From d47a1b89ac713b94c2bddea429e236a54f196fe1 Mon Sep 17 00:00:00 2001
From: Kenneth Lee
Date: Mon, 23 Dec 2024 16:19:53 +0000
Subject: [PATCH] CAPT-2087 Skip CSRF checks for unwanted requests
---
 app/controllers/application_controller.rb | 1 +
 spec/requests/application_spec.rb | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 spec/requests/application_spec.rb
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2f1e90e448..26b5bf83e4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
 TIMEOUT_WARNING_LENGTH_IN_MINUTES = 2
 helper_method :timeout_warning_in_minutes
+ protect_from_forgery except: :handle_unwanted_requests
 def handle_unwanted_requests
 render file: Rails.root.join("public", "404.html"), status: :not_found, layout: false
diff --git a/spec/requests/application_spec.rb b/spec/requests/application_spec.rb
new file mode 100644
index 0000000000..71a46f98b9
--- /dev/null
+++ b/spec/requests/application_spec.rb
@@ -0,0 +1,19 @@
+require "rails_helper"
+
+RSpec.describe "Application", type: :request do
+ describe "#handle_unwanted_requests" do
+ before do
+ ActionController::Base.allow_forgery_protection = true
+ end
+
+ after do
+ ActionController::Base.allow_forgery_protection = false
+ end
+
+ # Stops Rollbar reporting requests routed to `handle_unwanted_requests` that then cause a CSRF failure
+ it "ignores CSRF checks" do
+ post "/RANDOMSTRING.txt", headers: {"X-CSRF-Token" => "invalid_token"}
+ expect(response.code).to eq "404"
+ end
+ end
+end
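Review bot: The added `protect_from_forgery except: :handle_unwanted_requests` omits `with:`, so it installs that method's default `:null_session` strategy for every action in the app; if the app had been relying on the Rails 5.2+ `default_protect_from_forgery` behaviour (`with: :exception`), forged requests that used to raise `InvalidAuthenticityToken` now run silently with an empty session, which is a much wider change than the commit title suggests. Keep whatever strategy is already in force and carve out only the 404 action, `skip_forgery_protection only: :handle_unwanted_requests` (or `skip_before_action :verify_authenticity_token, only: :handle_unwanted_requests` on older Rails), or at least make the strategy explicit with `protect_from_forgery with: :exception, except: :handle_unwanted_requests`. The exemption itself is acceptable only while the action stays side-effect-free, which it is here since it just renders the static 404 page, so a comment above the line such as `# CSRF is skipped for this catch-all 404 action only because it has no side effects; keep it that way` would protect that assumption. The class body continues outside the hunk.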
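Review bot: The `after` block resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` rather than the value it had before the example, so any test-environment configuration that enables forgery protection would be silently switched off for every spec that runs afterwards. Saving the previous value and restoring it in an `around` hook, as below, also keeps the restore on the exception path. Separately, the single `expect(response.code).to eq "404"` does not distinguish the `except:` carve-out from a `:null_session` strategy that never raises, since the POST returns 404 either way; a negative control that posts to a CSRF-protected route with the same bad token and expects the rejection would make this spec fail when the exemption is removed. The leading comment should also say what is asserted rather than why Rollbar cares, e.g. `# A bad X-CSRF-Token must not stop the catch-all action from rendering the 404 page`.
```ruby
describe "#handle_unwanted_requests" do
  around do |example|
    previous = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    example.run
  ensure
    ActionController::Base.allow_forgery_protection = previous
  end
  # … unchanged: the "ignores CSRF checks" example …
```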