 2014-08-06 18:16:19 +00:00
timed_cache.rb clear shard and special account caches based on age 2014-08-26 20:29:55 +00:00
tour.rb Agenda Tour and Tour popup restyle 2015-01-23 17:18:22 +00:00
turnitin.rb turnitin assignments are created using the current utc date 2015-11-09 22:07:27 +00:00
turnitin_id.rb make Turnitin::Client#id shard aware 2015-10-07 20:57:02 +00:00
unzip_attachment.rb avoid raw sql updates in several places 2015-06-16 16:14:48 +00:00
user_content.rb stop stripping alt tag when generating mathml 2015-12-14 17:08:47 +00:00
user_list.rb moar qualified name fixes found by specs 2015-10-27 15:10:23 +00:00
user_merge.rb rails 4.2: s/destroy!/destroy_permanently! 2016-01-07 14:00:13 +00:00
user_search.rb allow inactive enrollment type 2015-12-01 18:00:55 +00:00
visibility_plucking_helper.rb DA - module evaluation efficiency 2014-10-28 19:11:47 +00:00
zip_extractor.rb ignore zip entries containing '..' elements or symlinks 2014-07-24 15:41:21 +00:00