cuba-csrf 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ae35f030c53ae173c8271c445993701b070d7565
+  data.tar.gz: 5b686325d6e707461182e3be78c57b4f41b9fa84
+SHA512:
+  metadata.gz: 19fe159769620cb10305d0c2bd2c7b729ddd5d1bcea8ea8c8eaa2a5f4d1e7f583ecb69dd6abb5f45ded7fd45d8dff7031741825a00a90cbffa925d8936d5469c
+  data.tar.gz: 6e60f4477fcc17a4ab6ad57db483c5d1c241ff3a4eb59eb5b375157d3547fafa05a0b5751902ac0d8ac0597710dc47e94f6483cbb1fa491362491ba4a917afa6

data/.gems

@@ -0,0 +1,3 @@
+cuba -v 3.3.0
+cutest -v 1.2.2
+rack-test -v 0.6.3

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2015-Present Francesco Rodríguez, Mayn Kjær
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,91 @@
+cuba-csrf
+=========
+
+[Cross-Site Request Forgery][csrf] protection for Cuba applications.
+
+Description
+-----------
+
+This library adopts the [Synchronizer Token][pattern] pattern.
+
+This scheme protects the application by including a token in the
+HTML forms of your application. This token is stored as a random
+string in the user's current session. When a request reaches the
+application, it verifies the received token with the token in the
+session. This scheme ensures that the user actually intended to
+submit the desired requests.
+
+By default, `GET` and `HEAD` requests are not protected since they
+don't have side effects like writing to the database and don't leak
+sensitive information.
+
+Usage
+-----
+
+To enable `Cuba::CSRF`, do:
+
+```ruby
+require "cuba"
+require "cuba/csrf"
+
+Cuba.plugin(Cuba::CSRF)
+
+Cuba.define do
+  begin
+    protect_from_forgery!
+  rescue Cuba::CSRF::InvalidToken
+    # In this case, if the verification fails
+    # we want to reset user's session.
+    session.clear
+
+    res.status = 403
+    res.write("Not Authorized")
+    halt(res.finish)
+  end
+end
+```
+
+Then, use the `csrf_tag` helper method to include
+the security token in your HTML forms:
+
+```html
+<form action="/account/delete" method="post">
+  {{ csrf_tag }}
+</form>
+```
+
+BREACH
+------
+
+BREACH is a security exploit against HTTPS when using [HTTP compression][compression]
+(GZIP/DEFLATE). This means that if your page is **served with HTTP compression
+enabled** and **reflects user input**, an attacker can recover sensitive data
+from an HTTP response body (e.g. a CSRF token).
+
+There are two effective ways to mitigate BREACH: disable
+HTTP compression or randomize secrets per request.
+
+If it's possible, disable HTTP compression. In Nginx, you can use
+the `gzip off` directive.
+
+This plugin doesn't generate or mask CSRF tokens per request. This means
+that if you plan to use HTTP compression, your application might be vulnerable
+to BREACH.
+
+We designed this library to fit our use case. We don't have HTTP compression
+enabled because we also have other sensitive information apart from the CSRF
+tokens that would require additional masking. Maybe we will add support for
+masking tokens per request in the future.
+
+For more information about BREACH, see <http://breachattack.com>.
+
+Installation
+------------
+
+```
+$ gem install cuba-csrf
+```
+
+[compression]: https://en.wikipedia.org/wiki/HTTP_compression
+[csrf]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
+[pattern]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

data/cuba-csrf.gemspec

@@ -0,0 +1,15 @@
+Gem::Specification.new do |s|
+  s.name = "cuba-csrf"
+  s.version = "0.0.1"
+  s.summary = "CSRF protection for Cuba applications."
+  s.description = s.summary
+  s.authors = ["Francesco Rodríguez", "Mayn Kjær"]
+  s.email = ["frodsan@me.com", "mayn.kjaer@gmail.com"]
+  s.homepage = "https://github.com/harmoni/cuba-csrf"
+  s.license = "MIT"
+
+  s.files = `git ls-files`.split("\n")
+
+  s.add_dependency "cuba"
+  s.add_development_dependency "cutest"
+end

