Commit c3de77e0 authored by Steffen van Bergerem's avatar Steffen van Bergerem Committed by Dennis Schubert

Send notification mails on CSRF fails

closes #7050
parent 6ad9000f
......@@ -4,6 +4,7 @@
* Indicate proper way to report bugs in the sidebar [#7039](https://github.com/diaspora/diaspora/pull/7039)
* Remove text color from notification mails and fix sender avatar [#7054](https://github.com/diaspora/diaspora/pull/7054)
* Make the session cookies HttpOnly again [#7041](https://github.com/diaspora/diaspora/pull/7041)
* Invalidate sessions with invalid CSRF tokens [#7050](https://github.com/diaspora/diaspora/pull/7050)
## Bug fixes
* Post comments no longer get collapsed when interacting with a post [#7040](https://github.com/diaspora/diaspora/pull/7040)
......
......@@ -8,7 +8,11 @@ class ApplicationController < ActionController::Base
protect_from_forgery except: :receive, with: :exception
rescue_from ActionController::InvalidAuthenticityToken do
sign_out current_user
if user_signed_in?
logger.warn "#{current_user.diaspora_handle} CSRF token fail. referer: #{request.referer || 'empty'}"
Workers::Mail::CsrfTokenFail.perform_async(current_user.id)
sign_out current_user
end
flash[:error] = I18n.t("error_messages.csrf_token_fail")
redirect_to new_user_session_path format: request[:format]
end
......
module NotificationMailers
class CsrfTokenFail < NotificationMailers::Base
def set_headers
@headers[:subject] = I18n.t("notifier.csrf_token_fail.subject", name: @recipient.name)
end
end
end
......@@ -87,6 +87,10 @@ class Notifier < ActionMailer::Base
send_notification(:confirm_email, recipient_id)
end
def csrf_token_fail(recipient_id)
send_notification(:csrf_token_fail, recipient_id)
end
private
def send_notification(type, *args)
@notification = NotificationMailers.const_get(type.to_s.camelize).new(*args)
......
<%= t("notifier.csrf_token_fail.body", name: @notification.recipient_first_name, link: "https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)") %>
module Workers
module Mail
class CsrfTokenFail < Base
sidekiq_options queue: :low
def perform(user_id)
Notifier.csrf_token_fail(user_id).deliver_now
end
end
end
end
......@@ -696,6 +696,18 @@ en:
confirm_email:
subject: "Please activate your new email address %{unconfirmed_email}"
click_link: "To activate your new email address %{unconfirmed_email}, please follow this link:"
csrf_token_fail:
subject: "We received an unauthorized request from your account, %{name}"
body: |-
Hello %{name},
We received a request with a wrong/missing CSRF token from your account. To prevent any possible damage you have been logged out.
For more information on CSRF see [%{link}](%{link}).
Sorry,
The diaspora* email robot!
report_email:
type:
post: "post"
......
......@@ -37,6 +37,12 @@ describe ApplicationController, type: :request do
expect(flash[:error]).to eq(I18n.t("error_messages.csrf_token_fail"))
end
it "sends an email to the current user if the token validation failed" do
expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(false)
expect(Workers::Mail::CsrfTokenFail).to receive(:perform_async).with(alice.id)
put edit_user_path, user: {language: "en"}
end
it "doesn't sign out users if the token was correct" do
expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(true)
put edit_user_path, user: {language: "en"}
......
......@@ -432,6 +432,26 @@ describe Notifier, type: :mailer do
end
end
describe ".csrf_token_fail" do
let(:email) { Notifier.csrf_token_fail(alice.id) }
it "goes to the right person" do
expect(email.to).to eq([alice.email])
end
it "has the correct subject" do
expect(email.subject).to eq(I18n.translate("notifier.csrf_token_fail.subject", name: alice.name))
end
it "has the receivers name in the body" do
expect(email.body.encoded).to include(alice.person.profile.first_name)
end
it "has some informative text in the body" do
expect(email.body.encoded).to include("https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)")
end
end
describe "hashtags" do
it "escapes hashtags" do
mails = Notifier.admin("#Welcome to bureaucracy!", [bob])
......
# Copyright (c) 2010-2011, Diaspora Inc. This file is
# licensed under the Affero General Public License version 3 or later. See
# the COPYRIGHT file.
require "spec_helper"
describe Workers::Mail::CsrfTokenFail do
describe "#perfom" do
it "should call .deliver on the notifier object" do
user = alice
mail_double = double
expect(mail_double).to receive(:deliver_now)
expect(Notifier).to receive(:csrf_token_fail).with(user.id).and_return(mail_double)
Workers::Mail::CsrfTokenFail.new.perform(user.id)
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment