cuba 3.3.0 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 51a2e9df839f23563e53c9a4a7bc93657b55a781
-  data.tar.gz: 43432f0a85b2133cc1b052dd2f8ac4bf88eea0a2
+  metadata.gz: 33341fdef71be26c9506be1f85b0d223721baaf3
+  data.tar.gz: f78025b8496068b945a4095a51115dbb9d939c08
 SHA512:
-  metadata.gz: a8e53ef5c9a833d709bd095138aeb9b57be355d3758428c396e864a4b81d381615594a0c33977cdd960b727588178ba1ef8d2e87bec379ca84054abcd1d7f173
-  data.tar.gz: aa4fb0f2247bb8568fba9b38374a423ddee945972fe4143d97d5f488bdad2a08832c2581bbdc51d8c3726446cf5daf4f9a715215df713c911f44629e05d39e46
+  metadata.gz: 933e16d3505eca916f1d86fbb36aaf2b58fc87256272b326d0ca52afcbd3dbc699e19bae18a4f5191d05194c53b12b882983e64240ab493691445613db2c327f
+  data.tar.gz: fa31afdad6c4f18337c88f5a4fd896f6585d972c53a92ca2e469bbe8eafcbe53927246e99fa46e09ce0d51a28d36628aa702cabb74d98215b3e6bec06e6157e9

data/.gems

@@ -1,4 +1,4 @@
-cutest -v 1.2.1
-rack -v 1.5.2
+cutest -v 1.2.2
+rack -v 1.6.0
 tilt -v 2.0.1
-rack-test -v 0.6.2
+rack-test -v 0.6.3

data/CHANGELOG

@@ -1,3 +1,8 @@
+3.4.0
+
+* Add `Cuba::Safe` plugin. This plugin contains security related
+  defaults.
+
 3.3.0
 
 * Restrict when to add the default content type.

data/LICENSE

@@ -1,4 +1,8 @@
-Copyright (c) 2010, 2011 Michel Martens, Damian Janowski and Cyril David
+Copyright (C) 2008-2009 Christian Neukirchen
+Copyright (c) 2010-2015 Michel Martens
+Copyright (c) 2010-2015 Damian Janowski
+Copyright (c) 2010-2015 Cyril David
+Copyright (c) 2013-2015 Francesco Rodríguez
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -217,7 +217,7 @@ Cuba.define do
   on get do
     on "hello" do
       on root do
-      	res.write "hello world"
+        res.write "hello world"
       end
     end
   end
@@ -274,36 +274,120 @@ end
 Security
 --------
 
-The favorite security layer for Cuba is
-[Rack::Protection][rack-protection]. It is not included by default
+The most important security consideration is to use `https` for all
+requests. If that's not the case, any attempt to secure the application
+could be in vain. The rest of this section assumes `https` is
+enforced.
+
+When building a web application, you need to include a security
+layer. Cuba ships with the `Cuba::Safe` plugin, which applies several
+security related headers to prevent attacks like clickjacking and
+cross-site scripting, among others. It is not included by default
 because there are legitimate uses for plain Cuba (for instance,
 when designing an API).
 
-If you are building a web application, by all means make sure
-to include a security layer. As it is the convention for unsafe
-operations, only POST, PUT and DELETE requests are monitored.
+Here's how to include it:
+
+```ruby
+Cuba.plugin(Cuba::Safe)
+```
 
 You should also always set a session secret to some undisclosed
 value. Keep in mind that the content in the session cookie is
 *not* encrypted.
 
-[rack-protection]: https://github.com/rkh/rack-protection
-
 ``` ruby
+Cuba.use(Rack::Session::Cookie, :secret => "__a_very_long_string__")
+```
+
+In the end, your application should look like this:
+
+```ruby
 require "cuba"
-require "rack/protection"
 
 Cuba.use Rack::Session::Cookie, :secret => "__a_very_long_string__"
-Cuba.use Rack::Protection
-Cuba.use Rack::Protection::RemoteReferrer
+
+Cuba.plugin Cuba::Safe
 
 Cuba.define do
+  on csrf.unsafe? do
+    csrf.reset!
+
+    res.status = 403
+    res.write("Not authorized")
+
+    halt(res.finish)
+  end
 
   # Now your app is protected against a wide range of attacks.
   ...
 end
 ```
 
