cookiefilter 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 661342b71d73b5849ad89f06d046a5fceec8d011
+  data.tar.gz: 0eae238747a3364560084e7e3173bf2d5de0a3b6
+SHA512:
+  metadata.gz: b01b281d624b06c45693b36fa0e363336ec1be8d65b0cda7cf3b0c33735cc8db149fe9b3d2650a770df0c089f0ead44bfe9996c81a63074bb2922f47012b1790
+  data.tar.gz: 92aaac588a58bacbf263c5e80d3b3cd1abe827df47387c32c5e79173e750bfbbbec93ac35badc01c8504e790f876ddb83a3dc3e48bccf48181c2241d5ef45357

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 Stefan Wallin
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,93 @@
+ [![Build Status](https://travis-ci.org/StefanWallin/cookiefilter-rails.svg?branch=master)](https://travis-ci.org/StefanWallin/cookiefilter-rails)
+# Cookiefilter
+Cookie Filter uses a developer defined safelist of allowed cookies and their
+values to filter cookies that are not allowed by the safelist configuration. 
+This gem filters both incoming cookies from the browser and what cookies can 
+be set from rails. I want to thank MittMedia DMU for allowing me to open source 
+this piece of code. We are always looking for new developers ;).
+
+## When would I use this?
+- If you want to be on top of what data is allowed to be passed to your server.
+- If you have third party code executing on your first party domain(ads) that set
+  arbitrary cookies.
+- If your amount and size of cookies can run out of control and exceed the http
+  header limit of 8186 bytes. (At which time certain cloud providers simply
+  interpret that request as an attack and serves back a white page)
+- If you're already running mod_security or similar web firewalls and need to
+  complement with cookie filtering.
+  
+## Performance
+Measurment has shown that this filter adds less than 1ms per request.
+
+This library has been in production on sites with 5 million weekly pageviews
+for 2 years before being packaged as a gem and open sourced.
+
+*This gem package has not been tested in production.*
+
+## Getting started
+Install the [cookiefilter](http://rubygems.org/StefanWallin/cookiefilter) gem;
+or add it to your Gemfile with bundler:
+
+Add this line to your application's `Gemfile`:
+```ruby
+gem 'cookiefilter'
+```
+
+And then execute:
+```bash
+$ bundle install
+```
+
+Tell your app to use the Cookiefilter middleware.
+For Rails 4+ apps:
+
+```ruby
+# In config/application.rb
+config.middleware.use Cookiefilter
+```
+
+Add a `cookiefilter.rb` file to `config/initializers/`:
+```ruby
+# In config/initializers/cookiefilter.rb
+class Cookiefilter
+  def self.safelist
+    # This is an array of hashes. It serves as a living documentation of our
+    # allowed cookies and their format. Need help with regex? Visit this site:
+    # http://rubular.com/
+
+    # Each hash in the array is per cookie with the following format:
+    #   description: Human readable string of what/who this cookie pertains.
+    #   key: A regex that matches the name of the cookie or cookies matching
+    #        the above description.
+    #   value: A regex that validates the content of the cookie, if the regex
+    #          is nil, no validation is done.
+    #   sacred: This is a boolean indicating that this cookie are not to be
+    #           removed to decrease the overall size of cookies per domain.
+    #           It will however be removed in second run if no other options
+    #           are left.
+    [
+      {
+        description: 'Rails Session Cookie',
+        key: /\Aproject_name_session\z/,
+        value: nil,
+        sacred: true
+      }
+    ]
+  end
+end
+```
+
+**Then restart your rails server.**
+
+Happy filtering!
+
+## License
+The gem is available as open source under the terms of the
+[MIT License](http://opensource.org/licenses/MIT).
+
+## Contribute
+All contributions are welcome, issues and PR's.
+Make sure tests pass by running them like so:
+```ruby
+rake test
+```

data/Rakefile

@@ -0,0 +1,33 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Cookiefilter'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/lib/cookiefilter.rb

