cuba-csrf 0.0.2 → 0.0.3

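--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 94e98c48283db2c21543133020a4c7e1bb6a13d1
-data.tar.gz: 412e34ab4a7759974478bfb6fdc24de8a09f44ff
+metadata.gz: e90068b1138f718ffb414569573232216f4a5f87
+data.tar.gz: aa11d64ba6805e470a61650b7cf0165c49235a26
 SHA512:
-metadata.gz: 6cc9730a59a1f11814b6cc035f988402919af9339cf597c6c54c08eb9bd5f3ee7908b67bb4fdbb6be91dba03662d2adf10aa3f208aa306eccd7595ac9b33ccb3
-data.tar.gz: 139fde650e30b59734b81ee0f925c202806919b1de39ed0cf242797ddebe78d242cbe155a0be3941040b08260aabcae38c8dd1d90e4739929ab6318256438716
+metadata.gz: cf0209f12ee25accc870ad7e8fb05830e9d46d7c65d7755851154f7d5930ef079cf31f4c75b558646cc108e9250d7051d2215b0dbf02ba678450c08079526bac
+data.tar.gz: 85537a9e17c131a9afa899d8dd7b1d65f02c30e157f02cc63e6ae7f5a1a74f43dd2b35500de439aee0f3d9e1672371dac5a63e35640697e23bfbe2625b6d30a5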
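--- a/data/LICENSE
+++ b/data/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-Present Francesco Rodríguez, Mayn Kjær
+Copyright (c) 2015-Present Harmoni LLC
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal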
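--- a/data/README.md
+++ b/data/README.md
@@ -31,7 +31,7 @@ require "cuba/csrf"
 Cuba.plugin(Cuba::CSRF)
 
 Cuba.define do
-unless csrf_safe?
+on !csrf_safe? do
 session.clear
 
 res.status = 403
@@ -64,9 +64,22 @@ HTTP compression or randomize secrets per request.
 If it's possible, disable HTTP compression. In Nginx, you can use
 the `gzip off` directive.
 
-This plugin doesn't generate or mask CSRF tokens per request. This means
-that if you plan to use HTTP compression, your application might be vulnerable
-to BREACH.
+By default, this plugin doesn't generate or mask CSRF tokens per request.
+This means that if you plan to use HTTP compression, your application might
+be vulnerable to BREACH. However, generation of new secrets per request
+can be done with:
+
+```ruby
+Cuba.define do
+on !csrf_safe? do
+...
+end
+
+session.delete(:csrf_token)
+
+...
+end
+```
 
 We designed this library to fit our use case. We don't have HTTP compression
 enabled because we also have other sensitive information apart from the CSRF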
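--- a/data/cuba-csrf.gemspec
+++ b/data/cuba-csrf.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = "cuba-csrf"
-s.version = "0.0.2"
+s.version = "0.0.3"
 s.summary = "CSRF protection for Cuba applications."
 s.description = s.summary
 s.authors = ["Francesco Rodríguez", "Mayn Kjær"]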
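--- a/data/lib/cuba/csrf.rb
+++ b/data/lib/cuba/csrf.rb
@@ -3,14 +3,21 @@ require "securerandom"
 
 module Cuba::CSRF
 def csrf_safe?
-req.get? || req.head? || req[:csrf_token] == csrf_token
+req.get? || req.head? ||
+req[:csrf_token] == csrf_token ||
+env["HTTP_X_CSRF_TOKEN"] == csrf_token
 end
 
 def csrf_token
 session[:csrf_token] ||= SecureRandom.base64(32)
 end
 
-def csrf_tag
+def csrf_form_tag
 %Q(<input type="hidden" name="csrf_token" value="#{csrf_token}">)
 end
+alias :csrf_tag :csrf_form_tag
+
+def csrf_meta_tag
+%Q(<meta name="csrf_token" content="#{csrf_token}">)
+end
 end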
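Review bot: Both token comparisons in the new `csrf_safe?` body (`req[:csrf_token] == csrf_token` and `env["HTTP_X_CSRF_TOKEN"] == csrf_token`) use `String#==`, which stops at the first mismatching byte and so leaks timing information about the session's secret to a client that can measure response times. A constant-time comparison is the usual defence here: `Rack::Utils.secure_compare(req[:csrf_token].to_s, csrf_token) || Rack::Utils.secure_compare(env["HTTP_X_CSRF_TOKEN"].to_s, csrf_token)`, where the `.to_s` covers a missing param or header because `secure_compare` expects two strings. Calling `csrf_token` on the right-hand side also mints and stores a token for sessions that have none; that is harmless for the check but is a side effect worth a one-line comment such as `# csrf_token memoizes into the session, so a token is created on first use`. On the `alias :csrf_tag :csrf_form_tag` line the bare `alias csrf_tag csrf_form_tag` form is the conventional style.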
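--- a/data/makefile
+++ b/data/makefile
@@ -2,7 +2,7 @@ DEFAULT_GOAL := test
 .PHONY: test
 
 gem:
-gem build cuba-csrf.gemspec
+gem build *.gemspec
 
 test:
 cutest test/*.rb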
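--- a/data/test/csrf.rb
+++ b/data/test/csrf.rb
@@ -69,6 +69,17 @@ scope do
 end
 end
 
+test "http header" do
+csrf_token = SecureRandom.hex(32)
+
+Cuba.define do
+session[:csrf_token] = csrf_token
+raise unless csrf_safe?
+end
+
+post "/", {}, { "HTTP_X_CSRF_TOKEN" => csrf_token }
+end
+
 test "sub app raises too" do
 class App < Cuba
 define do
@@ -131,8 +142,12 @@ scope do
 end
 
 api = Api.new
-csrf_tag = %Q(<input type="hidden" name="csrf_token" value="#{api.csrf_token}">)
 
-assert_equal(csrf_tag, api.csrf_tag)
+csrf_form_tag = %Q(<input type="hidden" name="csrf_token" value="#{api.csrf_token}">)
+csrf_meta_tag = %Q(<meta name="csrf_token" content="#{api.csrf_token}">)
+
+assert_equal(csrf_form_tag, api.csrf_tag)
+assert_equal(csrf_form_tag, api.csrf_form_tag)
+assert_equal(csrf_meta_tag, api.csrf_meta_tag)
 end
 end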
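Review bot: The new "http header" test in the first hunk only exercises the accepting path — it asserts that a matching `HTTP_X_CSRF_TOKEN` value passes `csrf_safe?`, but nothing checks that a wrong header value is rejected, so a regression that compared the header loosely or ignored it would still pass. A mirror-image case with the same shape and `raise if csrf_safe?` closes that gap, assuming the harness provides a session the way the existing tests rely on. The local `csrf_token` captured inside `Cuba.define` also shadows the plugin's `csrf_token` method for readers of that block; a name such as `token` would avoid the ambiguity. The enclosing `scope do` block begins and ends outside the hunk.
```ruby
test "http header mismatch" do
  Cuba.define do
    session[:csrf_token] = SecureRandom.hex(32)
    raise if csrf_safe?
  end

  post "/", {}, { "HTTP_X_CSRF_TOKEN" => "not-the-session-token" }
end
```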
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cuba-csrf
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.2
4
+ version: 0.0.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Francesco Rodríguez
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2015-01-13 00:00:00.000000000 Z
12
+ date: 2015-02-07 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: cuba