+The `Cuba::Safe` plugin is composed of two modules:
+
+* `Cuba::Safe::SecureHeaders`
+* `Cuba::Safe::CSRF`
+
+You can include them individually, but while the modularity is good
+for development, it's very common to use them in tandem. As that's
+the normal use case, including `Cuba::Safe` is the preferred way.
+
+Cross-Site Request Forgery
+--------------------------
+
+The `Cuba::Safe::CSRF` plugin provides a `csrf` object with the
+following methods:
+
+* `token`: the current security token.
+* `reset!`: forces the token to be recreated.
+* `safe?`: returns `true` if the request is safe.
+* `unsafe?`: returns `true` if the request is unsafe.
+* `form_tag`: returns a string with the `csrf_token` hidden input tag.
+* `meta_tag`: returns a string with the `csrf_token` meta tag.
+
+Here's an example of how to use it:
+
+```ruby
+Cuba.plugin(Cuba::Safe)
+
+Cuba.define do
+  on csrf.unsafe? do
+    csrf.reset!
+
+    res.status = 403
+    res.write("Not authorized")
+
+    halt(res.finish)
+  end
+
+  # Here comes the rest of your application
+  # ...
+end
+```
+
+You have to include `csrf.form_tag` in your forms and `csrf.meta_tag`
+among your meta tags. Here's an example that assumes you are using
+`Cuba::Mote` from `cuba-contrib`:
+
+```html
+<!DOCTYPE html>
+<html>
+  <head>
+    {{ this.csrf.meta_tag }}
+    ...
+  </head>
+  ...
+  <body>
+    <form action="/foo" method="POST">
+      {{ this.csrf.form_tag }}
+      ...
+    </form>
+  ...
+  </body>
+</html>
+```
+
 HTTP Verbs
 ----------
 
@@ -370,7 +454,7 @@ In the second case, the substring `:id` gets replaced by `([^\\/]+)` and the
 string becomes `"users/([^\\/]+)"` before performing the match, thus it reverts
 to the first form we saw.
 
-In the third case, the symbol ––no matter what it says––gets replaced
+In the third case, the symbol ––no matter what it says––gets replaced
 by `"([^\\/]+)"`, and again we are in presence of case 1.
 
 The fourth case, again, reverts to the basic matcher: it generates the string

data/cuba.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name              = "cuba"
-  s.version           = "3.3.0"
+  s.version           = "3.4.0"
   s.summary           = "Microframework for web applications."
   s.description       = "Cuba is a microframework for web applications."
   s.authors           = ["Michel Martens"]

data/lib/cuba.rb

@@ -8,8 +8,8 @@ class Cuba
     attr :body
     attr :headers
 
-    def initialize(status = nil, headers = {})
-      @status  = status
+    def initialize(headers = {})
+      @status  = nil
       @headers = headers
       @body    = []
       @length  = 0
@@ -114,7 +114,7 @@ class Cuba
   def call!(env)
     @env = env
     @req = settings[:req].new(env)
-    @res = settings[:res].new
+    @res = settings[:res].new(settings[:default_headers].dup)
 
     # This `catch` statement will either receive a
     # rack response tuple via a `halt`, or will
@@ -339,7 +339,51 @@ class Cuba
   def halt(response)
     throw :halt, response
   end
+
+  # Adds ability to pass information to a nested Cuba application.
+  # It receives two parameters: a hash that represents the passed
+  # information and a block. The #vars method is used to retrieve
+  # a hash with the passed information.
+  #
+  #   class Platforms < Cuba
+  #     define do
+  #       platform = vars[:platform]
+  #
+  #       on default do
+  #         res.write(platform) # => "heroku" or "salesforce"
+  #       end
+  #     end
+  #   end
+  #
+  #   Cuba.define do
+  #     on "(heroku|salesforce)" do |platform|
+  #       with(platform: platform) do
+  #         run(Platforms)
+  #       end
+  #     end
+  #   end
+  #
+  def with(dict = {})
+    old, env["cuba.vars"] = vars, vars.merge(dict)
+    yield
+  ensure
+    env["cuba.vars"] = old
+  end
+
+  # Returns a hash with the information set by the #with method.
+  #
+  #   with(role: "admin", site: "main") do
+  #     on default do
+  #       res.write(vars.inspect)
+  #     end
+  #   end
+  #   # => '{:role=>"admin", :site=>"main"}'
+  #
+  def vars
+    env["cuba.vars"] ||= {}
+  end
 end
 