@@ -0,0 +1,172 @@
+require 'cookiefilter/utils'
+require 'cookiefilter/rules'
+require 'cookiefilter/errors'
+require 'cookiefilter/validator'
+
+class Cookiefilter
+  class << self
+    def filter_request_cookies(http_cookie)
+      # Flag by replacing with cookie emoji(\u{1F36a}) as a token to identify
+      # and invalidate cookies later on in is_valid_cookie!
+      cookies = Cookiefilter::Utils.sanitize_utf8_string(
+        http_cookie,
+        Cookiefilter::Rules::DISALLOWED_CHARS,
+        Cookiefilter::Rules::INVALID_TOKEN
+      )
+      cookies = Cookiefilter::Utils.parse_request_cookies(cookies)
+      delete, keep = Cookiefilter.validate_request_cookies(cookies)
+      header = Cookiefilter::Utils.construct_request_header(keep)
+      { delete: delete, keep: keep, header: header.strip }
+    end
+
+    def filter_response_cookies(host, response_header, response_cookies)
+      keep, delete1 = response_cookies[:keep], response_cookies[:delete]
+      cookies = Cookiefilter::Utils.parse_set_cookie_header(response_header)
+      set, delete2 = Cookiefilter.validate_response_cookies(cookies)
+      cookies = Cookiefilter.merge_keep_and_set(keep, set)
+      cookies = Cookiefilter.sort_by_size(cookies)
+      keepers, limited = Cookiefilter.maintain_limits(cookies)
+      set = Cookiefilter.filter_out_keepers(keepers)
+      deleted = Cookiefilter.delete_cookies(delete1 + delete2, limited)
+      Cookiefilter::Utils.construct_response_header(host, deleted + set)
+    end
+
+    def validate_request_cookies(cookies)
+      cookies_to_keep = cookies.select do |cookie|
+        is_valid_cookie!(cookie)
+      end
+      cookies_to_delete = cookies.reject do |cookie|
+        is_valid_cookie!(cookie)
+      end
+      [cookies_to_delete, cookies_to_keep]
+    end
+
+    def validate_response_cookies(cookies)
+      cookies_to_set, cookies_to_delete = [], []
+      cookies.each do |cookie|
+        if is_valid_cookie!(cookie)
+          cookies_to_set << cookie
+        else
+          cookies_to_delete << cookie
+        end
+      end
+      [cookies_to_set, cookies_to_delete]
+    end
+
+    def delete_cookies(blocked, limited)
+      blocked.each do |cookie|
+        delete(cookie)
+      end
+      limited.each do |cookie|
+        delete(cookie)
+      end
+      blocked + limited
+    end
+
+    def delete(cookie)
+      cookie[:options] = ' max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000;'
+      cookie[:value] = 'unset'
+      cookie
+    end
+
+    def merge_keep_and_set(keep, set)
+      keep.each do |keeper|
+        keeper[:type] = :keep
+      end
+      set.each do |setter|
+        setter[:type] = :set
+      end
+      return keep + set
+    end
+
+    def maintain_limits(sized_cookies, kept_large = [], limited = [])
+      if Cookiefilter.cookie_size_too_large?(kept_large, sized_cookies)
+        removed = sized_cookies.shift if sized_cookies.count > 0
+        removed = kept_large.shift if removed.nil?
+        if removed[:sacred] && sized_cookies.count > 0
+          kept_large.push(removed)
+        else
+          limited.push(removed)
+        end
+        return Cookiefilter.maintain_limits(sized_cookies, kept_large, limited)
+      else
+        return [kept_large + sized_cookies, limited]
+      end
+    end
+
+    def filter_out_keepers(keepers)
+      keepers.select { |keeper| keeper[:type] == :set }
+    end
+
+    def sort_by_size(cookies)
+      cookies.sort! do |a, b|
+        b[:size] <=> a[:size]
+      end
+    end
+
+    def total_cookie_size(keep, set)
+      @size = 0
+      keep.each do |cookie|
+        @size += cookie[:size]
+      end
+      set.each do |cookie|
+        @size += cookie[:size]
+      end
+    end
+
+    def cookie_size_too_large?(keep, set)
+      Cookiefilter.total_cookie_size(keep, set)
+      @size >= Cookiefilter::Rules::COOKIE_DOMAIN_LIMIT
+    end
+
+    # This method will regex-check both key and value for
+    # this cookie against all safelisted cookies until match
+    # is found.
+    #   If a valid match is found, true is returned
+    #   Otherwise false is returned.
+
+    def is_valid_cookie!(cookie)
+      return false if "#{cookie[:key]}=#{cookie[:value]}".bytesize > Cookiefilter::Rules::COOKIE_LIMIT
+      return false if /[\u{1F36A}]/.match(cookie[:value])
+      Cookiefilter::Rules::safelist.each do |allowed_cookie|
+        if allowed_cookie[:key].match(cookie[:key])
+          regex = allowed_cookie[:value]
+
+          # Set sacred attribute
+          cookie[:sacred] = allowed_cookie[:sacred]
+
+          # Cookies with nil as value-regex, pass validation.
+          return true if regex.nil?
+
+          return true if regex.match(cookie[:value])
+
+          # Not matching value regex, fail validation.
+          return false
+        end
+      end
+      # Unknown cookie. Log this and fail
+      false
+    end
+  end # end class methods
+
+  def initialize(app)
+    Cookiefilter::Validator.validate_safelist(Cookiefilter::Rules.safelist)
+    @app = app
+    @size = 0
+  end
+
+  # entry point, executes directly after initialize
+  def call(env)
+    result = Cookiefilter.filter_request_cookies(env['HTTP_COOKIE'])
+    env['HTTP_COOKIE'] = result[:header]
+    status, headers, body = @app.call(env)
+    response = Rack::Response.new body, status, headers
+    header = Cookiefilter.filter_response_cookies(
+      env['HTTP_HOST'],
+      response.header['Set-Cookie'],
+      result
+    )
+    response.header['Set-Cookie'] = header
+    response.finish
+  end
+end

