From 3223ba53c3840fc240a166488bfcdd86b9eb6de1 Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Fri, 28 Nov 2025 12:14:48 +0100 Subject: [PATCH] We need the check in both test/code --- .../concerns/request_forgery_protection.rb | 2 +- .../request_forgery_protection_test.rb | 18 ++++++++++-------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/app/controllers/concerns/request_forgery_protection.rb b/app/controllers/concerns/request_forgery_protection.rb index fadc88672..ddc47065f 100644 --- a/app/controllers/concerns/request_forgery_protection.rb +++ b/app/controllers/concerns/request_forgery_protection.rb @@ -42,7 +42,7 @@ module RequestForgeryProtection Rails.logger.info "CSRF protection check: " + info.map { it.join(" ") }.join(", ") - if defined?(Sentry) && (origin && token) != sec_fetch_site + if Fizzy.saas? && (origin && token) != sec_fetch_site Sentry.capture_message "CSRF protection mismatch", level: :info, extra: { info: info } end end diff --git a/test/controllers/concerns/request_forgery_protection_test.rb b/test/controllers/concerns/request_forgery_protection_test.rb index 797c2039a..f34790caa 100644 --- a/test/controllers/concerns/request_forgery_protection_test.rb +++ b/test/controllers/concerns/request_forgery_protection_test.rb @@ -33,7 +33,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "fail and report when token doesn't match, regardless of Sec-Fetch-Site" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site pass (same-origin)", "token fail" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site pass (same-origin)", "token fail"]) do assert_no_difference -> { Board.count } do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: "invalid-token" }, @@ -45,8 +45,8 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "fail and report when Origin doesn't match, regardless of Sec-Fetch-Site" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site pass (same-origin)", - "token pass", "origin fail (evil-site.com)" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site pass (same-origin)", + "token pass", "origin fail (evil-site.com)"]) do assert_no_difference -> { Board.count } do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token }, @@ -58,7 +58,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "succeed and report when Sec-Fetch-Site is cross-site and CSRF token matches" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site fail (cross-site)", "token pass" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site fail (cross-site)", "token pass"]) do assert_difference -> { Board.count }, +1 do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token }, @@ -70,7 +70,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "succeed and report when Sec-Fetch-Site is none" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site fail (none)", "token pass" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site fail (none)", "token pass"]) do assert_difference -> { Board.count }, +1 do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token }, @@ -82,7 +82,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "succeed and report when Sec-Fetch-Site is missing" do assert_report - assert_log(includes: [ "CSRF protection check", "sec_fetch_site fail ()", "token pass" ]) do + assert_log(includes: ["CSRF protection check", "sec_fetch_site fail ()", "token pass"]) do assert_difference -> { Board.count }, +1 do post boards_path, params: { board: { name: "Test Board" }, authenticity_token: csrf_token } end @@ -134,8 +134,10 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest end def assert_report - Sentry.expects(:capture_message).with do |message, **kwargs| - message == "CSRF protection mismatch" && kwargs[:level] == :info + if Fizzy.saas? + Sentry.expects(:capture_message).with do |message, **kwargs| + message == "CSRF protection mismatch" && kwargs[:level] == :info + end end end