 Cuba.settings[:req] = Rack::Request
 Cuba.settings[:res] = Cuba::Response
+Cuba.settings[:default_headers] = {}

data/lib/cuba/render.rb

@@ -13,6 +13,7 @@ class Cuba
     end
 
     def render(template, locals = {}, layout = settings[:render][:layout])
+      res.headers["Content-Type"] ||= "text/html; charset=utf-8"
       res.write(view(template, locals, layout))
     end
 

data/lib/cuba/safe.rb

@@ -0,0 +1,23 @@
+require_relative "safe/csrf"
+require_relative "safe/secure_headers"
+
+class Cuba
+  # == Cuba::Safe
+  #
+  # This plugin contains security related features for Cuba
+  # applications. It takes ideas from secureheaders[1].
+  #
+  # == Usage
+  #
+  #     require "cuba"
+  #     require "cuba/safe"
+  #
+  #     Cuba.plugin(Cuba::Safe)
+  #
+  module Safe
+    def self.setup(app)
+      app.plugin(Safe::SecureHeaders)
+      app.plugin(Safe::CSRF)
+    end
+  end
+end

data/lib/cuba/safe/csrf.rb

@@ -0,0 +1,47 @@
+class Cuba
+  module Safe
+    module CSRF
+      def csrf
+        @csrf ||= Cuba::Safe::CSRF::Helper.new(req)
+      end
+
+      class Helper
+        attr :req
+
+        def initialize(req)
+          @req = req
+        end
+
+        def token
+          session[:csrf_token] ||= SecureRandom.base64(32)
+        end
+
+        def reset!
+          session.delete(:csrf_token)
+        end
+
+        def safe?
+          return req.get? || req.head? ||
+            req[:csrf_token] == token ||
+            req.env["HTTP_X_CSRF_TOKEN"] == token
+        end
+
+        def unsafe?
+          return !safe?
+        end
+
+        def form_tag
+          return %Q(<input type="hidden" name="csrf_token" value="#{ token }">)
+        end
+
+        def meta_tag
+          return %Q(<meta name="csrf_token" content="#{ token }">)
+        end
+
+        def session
+          return req.env["rack.session"]
+        end
+      end
+    end
+  end
+end

data/lib/cuba/safe/secure_headers.rb

@@ -0,0 +1,40 @@
+# == Secure HTTP Headers
+#
+# This plugin will automatically apply several headers that are
+# related to security. This includes:
+#
+#   - HTTP Strict Transport Security (HSTS) [2].
+#   - X-Frame-Options [3].
+#   - X-XSS-Protection [4].
+#   - X-Content-Type-Options [5].
+#   - X-Download-Options [6].
+#   - X-Permitted-Cross-Domain-Policies [7].
+#
+# == References
+#
+# [1]: https://github.com/twitter/secureheaders
+# [2]: https://tools.ietf.org/html/rfc6797
+# [3]: https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+# [4]: http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
+# [5]: http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# [6]: http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx
+# [7]: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+#
+class Cuba
+  module Safe
+    module SecureHeaders
+      HEADERS = {
+        "X-Content-Type-Options" => "nosniff",
+        "X-Download-Options" => "noopen",
+        "X-Frame-Options" => "SAMEORIGIN",
+        "X-Permitted-Cross-Domain-Policies" => "none",
+        "X-XSS-Protection" => "1; mode=block",
+        "Strict-Transport-Security" => "max-age=631138519; includeSubdomains; preload"
+      }
+
+      def self.setup(app)
+        app.settings[:default_headers].merge!(HEADERS)
+      end
+    end
+  end
+end

