bchiu-merb_forgery_protection 0.0.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 YOUR NAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,71 @@
+= merb_forgery_protection
+
+  Merb plugin that provides forgery protection against css attacks.
+  
+  Protect a controller's actions from CSRF attacks by ensuring that all forms
+  are coming from the current web application, not a forged link from another 
+  site. This is done by embedding a token based on the session (which an 
+  attacker wouldn't know) in all forms and Ajax requests generated by Merb 
+  and then verifying the authenticity of that token in the controller. Only
+  HTML/JavaScript requests are checked, so this will not protect your XML API
+  (presumably you'll have a different authentication scheme there anyway). 
+  Also, GET requests are not protected as these should be indempotent anyway.
+  
+  You turn this on with the #protect_from_forgery method, which will perform 
+  the check and raise a InvalidAuthenticityToken exception if the token doesn't
+  match what was expected. And it will add an authenticity_token parameter to 
+  all forms that are automatically generated by Merb. You can customize the 
+  error message given through public/422.html.
+  
+  Learn more about CSRF (Cross-Site Request Forgery) attacks:
+  
+  * http://isc.sans.org/diary.html?storyid=1750
+  * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+  
+  Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security
+  blanket for your merb app. There are a few guidelines you should follow:
+  
+  * Keep your GET requests safe and idempotent.  More reading material:
+    * http://www.xml.com/pub/a/2002/04/24/deviant.html
+    * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+  * Make sure the session cookies that Rails creates are non-persistent.  
+    Check in Firefox and look for "Expires: at end of session"
+  
+  If you need to construct a request yourself, but still want to take advantage
+  of forgery protection, you can grab the authenticity_token using the 
+  authenticity_token helper method and make it part of the parameters yourself.
+
+== Installation
+
+  git clone git://github.com/bchiu/merb_forgery_protection.git
+  cd merb_forgery_protection
+  rake install
+
+== Example
+
+  class Foo < Application
+    # uses the cookie session store (then you don't need a separate :secret)
+    protect_from_forgery :exclude => :index
+
+    # uses one of the other session stores that uses a session_id value.
+    protect_from_forgery :secret => 'my-little-pony', :exclude => :index
+
+    # you can disable csrf protection on controller-by-controller basis:
+    protect_from_forgery :enable => false
+  end
+
+== Configuration
+
+  To disable forgery protection globally put this in your init.rb:
+  Merb::Plugins.config[:forgery_protection] = { :enable => false }
+  
+  === Global Options:
+  :secret - salt used to generate the token (default :session_secret_key)
+  :enable - enable/disable protection for all controllers (default true)
+  :digest - message digest used for hashing (default 'SHA1')
+  :token_name - form field name for token (default :authenticity_token)
+  
+  === Controller Options:
+  :only/:exclude - set which controller actions are protected from forgery
+  :enable - enable/disable protection for this controller (default true)
+  :secret - salt used to generate the token (default :session_secret_key)

data/Rakefile

@@ -0,0 +1,55 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'rubygems/specification'
+require 'date'
+require 'merb_rake_helper'
+
+PLUGIN = "merb_forgery_protection"
+NAME = "merb_forgery_protection"
+GEM_VERSION = "0.0.1"
+AUTHOR = "Ben Chiu"
+EMAIL = "bchiu@yahoo.com"
+HOMEPAGE = "http://github.com/bchiu/merb_forgery_protection"
+SUMMARY = "Merb plugin that provides forgery protection against css attacks"
+
+spec = Gem::Specification.new do |s|
+  s.name = NAME
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README", "LICENSE", 'TODO']
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+  s.add_dependency('merb', '>= 0.9.0')
+  s.require_path = 'lib'
+  s.autorequire = PLUGIN
+  s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,spec}/**/*")
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+desc "install the plugin locally"
+task :install => [:package] do
+  sh %{#{sudo} #{gemx} install pkg/#{NAME}-#{GEM_VERSION} --local --no-update-sources}
+end
+
+desc "create a gemspec file"
+task :make_spec do
+  File.open("#{NAME}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end
+
+namespace :jruby do
+
+  desc "Run :package and install the resulting .gem with jruby"
+  task :install => :package do
+    sh %{#{sudo} jruby -S gem install pkg/#{NAME}-#{GEM_VERSION}.gem --no-rdoc --no-ri}
+  end
+
+end

