diff --git a/app/controllers/concerns/request_forgery_protection.rb b/app/controllers/concerns/request_forgery_protection.rb index fadc88672..ddc47065f 100644 --- a/app/controllers/concerns/request_forgery_protection.rb +++ b/app/controllers/concerns/request_forgery_protection.rb @@ -42,7 +42,7 @@ module RequestForgeryProtection Rails.logger.info "CSRF protection check: " + info.map { it.join(" ") }.join(", ") - if defined?(Sentry) && (origin && token) != sec_fetch_site + if Fizzy.saas? && (origin && token) != sec_fetch_site Sentry.capture_message "CSRF protection mismatch", level: :info, extra: { info: info } end end diff --git a/test/controllers/concerns/request_forgery_protection_test.rb b/test/controllers/concerns/request_forgery_protection_test.rb index 797c2039a..f34790caa 100644 --- a/test/controllers/concerns/request_forgery_protection_test.rb +++ b/test/controllers/concerns/request_forgery_protection_test.rb @@ -33,7 +33,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "fail and report when token doesn't match, regardless of Sec-Fetch-Site" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site pass (same-origin)", "token fail" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site pass (same-origin)", "token fail"]) do assert_no_difference -> { Board.count } do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: "invalid-token" }, @@ -45,8 +45,8 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "fail and report when Origin doesn't match, regardless of Sec-Fetch-Site" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site pass (same-origin)", - "token pass", "origin fail (evil-site.com)" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site pass (same-origin)", + "token pass", "origin fail (evil-site.com)"]) do assert_no_difference -> { Board.count } do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token }, @@ -58,7 +58,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "succeed and report when Sec-Fetch-Site is cross-site and CSRF token matches" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site fail (cross-site)", "token pass" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site fail (cross-site)", "token pass"]) do assert_difference -> { Board.count }, +1 do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token }, @@ -70,7 +70,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "succeed and report when Sec-Fetch-Site is none" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site fail (none)", "token pass" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site fail (none)", "token pass"]) do assert_difference -> { Board.count }, +1 do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token }, @@ -82,7 +82,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "succeed and report when Sec-Fetch-Site is missing" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site fail ()", "token pass" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site fail ()", "token pass"]) do assert_difference -> { Board.count }, +1 do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token } end @@ -134,8 +134,10 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest end def assert_report - Sentry.expects(:capture_message).with do |message, **kwargs| - message == "CSRF protection mismatch" && kwargs[:level] == :info + if Fizzy.saas? + Sentry.expects(:capture_message).with do |message, **kwargs| + message == "CSRF protection mismatch" && kwargs[:level] == :info + end end end