couchrest_session_store 0.0.9 → 0.1.0

data/lib/couchrest_session_store.rb

@@ -51,7 +51,7 @@ class CouchRestSessionStore < ActionDispatch::Session::AbstractStore
 
   def get_session(env, sid)
     if sid
-      doc = database.get(sid)
+      doc = secure_get(sid)
       session = self.class.unmarshal(doc["data"])
       [sid, session]
     else
@@ -69,21 +69,27 @@ class CouchRestSessionStore < ActionDispatch::Session::AbstractStore
   end
 
   def destroy_session(env, sid, options)
-    doc = database.get(sid)
+    doc = secure_get(sid)
     database.delete_doc(doc)
     options[:drop] ? nil : generate_sid
   rescue RestClient::ResourceNotFound
     # already destroyed - we're done.
   end
 
-
   def build_or_update_doc(sid, data)
-    doc = database.get(sid)
+    doc = secure_get(sid)
     doc["data"] = data
     return doc
   rescue RestClient::ResourceNotFound
     return CouchRest::Document.new "_id" => sid, "data" => data
   end
 
+  # prevent access to design docs
+  # this should be prevented on a couch permission level as well.
+  # but better be save than sorry.
+  def secure_get(sid)
+    raise RestClient::ResourceNotFound if /^_design\/(.*)/ =~ sid
+    database.get(sid)
+  end
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: couchrest_session_store
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-09 00:00:00.000000000 Z
+date: 2013-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: couchrest