breach-mitigation-rails 0.0.2 → 0.0.3

data/.rspec

@@ -0,0 +1 @@
+--color

data/README.md

@@ -22,12 +22,6 @@ prevent plaintext recovery, but it can slow the attack and it's
 relatively inexpensive to implement. Unlike the CSRF token masking,
 length hiding protects the entire page body from recovery.
 
-In addition to these mitigations, you should check out Twitter's
-[secure_headers](https://github.com/twitter/secureheaders) gem.
-Setting the X-Frame-Options header can make it harder for an attacker
-to carry out this attack (by making it impossible to put your site in
-an iframe).
-
 ## Warning!
 
 BREACH and CRIME are **complicated and wide-ranging attacks**, and this

data/breach-mitigation-rails.gemspec

@@ -19,5 +19,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rspec"
   spec.add_development_dependency "rake"
 end

data/lib/breach_mitigation/length_hiding.rb

@@ -39,9 +39,9 @@ module BreachMitigation
       # data itself doesn't need to be strongly random; it just needs
       # to be resistant to compression
       length = SecureRandom.random_number(MAX_LENGTH)
-      junk = ALPHABET.sample(length).join
+      junk = (0...length).inject("") { |junk| junk << ALPHABET[rand(ALPHABET.size)] }
 
-      "\n<!-- This is a random-length HTML comment: #{junk} -->"
+      "\n<!-- This is a random-length HTML comment: #{junk} -->".html_safe
     end
   end
 end

data/lib/breach_mitigation/masking_secrets.rb

@@ -19,7 +19,11 @@ module BreachMitigation
       def valid_authenticity_token?(session, encoded_masked_token)
         return false if encoded_masked_token.nil? || encoded_masked_token.empty?
 
-        masked_token = Base64.strict_decode64(encoded_masked_token)
+        begin
+          masked_token = Base64.strict_decode64(encoded_masked_token)
+        rescue ArgumentError # encoded_masked_token is invalid Base64
+          return false
+        end
 
         # See if it's actually a masked token or not. In order to
         # deploy this code, we should be able to handle any unmasked

data/lib/breach_mitigation/railtie.rb

@@ -4,7 +4,7 @@ require 'breach_mitigation/masking_secrets'
 module BreachMitigation
   class Railtie < Rails::Railtie
     initializer "breach-mitigation-rails.insert_middleware" do |app|
-      app.config.middleware.use "BreachMitigation::LengthHiding"
+      app.config.middleware.insert_before 'Rack::ETag', "BreachMitigation::LengthHiding"
     end
   end
 end

data/lib/breach_mitigation/version.rb

@@ -1,3 +1,3 @@
 module BreachMitigation
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

data/spec/length_hiding_spec.rb

@@ -0,0 +1,17 @@
+require "spec_helper"
+require "breach_mitigation/length_hiding"
+
+describe BreachMitigation::LengthHiding do
+  let(:length_hiding) { BreachMitigation::LengthHiding.new(double()) }
+
+  describe "#random_html_comment" do
+    it "should have different lengths on different runs" do
+      lengths = []
+      10.times do
+        random_comment = length_hiding.send(:random_html_comment)
+        lengths << random_comment.size
+      end
+      lengths.uniq.size.should > 1
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'breach-mitigation-rails'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

metadata

@@ -2,14 +2,14 @@
 name: breach-mitigation-rails
 version: !ruby/object:Gem::Version
   prerelease: 
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Bradley Buda
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-08-03 00:00:00.000000000 Z
+date: 2013-08-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   version_requirements: !ruby/object:Gem::Requirement
@@ -27,6 +27,22 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.3'
     none: false
+- !ruby/object:Gem::Dependency
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
+  name: rspec
+  type: :development
+  prerelease: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+    none: false
 - !ruby/object:Gem::Dependency
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -51,6 +67,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .rspec
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -61,6 +78,8 @@ files:
 - lib/breach_mitigation/masking_secrets.rb
 - lib/breach_mitigation/railtie.rb
 - lib/breach_mitigation/version.rb
+- spec/length_hiding_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/meldium/breach-mitigation-rails
 licenses:
 - MIT
@@ -87,5 +106,7 @@ signing_key:
 specification_version: 3
 summary: Uses length-hiding and CSRF token masking to make it more difficult for an
   attacker to recover plaintext from HTTP responses. See README.md for details.
-test_files: []
+test_files:
+- spec/length_hiding_spec.rb
+- spec/spec_helper.rb
 has_rdoc: