CAPT-2087 Skip CSRF checks for unwanted requests
kenfodder committed Dec 23, 2024
1 parent 2cd7f30 commit d47a1b8
Showing 2 changed files with 20 additions and 0 deletions.
1 change: 1 addition & 0 deletions app/controllers/application_controller.rb
Expand Up @@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
TIMEOUT_WARNING_LENGTH_IN_MINUTES = 2

helper_method :timeout_warning_in_minutes
protect_from_forgery except: :handle_unwanted_requests

def handle_unwanted_requests
render file: Rails.root.join("public", "404.html"), status: :not_found, layout: false
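Review bot: The added `protect_from_forgery except: :handle_unwanted_requests` on line 20 passes no `with:` strategy, and Rails' `protect_from_forgery` then installs `:null_session` as the strategy for every action in the controller; if this class previously relied on the framework default of `with: :exception` (plausible, since the spec's comment says failed checks were surfacing in Rollbar as errors), the commit silently downgrades a CSRF failure on every other action from a raised `ActionController::InvalidAuthenticityToken` to an emptied session that keeps processing. Keep the stricter failure mode explicit: `protect_from_forgery with: :exception, except: :handle_unwanted_requests`. The exemption itself is low-risk only as long as `handle_unwanted_requests` keeps rendering the static 404 page and changes no state, which deserves a comment on the method such as `# CSRF-exempt: renders a static 404 and performs no state change`. The class body continues outside the hunk.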
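--- /dev/null
+++ b/spec/requests/application_spec.rb
@@ -0,0 +1,19 @@
+require "rails_helper"
+
+RSpec.describe "Application", type: :request do
+describe "#handle_unwanted_requests" do
+before do
+ActionController::Base.allow_forgery_protection = true
+end
+
+after do
+ActionController::Base.allow_forgery_protection = false
+end
+
+# Stops Rollbar reporting requests routed to `handle_unwanted_requests` that then cause a CSRF failure
+it "ignores CSRF checks" do
+post "/RANDOMSTRING.txt", headers: {"X-CSRF-Token" => "invalid_token"}
+expect(response.code).to eq "404"
+end
+end
+end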
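Review bot: The `after` hook at line 37 resets `allow_forgery_protection` to a hard-coded `false` instead of the value it held before the example, so this spec leaks a changed global into later specs if the suite ever runs with forgery protection enabled; capture it in `before` with `@original_forgery_protection = ActionController::Base.allow_forgery_protection` and restore it in `after` with `ActionController::Base.allow_forgery_protection = @original_forgery_protection`. The single example proves only that the 404 action is exempt, not that the rest of the controller remains protected, so a companion example that posts to a state-changing route with the same invalid token and expects the CSRF failure would catch a later loosening of the strategy. The routing that sends `/RANDOMSTRING.txt` to `handle_unwanted_requests` lives outside this diff, so the example is also coupled to that catch-all route.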