data/TODO

@@ -0,0 +1 @@
+TODO:

data/lib/merb_forgery_protection.rb

@@ -0,0 +1,23 @@
+if defined?(Merb::Plugins)
+  require 'merb_forgery_protection/forgery_protection'
+  require 'merb_forgery_protection/form_helpers'
+
+  DEFAULT_CONFIG = {
+    :secret => Merb::Config[:session_secret_key],
+    :enable => true,
+    :digest => 'SHA1',
+    :token_name => :authenticity_token
+  }
+
+  Merb::Plugins.config[:merb_forgery_protection] = DEFAULT_CONFIG.update(
+    Merb::Plugins.config[:merb_forgery_protection]||{}
+  )
+
+  Merb::BootLoader.before_app_loads do
+  end
+
+  Merb::BootLoader.after_app_loads do
+  end
+
+  Merb::Plugins.add_rakefiles "merb_forgery_protection/merbtasks"
+end

data/lib/merb_forgery_protection/forgery_protection.rb

@@ -0,0 +1,65 @@
+module Merb::ControllerExceptions
+  class InvalidAuthenticityToken < ClientError
+    self.status = 401
+  end
+end
+
+class Merb::Controller
+   attr_accessor :protection_options
+   @protection_options = {}
+
+  def self.protect_from_forgery(opts = {})
+    with = {}
+    [:secret,:enable].each {|k| with[k] = opts.delete(k) if opts.key?(k) }
+    before :verify_token, opts.merge(:with => [with])
+  end
+
+  # controller instance methods
+
+  def authenticity_token
+    token_name = @protection_options[:token_name].to_s
+    if @protection_options[:secret]
+      { :name => token_name, :value => token_from_session_id }.to_mash
+    elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
+      { :name => token_name, :value => token_from_cookie_session }.to_mash
+    elsif session.nil?
+      raise Merb::ControllerExceptions::InvalidAuthenticityToken, "Forgery Protection requires a valid session. Please disable it or use a valid session."
+    else
+      raise Merb::ControllerExceptions::InvalidAuthenticityToken, "No :secret given. Set that or use a session store capable of generating its own keys (Cookie Session Store)."
+    end      
+  end
+
+  def protect_against_forgery?
+    @protection_options && @protection_options[:enable]
+  end
+
+  private
+  
+  def verify_token(opts = {})
+    @protection_options ||= Merb::Plugins.config[:merb_forgery_protection].update(opts)
+    verified_request? || raise(Merb::ControllerExceptions::InvalidAuthenticityToken)
+  end
+
+  def verified_request?
+    request.method == :get ||
+    !@protection_options[:enable] ||
+    ![:html,:js].include?(content_type) ||
+    params[@protection_options[:token_name]] == authenticity_token
+  end
+
+  def token_from_session_id
+    if @protection_options[:secret].respond_to?(:call)
+      key = @protection_options[:secret].call(session)
+    else
+      key = @protection_options[:secret]
+    end
+    digest = @protection_options[:digest]
+    session_id = cookies[_session_id_key]
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session_id)
+  end
+
+  def token_from_cookie_session
+    session[:csrf_id] ||= rand_uuid
+    session.dbman.generate_digest(session[:csrf_id])
+  end
+end