data/lib/cookiefilter/errors.rb

@@ -0,0 +1,15 @@
+class Cookiefilter::SafelistMissingError < StandardError
+  def message
+    'Please define your cookie safelist as documented in Readme and then\
+     restart your rails server.'
+  end
+  def backtrace
+    []
+  end
+end
+
+class Cookiefilter::MalformedSafelistError < StandardError
+  def backtrace
+    []
+  end
+end

data/lib/cookiefilter/rules.rb

@@ -0,0 +1,22 @@
+class Cookiefilter::Rules
+  COOKIE_DOMAIN_LIMIT = 8186
+  COOKIE_LIMIT = 4093
+  DISALLOWED_CHARS = [
+    "\192", "\193", "\245", "\246", "\247", "\248", "\249",
+    "\250", "\251", "\252", "\253", "\254", "\255"
+  ]
+  INVALID_TOKEN = "\u{1F36A}"
+
+
+  def self.method_missing(m, *args, &block)
+    if m.to_sym == :safelist
+      raise Cookiefilter::SafelistMissingError
+    else
+      raise ArgumentError.new("Method `#{m}` doesn't exist.")
+    end
+  end
+
+  def self.respond_to?(method_name, include_private = false)
+    method_name.to_sym == :safelist || super
+  end
+end

data/lib/cookiefilter/utils.rb

@@ -0,0 +1,66 @@
+require 'cookiefilter/errors'
+
+class Cookiefilter::Utils
+  class << self
+    def sanitize_utf8_string(cookie_string, banned_chars, replace_char)
+      result = ''
+      # blank? can'd handle broken utf-8 characters.
+      return result if cookie_string.nil?
+      cookie_string.each_char do |char|
+        if banned_chars.include? char
+          result << replace_char
+        else
+          result << char
+        end
+      end
+      result
+    end
+
+    def parse_request_cookies(cookie_string)
+      cookies = []
+      return cookies if cookie_string.blank?
+      cookie_strings = cookie_string.split(';')
+      cookie_strings.each do |cookie|
+        key, value = cookie.strip.split('=', 2)
+        cookies << { key: key, value: value, size: "#{key}=#{value}; ".bytesize }
+      end
+      cookies
+    end
+
+    def parse_set_cookie_header(header)
+      cookies = []
+      return cookies if header.blank?
+      header_cookies = header.split("\n")
+      header_cookies.each do |cookie|
+        key, rest = cookie.strip.split('=', 2)
+        value, options = rest.strip.split(';', 2)
+        options = '' if options.nil?
+        size = "#{key}=#{value}; ".bytesize
+        cookies << { key: key, value: value, options: options, size: size }
+      end
+      cookies
+    end
+
+    def construct_request_header(cookies_to_keep)
+      http_cookie = ''
+      cookies_to_keep.each do |cookie|
+        http_cookie << "#{cookie[:key]}=#{cookie[:value]}; "
+      end
+      #  Chopping last ';' since headers does not expect it.
+      http_cookie.strip.chomp(';')
+    end
+
+    def construct_response_header(host, set)
+      http_cookies = []
+      naked_host = host.sub!(/\Awww\./, '')
+      set.each do |cookie|
+        http_cookies << "#{cookie[:key]}=#{cookie[:value]};#{cookie[:options]}"
+        if cookie[:value] == 'unset'
+          http_cookies << "#{cookie[:key]}=#{cookie[:value]};Domain=.#{naked_host};#{cookie[:options]}"
+          http_cookies << "#{cookie[:key]}=#{cookie[:value]};Domain=www.#{naked_host};#{cookie[:options]}"
+        end
+      end
+      http_cookies.join("\n")
+    end
+  end
+end

