CSRF Vulnerability with :null_session or :reset_session

[nicolaracco]

During some penetration tests we found that the gem seems to be vulnerable to CSRF attacks when the forgery protection strategy is set to :null_session or :reset_session.

The problem seems to be related to Devise::InvitationsController

def current_inviter
  @current_inviter ||= authenticate_inviter!
end

The value is memoized before the session is checked, so the session is cleaned but the current inviter remains memoized.

In our application we overridden this method with

def current_inviter
  @current_inviter = authenticate_inviter!
end

and the problems seems to be solved.

[scambra]

@current_inviter was there to avoid calling authenticate_inviter! serveral times, do you think this change can have some undesired consequences?

[nicolaracco]

At the moment we had no issues removing the memoization. Indeed devise
itself does not memoize current_#{resource_name}

In any case, it's better a bug than a CSRF vulnerability in a gem like this
;)
Il 14/apr/2014 09:20 "Sergio Cambra" notifications@github.com ha scritto:

@current_inviter was there to avoid calling authenticate_inviter! serveral
times, do you think this change can have some undesired consequences?

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/457#issuecomment-40338969
.