data/lib/merb_forgery_protection/form_helpers.rb

@@ -0,0 +1,57 @@
+module Merb::Helpers::Form
+
+  # Generates a form tag, which accepts a block that is not directly based on resource attributes
+  # 
+  #     <% form_tag(:action => url(:controller => "foo", :action => "bar", :id => 1)) do %>
+  #       <%= text_field :name => 'first_name', :label => 'First Name' %>
+  #       <%= submit_button 'Create' %>
+  #     <% end %>
+  #
+  # The HTML generated for this would be:
+  #
+  #     <form action="/foo/bar/1" method="post">
+  #       <label for="first_name">First Name</label><input id="first_name" name="first_name" size="30" type="text" />
+  #       <input name="commit" type="submit" value="Create" />
+  #     </form>
+  def form_tag(attrs = {}, &block)
+    set_multipart_attribute!(attrs)
+    fake_form_method = set_form_method(attrs)
+    concat(open_tag("form", attrs), block.binding)
+    concat(generate_fake_form_method(fake_form_method), block.binding) if fake_form_method        
+    concat(capture(&block), block.binding)
+    concat(token_field, block.binding) if attrs[:method] == :post
+    concat("</form>", block.binding)
+  end
+  
+  # Generates a resource specific form tag which accepts a block, this also provides automatic resource routing.
+  #     <% form_for :person, :action => url(:people) do %>
+  #       <%= text_control :first_name, :label => 'First Name' %>
+  #       <%= text_control :last_name,  :label => 'Last Name' %>
+  #       <%= submit_button 'Create' %>
+  #     <% end %>
+  #
+  # The HTML generated for this would be:
+  #
+  #     <form action="/people/create" method="post">
+  #       <label for="person[first_name]">First Name</label><input id="person_first_name" name="person[first_name]" size="30" type="text" />
+  #       <label for="person[last_name]">Last Name</label><input id="person_last_name" name="person[last_name]" size="30" type="text" />
+  #       <input name="commit" type="submit" value="Create" />
+  #     </form>
+  def form_for(obj, attrs={}, &block)
+    set_multipart_attribute!(attrs)
+    obj = obj_from_ivar_or_sym(obj)
+    fake_form_method = set_form_method(attrs, obj)
+    concat(open_tag("form", attrs), block.binding)
+    concat(generate_fake_form_method(fake_form_method), block.binding) if fake_form_method
+    fields_for(obj, attrs, &block)
+    concat(token_field, block.binding) if attrs[:method] == :post
+    concat("</form>", block.binding)
+  end
+  
+  private
+
+  def token_field
+    return '' if !protect_against_forgery?
+    hidden_field(:name => authenticity_token[:name], :value => authenticity_token[:value])
+  end
+end

data/lib/merb_forgery_protection/merbtasks.rb

@@ -0,0 +1,6 @@
+namespace :merb_forgery_protection do
+  desc "Do something for merb_forgery_protection"
+  task :default do
+    puts "merb_forgery_protection doesn't do anything"
+  end
+end

data/spec/merb_forgery_protection_spec.rb

@@ -0,0 +1,7 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+describe "merb_forgery_protection" do
+  it "should do nothing" do
+    true.should == true
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+$TESTING=true
+$:.push File.join(File.dirname(__FILE__), '..', 'lib')

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification 
+name: bchiu-merb_forgery_protection
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Ben Chiu
+autorequire: merb_forgery_protection
+bindir: bin
+cert_chain: []
+
+date: 2008-06-02 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: merb
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.9.0
+    version: 
+description: Merb plugin that provides forgery protection against css attacks
+email: bchiu@yahoo.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- LICENSE
+- TODO
+files: 
+- LICENSE
+- README
+- Rakefile
+- TODO
+- lib/merb_forgery_protection
+- lib/merb_forgery_protection/forgery_protection.rb
+- lib/merb_forgery_protection/form_helpers.rb
+- lib/merb_forgery_protection/merbtasks.rb
+- lib/merb_forgery_protection.rb
+- spec/merb_forgery_protection_spec.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/bchiu/merb_forgery_protection
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.0.1
+signing_key: 
+specification_version: 2
+summary: Merb plugin that provides forgery protection against css attacks
+test_files: []
+