Commit 6fef87f1 authored by blackst0ne's avatar blackst0ne

[Rails5] Force the `protect_from_forgery` callback run first

Since Rails 5.0 the `protect_from_forgery` callback doesn't run first by
default anymore. [1]

Instead it gets inserted into callbacks chain where callbacks get
called in order.

This commit forces the callback to run first.

[1]: https://github.com/rails/rails/commit/39794037817703575c35a75f1961b01b83791191
parent e40aa397
...@@ -27,7 +27,7 @@ class ApplicationController < ActionController::Base ...@@ -27,7 +27,7 @@ class ApplicationController < ActionController::Base
after_action :set_page_title_header, if: -> { request.format == :json } after_action :set_page_title_header, if: -> { request.format == :json }
protect_from_forgery with: :exception protect_from_forgery with: :exception, prepend: true
helper_method :can? helper_method :can?
helper_method :import_sources_enabled?, :github_import_enabled?, :gitea_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled? helper_method :import_sources_enabled?, :github_import_enabled?, :gitea_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?
......
class HealthController < ActionController::Base class HealthController < ActionController::Base
protect_from_forgery with: :exception, except: :storage_check protect_from_forgery with: :exception, except: :storage_check, prepend: true
include RequiresWhitelistedMonitoringClient include RequiresWhitelistedMonitoringClient
CHECKS = [ CHECKS = [
......
class MetricsController < ActionController::Base class MetricsController < ActionController::Base
include RequiresWhitelistedMonitoringClient include RequiresWhitelistedMonitoringClient
protect_from_forgery with: :exception protect_from_forgery with: :exception, prepend: true
def index def index
response = if Gitlab::Metrics.prometheus_metrics_enabled? response = if Gitlab::Metrics.prometheus_metrics_enabled?
......
...@@ -2,7 +2,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -2,7 +2,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include AuthenticatesWithTwoFactor include AuthenticatesWithTwoFactor
include Devise::Controllers::Rememberable include Devise::Controllers::Rememberable
protect_from_forgery except: [:kerberos, :saml, :cas3] protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
def handle_omniauth def handle_omniauth
omniauth_flow(Gitlab::Auth::OAuth) omniauth_flow(Gitlab::Auth::OAuth)
......
---
title: "[Rails5] Force the callback run first"
merge_request: 20055
author: "@blackst0ne"
type: fixed
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
module Gitlab module Gitlab
module RequestForgeryProtection module RequestForgeryProtection
class Controller < ActionController::Base class Controller < ActionController::Base
protect_from_forgery with: :exception protect_from_forgery with: :exception, prepend: true
rescue_from ActionController::InvalidAuthenticityToken do |e| rescue_from ActionController::InvalidAuthenticityToken do |e|
logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`" logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment