Forked from mctaylorpants/request_forgery_protection.rb
Created
January 5, 2024 12:08
# actionpack/lib/action_controller/metal/request_forgery_protection.rb

# Sets the token value for the current session.
def form_authenticity_token(form_options: {})
  masked_authenticity_token(session, form_options: form_options)
end

# Creates a masked version of the authenticity token that varies
# on each request. The masking is used to mitigate SSL attacks
# like BREACH.
def masked_authenticity_token(session, form_options: {}) # :doc:
  # ...
  raw_token = if per_form_csrf_tokens && action && method
    # ...
  else
    real_csrf_token(session)
  end

  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
  masked_token = one_time_pad + encrypted_csrf_token
  Base64.strict_encode64(masked_token)
end
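The excerpt above shows only the masking direction. Below is an added, self-contained example (not Rails' code, and not part of the gist) that re-implements the same scheme so the unmasking and verification side can be checked too: the masked value is `pad || (pad XOR token)`, Base64-encoded, so each request emits a different ciphertext for the same session token, which is what defeats a compression side channel like BREACH. `xor_byte_strings`, `mask_token`, `unmask_token`, `secure_compare` and `valid_token?` are names chosen here for illustration; `AUTHENTICITY_TOKEN_LENGTH = 32` is assumed.

```ruby
require "securerandom"
require "base64"

# Assumed constant for this example; Rails defines its own.
AUTHENTICITY_TOKEN_LENGTH = 32

# XOR two equal-length byte strings. Illustrative helper; Rails keeps an
# equivalent private method, this is not that code.
def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |a, b| a ^ b }.pack("C*")
end

# Mask a raw session token with a fresh one-time pad:
# output = Base64( pad || (pad XOR raw_token) ).
def mask_token(raw_token)
  unless raw_token.bytesize == AUTHENTICITY_TOKEN_LENGTH
    raise ArgumentError, "token must be #{AUTHENTICITY_TOKEN_LENGTH} bytes"
  end
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  encrypted    = xor_byte_strings(one_time_pad, raw_token)
  Base64.strict_encode64(one_time_pad + encrypted)
end

# Reverse the masking: split off the pad and XOR it back onto the second half.
# Returns nil on malformed input (bad Base64 or wrong length) so a verifier
# can treat it as simply invalid rather than raising.
def unmask_token(masked)
  decoded = Base64.strict_decode64(masked)
  return nil unless decoded.bytesize == AUTHENTICITY_TOKEN_LENGTH * 2
  pad       = decoded[0, AUTHENTICITY_TOKEN_LENGTH]
  encrypted = decoded[AUTHENTICITY_TOKEN_LENGTH, AUTHENTICITY_TOKEN_LENGTH]
  xor_byte_strings(pad, encrypted)
rescue ArgumentError
  nil
end

# Constant-time comparison: a plain == would stop at the first differing
# byte and leak how much of the token matched.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check of a submitted masked token against the session's raw token.
def valid_token?(session_token, submitted)
  secure_compare(session_token, unmask_token(submitted))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample session token.
  session_token = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  first  = mask_token(session_token)
  second = mask_token(session_token)
  puts "two maskings of the same token differ: #{first != second}"
  puts "both verify against the session: #{valid_token?(session_token, first) && valid_token?(session_token, second)}"
end
```

The design point worth noticing is that the pad gives no secrecy on its own (it is sent in the clear alongside the XORed token); it only makes the transmitted bytes non-repeating, which is exactly the property a compression-ratio side channel needs to be absent.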