data/lib/cuba/csrf.rb

@@ -0,0 +1,22 @@
+require "cuba"
+require "securerandom"
+
+module Cuba::CSRF
+  InvalidToken = Class.new(StandardError)
+
+  def protect_from_forgery!
+    raise InvalidToken unless _csrf_safe?
+  end
+
+  def csrf_token
+    session[:csrf_token] ||= SecureRandom.base64(32)
+  end
+
+  def csrf_tag
+    %Q(<input type="hidden" name="csrf_token" value="#{csrf_token}">)
+  end
+
+  def _csrf_safe?
+    req.get? || req.head? || req[:csrf_token] == csrf_token
+  end
+end

data/makefile

@@ -0,0 +1,8 @@
+DEFAULT_GOAL := test
+.PHONY: test
+
+gem:
+	gem build cuba-csrf.gemspec
+
+test:
+	cutest test/*.rb

data/test/csrf.rb

@@ -0,0 +1,142 @@
+require "cutest"
+require "cuba"
+require "cuba/test"
+require_relative "../lib/cuba/csrf"
+
+def assert_no_raise
+  yield
+  success
+end
+
+scope do
+  setup do
+    Cuba.reset!
+
+    Cuba.use(Rack::Session::Cookie, secret: "_this_must_be_secret")
+    Cuba.plugin(Cuba::CSRF)
+  end
+
+  test "safe http methods" do
+    Cuba.define do
+      protect_from_forgery!
+
+      on default do
+        res.write("safe")
+      end
+    end
+
+    assert_no_raise do
+      get  "/"
+      head "/"
+    end
+  end
+
+  test "invalid csrf param" do
+    Cuba.define do
+      protect_from_forgery!
+    end
+
+    assert_raise(Cuba::CSRF::InvalidToken) do
+      post "/", "csrf_token" => nil
+    end
+
+    assert_raise(Cuba::CSRF::InvalidToken) do
+      post "/", "csrf_token" => ""
+    end
+
+    assert_raise(Cuba::CSRF::InvalidToken) do
+      post "/", "csrf_token" => "nonsense"
+    end
+  end
+
+  test "valid csrf param" do
+    Cuba.define do
+      protect_from_forgery!
+
+      on get do
+        res.write(csrf_token)
+      end
+
+      on post do
+        res.write("safe")
+      end
+    end
+
+    get "/"
+
+    csrf_token = last_response.body
+
+    assert(!csrf_token.empty?)
+
+    assert_no_raise do
+      post "/", "csrf_token" => csrf_token
+    end
+  end
+
+  test "sub app raises too" do
+    class App < Cuba
+      define do
+        on post do
+          res.write("unsafe")
+        end
+      end
+    end
+
+    Cuba.define do
+      protect_from_forgery!
+
+      on "app" do
+        run(App)
+      end
+    end
+
+    assert_raise(Cuba::CSRF::InvalidToken) do
+      post "/app"
+    end
+  end
+
+  test "only sub app" do
+    class App < Cuba
+      define do
+        protect_from_forgery!
+
+        on post do
+          res.write("unsafe")
+        end
+      end
+    end
+
+    Cuba.define do
+      on "app" do
+        run(App)
+      end
+
+      on default do
+        res.write("safe")
+      end
+    end
+
+    assert_no_raise do
+      post "/"
+    end
+
+    assert_raise(Cuba::CSRF::InvalidToken) do
+      post "/app"
+    end
+  end
+
+  test "html helpers" do
+    Cuba.plugin(Cuba::CSRF)
+
+    class Api < Cuba
+      def session
+        @session ||= {}
+      end
+    end
+
+    api = Api.new
+    csrf_tag = %Q(<input type="hidden" name="csrf_token" value="#{api.csrf_token}">)
+
+    assert_equal(csrf_tag, api.csrf_tag)
+  end
+end

metadata

@@ -0,0 +1,81 @@
+--- !ruby/object:Gem::Specification
+name: cuba-csrf
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Francesco Rodríguez
+- Mayn Kjær
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-01-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cuba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cutest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: CSRF protection for Cuba applications.
+email:
+- frodsan@me.com
+- mayn.kjaer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gems"
+- LICENSE
+- README.md
+- cuba-csrf.gemspec
+- lib/cuba/csrf.rb
+- makefile
+- test/csrf.rb
+homepage: https://github.com/harmoni/cuba-csrf
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: CSRF protection for Cuba applications.
+test_files: []