action_controller-stashed_redirects
Pass between different controller flows via stashed redirects
Stash a redirect to execute a controller flow within another and return to the original flow later.
```ruby
class ApplicationController < ActionController::Base
  before_action :authenticate

  private
    def authenticate
      # Pass `redirect_url:` to pass the URL we're currently on.
      redirect_to new_session_url(redirect_url: request.url) unless Current.user
    end
end
```
```ruby
class SessionsController < ApplicationController
  # Stash a redirect at the start of the session authentication flow,
  # from `params[:redirect_url]` automatically.
  stash_redirect_for :sign_in, on: :new

  def new
  end

  def create
    if User.authenticate_by(session_params)
      # On success, redirect the user back to where they first tried to access before being authenticated.
      redirect_from_stashed :sign_in
    else
      render :new, status: :unprocessable_entity
    end
  end
end
```
See the internal documentation for more usage information.

Only internal redirects are allowed, so an attacker can't pass an external `redirect_url` and turn the stashed redirect into an open redirect.
Consider a flow where you want to require super-user, or sudo, privileges for a given action, e.g. type in your password before you can change your credit card.

We'll make a `require_sudo` API that we can annotate our controller with like this:
```ruby
class Billing::CreditCardsController < ApplicationController
  require_sudo # Require sudo on all actions in this controller.
  # require_sudo_on :edit, :update # Or just for some actions.

  def edit
  end

  def update
    Current.user.billing.credit_cards.find(params[:id]).update!(credit_card_params)
  end
end
```
`require_sudo` or `require_sudo_on` can come from a controller concern like this:
```ruby
# app/controllers/concerns/sudo/examination.rb
module Sudo::Examination
  # Define the class-level macros on whichever controller includes the concern.
  # Endless method definitions and anonymous `**` forwarding need Ruby 3.2+.
  def self.included(klass) = klass.singleton_class.class_eval do
    # `only:` takes an array of action names, so pass `actions` as-is (splatting it here is a syntax error).
    def require_sudo_on(*actions, **) = require_sudo(only: actions, **)
    def require_sudo(...) = before_action(:require_sudo, ...)
  end

  private
    def require_sudo
      if sudo.exam_needed?
        raise "Non-get: can't redirect back here, make sure you do …something with an interstitial page?" unless request.get?
        redirect_to new_sudo_exams_url(redirect_url: request.url)
      end
    end

    def sudo = Sudo.new(session)
end

# Which we include in ApplicationController:
class ApplicationController < ActionController::Base
  include Sudo::Examination
end
```
Notice how in `redirect_to new_sudo_exams_url(redirect_url: request.url)` we're passing the `redirect_url:` along that `ActionController::StashedRedirects` will need. It's pointing back to the page we're on, which required sudo authentication, so we can redirect back to it after the sudo exam has been passed.
Next up, we can add an in-memory PORO model to give the behavior some better names:
```ruby
# app/models/sudo.rb
class Sudo < Data.define(:store)
  def passed!
    # Session values are serialized (e.g. to JSON in the cookie store), so store a
    # string rather than a Time object; it then reads back the same way in later requests.
    store[:sudo_expires_at] = 15.minutes.from_now.iso8601
  end

  def exam_needed?
    expires_at = store[:sudo_expires_at]
    expires_at.nil? || Time.iso8601(expires_at).past?
  end
end
```
Next, we can add the authenticating sudo controller itself, where `stash_redirect_for` will use the `redirect_url:` from earlier:
```ruby
# app/controllers/sudo/exams_controller.rb
class Sudo::ExamsController < ApplicationController
  stash_redirect_for :sudo, on: :new

  def new
    redirect_from_stashed :sudo unless sudo.exam_needed?
  end

  def create
    if pass_sudo_exam?
      sudo.passed!
      redirect_from_stashed :sudo
    else
      render :new, status: :unprocessable_entity
    end
  end

  private def pass_sudo_exam? = Current.user.authenticate_password(params[:password])
end
```
Finally, we mount the routes for the controller:
```ruby
# config/routes.rb
namespace :sudo do
  resources :exams
end
```
Users can now fill in their password, which will hit `sudo/exams#create` and redirect them back to the edit form on the credit cards flow if it's the correct password.
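To make the two properties the README relies on concrete, here is a stand-alone Ruby model (an added example, not the gem's own implementation, whose internals are not shown on this page) of both the stashed-redirect mechanism behind `stash_redirect_for` / `redirect_from_stashed` and the sudo exam flow above. The session is a plain Hash, the app host `app.example.test`, the route strings, the 15-minute window and the `internal_url?` check are all assumptions made for the example; the point it demonstrates is that a `redirect_url` parameter is attacker-controllable, so only same-host or relative targets may ever be stashed, and that the sudo grant expires on its own.

```ruby
require "uri"
require "time"

# Assumed application host for the example (not from the page).
APP_HOST = "app.example.test"

# True only for relative paths or absolute URLs on our own host. Other hosts,
# protocol-relative "//host" URLs, userinfo tricks and non-http schemes are all
# rejected, which is what keeps the stashed redirect from becoming an open redirect.
def internal_url?(url)
  return false if url.nil? || url.empty?
  uri = URI.parse(url)
rescue URI::InvalidURIError
  false
else
  if uri.host.nil?
    uri.scheme.nil? && url.start_with?("/") && !url.start_with?("//")
  else
    uri.host == APP_HOST && %w[http https].include?(uri.scheme)
  end
end

# Models `stash_redirect_for`: validate the attacker-controllable URL before storing it.
def stash_redirect(session, purpose, url, fallback:)
  session["__redirect_for_#{purpose}"] = internal_url?(url) ? url : fallback
end

# Models `redirect_from_stashed`: pop the stashed URL (so it is used once) or fall back.
def redirect_from_stashed(session, purpose, fallback:)
  session.delete("__redirect_for_#{purpose}") || fallback
end

# Session-backed sudo grant; values are stored as ISO 8601 strings because a
# real session serializes them anyway. `now:` is injectable for testing.
class Sudo
  WINDOW = 15 * 60 # seconds, assumed

  def initialize(store) = @store = store

  def passed!(now: Time.now)
    @store[:sudo_expires_at] = (now + WINDOW).iso8601
  end

  def exam_needed?(now: Time.now)
    expires_at = @store[:sudo_expires_at]
    expires_at.nil? || Time.iso8601(expires_at) <= now
  end
end

# Models the `require_sudo` before_action: nil means "proceed with the action",
# a String is the redirect target carrying the current URL as `redirect_url`.
def require_sudo(session, current_url, now: Time.now)
  return nil unless Sudo.new(session).exam_needed?(now: now)
  "/sudo/exams/new?redirect_url=#{URI.encode_www_form_component(current_url)}"
end

# Models Sudo::ExamsController#new (stash) followed by #create (verify, grant, pop).
# The redirect_url param comes from the query string, so it is validated when stashed.
def take_sudo_exam(session, redirect_url_param, password_ok:, now: Time.now)
  stash_redirect(session, :sudo, redirect_url_param, fallback: "/")
  return :unprocessable_entity unless password_ok
  Sudo.new(session).passed!(now: now)
  redirect_from_stashed(session, :sudo, fallback: "/")
end

if $PROGRAM_NAME == __FILE__
  session = {}
  puts require_sudo(session, "/billing/credit_cards/1/edit")
  puts take_sudo_exam(session, "/billing/credit_cards/1/edit", password_ok: true)
  puts take_sudo_exam({}, "https://evil.example/phish", password_ok: true) # falls back to "/"
end
```

The stash is deleted when it is read, so a stashed URL can only be followed once, and the validation happens at stash time rather than at redirect time, so nothing unvalidated ever sits in the session.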
Install the gem and add to the application's Gemfile by executing:

```sh
$ bundle add action_controller-stashed_redirects
```

If bundler is not being used to manage dependencies, install the gem by executing:

```sh
$ gem install action_controller-stashed_redirects
```
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/kaspth/action_controller-stashed_redirects.
The gem is available as open source under the terms of the MIT License.