cuba-csrf 0.0.2 → 0.0.3

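--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 94e98c48283db2c21543133020a4c7e1bb6a13d1
-data.tar.gz: 412e34ab4a7759974478bfb6fdc24de8a09f44ff
+metadata.gz: e90068b1138f718ffb414569573232216f4a5f87
+data.tar.gz: aa11d64ba6805e470a61650b7cf0165c49235a26
 SHA512:
-metadata.gz: 6cc9730a59a1f11814b6cc035f988402919af9339cf597c6c54c08eb9bd5f3ee7908b67bb4fdbb6be91dba03662d2adf10aa3f208aa306eccd7595ac9b33ccb3
-data.tar.gz: 139fde650e30b59734b81ee0f925c202806919b1de39ed0cf242797ddebe78d242cbe155a0be3941040b08260aabcae38c8dd1d90e4739929ab6318256438716
+metadata.gz: cf0209f12ee25accc870ad7e8fb05830e9d46d7c65d7755851154f7d5930ef079cf31f4c75b558646cc108e9250d7051d2215b0dbf02ba678450c08079526bac
+data.tar.gz: 85537a9e17c131a9afa899d8dd7b1d65f02c30e157f02cc63e6ae7f5a1a74f43dd2b35500de439aee0f3d9e1672371dac5a63e35640697e23bfbe2625b6d30a5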
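--- a/data/LICENSE
+++ b/data/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-Present Francesco Rodríguez, Mayn Kjær
+Copyright (c) 2015-Present Harmoni LLC
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal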
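--- a/data/README.md
+++ b/data/README.md
@@ -31,7 +31,7 @@ require "cuba/csrf"
 Cuba.plugin(Cuba::CSRF)
 
 Cuba.define do
-unless csrf_safe?
+on !csrf_safe? do
 session.clear
 
 res.status = 403
@@ -64,9 +64,22 @@ HTTP compression or randomize secrets per request.
 If it's possible, disable HTTP compression. In Nginx, you can use
 the `gzip off` directive.
 
-This plugin doesn't generate or mask CSRF tokens per request. This means
-that if you plan to use HTTP compression, your application might be vulnerable
-to BREACH.
+By default, this plugin doesn't generate or mask CSRF tokens per request.
+This means that if you plan to use HTTP compression, your application might
+be vulnerable to BREACH. However, generation of new secrets per request
+can be done with:
+
+```ruby
+Cuba.define do
+on !csrf_safe? do
+...
+end
+
+session.delete(:csrf_token)
+
+...
+end
+```
 
 We designed this library to fit our use case. We don't have HTTP compression
 enabled because we also have other sensitive information apart from the CSRF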
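--- a/data/cuba-csrf.gemspec
+++ b/data/cuba-csrf.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = "cuba-csrf"
-s.version = "0.0.2"
+s.version = "0.0.3"
 s.summary = "CSRF protection for Cuba applications."
 s.description = s.summary
 s.authors = ["Francesco Rodríguez", "Mayn Kjær"]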
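--- a/data/lib/cuba/csrf.rb
+++ b/data/lib/cuba/csrf.rb
@@ -3,14 +3,21 @@ require "securerandom"
 
 module Cuba::CSRF
 def csrf_safe?
-req.get? || req.head? || req[:csrf_token] == csrf_token
+req.get? || req.head? ||
+req[:csrf_token] == csrf_token ||
+env["HTTP_X_CSRF_TOKEN"] == csrf_token
 end
 
 def csrf_token
 session[:csrf_token] ||= SecureRandom.base64(32)
 end
 
-def csrf_tag
+def csrf_form_tag
 %Q(<input type="hidden" name="csrf_token" value="#{csrf_token}">)
 end
+alias :csrf_tag :csrf_form_tag
+
+def csrf_meta_tag
+%Q(<meta name="csrf_token" content="#{csrf_token}">)
+end
 end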
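Review bot: Both token checks in csrf_safe? (the param on new line 7 and the new `X-CSRF-Token` header on line 8) compare with `==`, which stops at the first differing byte, so how long the check takes depends on how much of a submitted token is correct; a constant-time comparison is the usual choice when the operand is a secret. Cuba runs on Rack, so `Rack::Utils.secure_compare` should already be loadable; the two lines would become `Rack::Utils.secure_compare(req[:csrf_token].to_s, csrf_token) ||` and `Rack::Utils.secure_compare(env["HTTP_X_CSRF_TOKEN"].to_s, csrf_token)`, where `.to_s` keeps a missing param or header from raising inside the comparison. Separately, csrf_form_tag and csrf_meta_tag interpolate the token into HTML without escaping, which is only sound because SecureRandom.base64 emits nothing outside `A-Z a-z 0-9 + / =`; a comment on csrf_token such as `# base64 alphabet only, so the tag helpers may interpolate it unescaped` would make that dependency explicit.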
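--- a/data/makefile
+++ b/data/makefile
@@ -2,7 +2,7 @@ DEFAULT_GOAL := test
 .PHONY: test
 
 gem:
-gem build cuba-csrf.gemspec
+gem build *.gemspec
 
 test:
 cutest test/*.rb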
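--- a/data/test/csrf.rb
+++ b/data/test/csrf.rb
@@ -69,6 +69,17 @@ scope do
 end
 end
 
+test "http header" do
+csrf_token = SecureRandom.hex(32)
+
+Cuba.define do
+session[:csrf_token] = csrf_token
+raise unless csrf_safe?
+end
+
+post "/", {}, { "HTTP_X_CSRF_TOKEN" => csrf_token }
+end
+
 test "sub app raises too" do
 class App < Cuba
 define do
@@ -131,8 +142,12 @@ scope do
 end
 
 api = Api.new
-csrf_tag = %Q(<input type="hidden" name="csrf_token" value="#{api.csrf_token}">)
 
-assert_equal(csrf_tag, api.csrf_tag)
+csrf_form_tag = %Q(<input type="hidden" name="csrf_token" value="#{api.csrf_token}">)
+csrf_meta_tag = %Q(<meta name="csrf_token" content="#{api.csrf_token}">)
+
+assert_equal(csrf_form_tag, api.csrf_tag)
+assert_equal(csrf_form_tag, api.csrf_form_tag)
+assert_equal(csrf_meta_tag, api.csrf_meta_tag)
 end
 end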
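Review bot: The new "http header" test in the first hunk only exercises the accepting path; nothing checks that a request whose header carries the wrong value is still refused, so a regression that made the header branch of csrf_safe? unconditionally true would pass this suite. A companion case posting `post "/", {}, { "HTTP_X_CSRF_TOKEN" => "wrong" }` against an app body that fails when `csrf_safe?` is true, written the same way the earlier param-mismatch tests (outside this hunk) express rejection, would pin the negative case. The enclosing `scope do` begins before the hunk.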
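--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cuba-csrf
 version: !ruby/object:Gem::Version
-version: 0.0.2
+version: 0.0.3
 platform: ruby
 authors:
 - Francesco Rodríguez
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-01-13 00:00:00.000000000 Z
+date: 2015-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: cuba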