data/lib/cookiefilter/validator.rb

@@ -0,0 +1,69 @@
+class Cookiefilter::Validator
+  class << self
+    def validate_safelist(safelist)
+      err = Cookiefilter::MalformedSafelistError
+      Cookiefilter::Validator.validate_array(err, safelist)
+
+      safelist.each_index do |index|
+        obj = safelist[index]
+        Cookiefilter::Validator.validate_hash(err, index, obj)
+        Cookiefilter::Validator.validate_keys(err, index, obj)
+        Cookiefilter::Validator.validate_description(err, index, obj)
+        Cookiefilter::Validator.validate_key(err, index, obj)
+        Cookiefilter::Validator.validate_value(err, index, obj)
+        Cookiefilter::Validator.validate_sacred(err, index, obj)
+      end
+      true
+    end
+
+    def validate_array(err, list)
+      raise err, 'safelist method does not return Array' if list.class != Array
+    end
+
+    def validate_hash(err, index, obj)
+      if obj.class != Hash
+        raise err, "safelist child with index #{index}: Is not an Hash Object"
+      end
+    end
+
+    def validate_keys(err, index, obj)
+      %w(description key value sacred).each do |key|
+        unless obj.has_key?(key.to_sym)
+          raise err, "safelist child with index #{index}: Missing key :#{key}"
+        end
+      end
+    end
+
+    def validate_description(err, index, obj)
+      description = obj[:description]
+      if description.class != String
+        return raise err, "safelist child with index #{index}: ':description' \
+          must be of class String, got #{description.class}"
+      end
+    end
+
+    def validate_key(err, index, obj)
+      key = obj[:key]
+      if key.class != Regexp
+        return raise err, "safelist child with index #{index}: ':key' \
+          must be of class Regexp, got #{key.class}"
+      end
+    end
+
+    def validate_value(err, index, obj)
+      value = obj[:value]
+      if value.class != Regexp && value.class != NilClass
+        return raise err, "safelist child with index #{index}: ':value' \
+          must be of class Regexp or NilClass, got #{value.class}"
+      end
+    end
+
+    def validate_sacred(err, index, obj)
+      sacred = obj[:sacred]
+      if obj[:sacred].class != TrueClass && obj[:sacred].class != FalseClass
+        return raise err, "safelist child with index #{index}: ':sacred' \
+          must be of class TrueClass or FalseClass, got #{sacred.class}"
+      end
+    end
+  end
+end

data/lib/cookiefilter/version.rb

@@ -0,0 +1,3 @@
+class Cookiefilter
+  VERSION = '1.0.0'
+end

data/lib/tasks/cookiefilter_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :cookiefilter do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,99 @@
+--- !ruby/object:Gem::Specification
+name: cookiefilter
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Stefan Wallin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-11-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.3
+- !ruby/object:Gem::Dependency
+  name: faker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |-
+  Cookie Filter uses a developer defined whitelist of \
+                    allowed cookies and their values to filter cookies that do \
+                    not live up to the standard.
+email:
+- cookiefilter@stefan-wallin.se
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/cookiefilter.rb
+- lib/cookiefilter/errors.rb
+- lib/cookiefilter/rules.rb
+- lib/cookiefilter/utils.rb
+- lib/cookiefilter/validator.rb
+- lib/cookiefilter/version.rb
+- lib/tasks/cookiefilter_tasks.rake
+homepage: https://github.com/StefanWallin/cookiefilter
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Whitelist your users cookies for your domain.
+test_files: []