FIX: Skip CSRF token check on webhook routes (#16982)

The `WebhookController` inherits directly from `ActionController::Base`. Since Rails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633b, it took effect on this controller and broke integrations.

This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.
This commit is contained in:
Wolftallemo 2022-06-13 10:36:45 -04:00 committed by GitHub
parent 77632d2d36
commit be556ef17b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions

View File

@ -3,6 +3,7 @@
require "openssl" require "openssl"
class WebhooksController < ActionController::Base class WebhooksController < ActionController::Base
skip_before_action :verify_authenticity_token
def mailgun def mailgun
return mailgun_failure if SiteSetting.mailgun_api_key.blank? return mailgun_failure if SiteSetting.mailgun_api_key.blank?

View File

@ -15,6 +15,11 @@ describe WebhooksController do
before do before do
SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493" SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493"
ActionController::Base.allow_forgery_protection = true # Ensure the endpoint works, even with CSRF protection generally enabled
end
after do
ActionController::Base.allow_forgery_protection = false
end end
it "works (deprecated)" do it "works (deprecated)" do