data/test/csrf.rb

@@ -0,0 +1,139 @@
+require_relative "helper"
+require "cuba/safe/csrf"
+require "cuba/test"
+
+def assert_no_raise
+  yield
+  success
+end
+
+class UnsafeRequest < RuntimeError; end
+
+scope do
+  setup do
+    Cuba.reset!
+
+    Cuba.use(Rack::Session::Cookie, secret: "_this_must_be_secret")
+    Cuba.plugin(Cuba::Safe::CSRF)
+  end
+
+  test "safe http methods" do
+    Cuba.define do
+      raise UnsafeRequest if csrf.unsafe?
+    end
+
+    assert_no_raise do
+      get  "/"
+      head "/"
+    end
+  end
+
+  test "invalid csrf param" do
+    Cuba.define do
+      if csrf.unsafe?
+        csrf.reset!
+      end
+
+      res.write(csrf.token)
+    end
+
+    get "/"
+
+    old_token = last_response.body
+
+    post "/", "csrf_token" => "nonsense"
+
+    new_token = last_response.body
+
+    assert(old_token != new_token)
+  end
+
+  test "valid csrf param" do
+    Cuba.define do
+      raise unless csrf.safe?
+
+      on get do
+        res.write(csrf.token)
+      end
+
+      on post do
+        res.write("safe")
+      end
+    end
+
+    get "/"
+
+    csrf_token = last_response.body
+
+    assert(!csrf_token.empty?)
+
+    assert_no_raise do
+      post "/", "csrf_token" => csrf_token
+    end
+  end
+
+  test "http header" do
+    csrf_token = SecureRandom.hex(32)
+
+    Cuba.define do
+      session[:csrf_token] = csrf_token
+      raise if csrf.unsafe?
+    end
+
+    assert_no_raise do
+      post "/", {}, { "HTTP_X_CSRF_TOKEN" => csrf_token }
+    end
+  end
+
+  test "sub app raises too" do
+    class App < Cuba
+      define do
+        on post do
+          res.write("unsafe")
+        end
+      end
+    end
+
+    Cuba.define do
+      raise UnsafeRequest unless csrf.safe?
+
+      on "app" do
+        run(App)
+      end
+    end
+
+    assert_raise(UnsafeRequest) do
+      post "/app"
+    end
+  end
+
+  test "only sub app" do
+    class App < Cuba
+      define do
+        raise UnsafeRequest unless csrf.safe?
+
+        on post do
+          res.write("unsafe")
+        end
+      end
+    end
+
+    Cuba.define do
+      on "app" do
+        run(App)
+      end
+
+      on default do
+        res.write("safe")
+      end
+    end
+
+    assert_no_raise do
+      post "/"
+    end
+
+    assert_raise(UnsafeRequest) do
+      post "/app"
+    end
+  end
+end

data/test/render.rb

@@ -111,3 +111,18 @@ test "overrides layout" do
 
   assert_response body, ["<title>Alternative Layout: Home</title>\n<h1>Home</h1>\n<p>Hello Agent Smith</p>\n"]
 end
+
+test "ensures content-type header is set" do
+  Cuba.plugin(Cuba::Render)
+
+  Cuba.define do
+    on default do
+      res.status = 403
+      render("about", title: "Hello Cuba")
+    end
+  end
+
+  _, headers, _ = Cuba.call({})
+
+  assert_equal("text/html; charset=utf-8", headers["Content-Type"])
+end

data/test/safe.rb

@@ -0,0 +1,74 @@
+require_relative "helper"
+require "cuba/safe"
+
+scope do
+  test "secure headers" do
+    Cuba.plugin(Cuba::Safe)
+
+    class Hello < Cuba
+      define do
+        on root do
+          res.write("hello")
+        end
+      end
+    end
+
+    Cuba.define do
+      on root do
+        res.write("home")
+      end
+
+      on "hello" do
+        run(Hello)
+      end
+    end
+
+    secure_headers = Cuba::Safe::SecureHeaders::HEADERS
+
+    _, headers, _ = Cuba.call("PATH_INFO" => "/", "SCRIPT_NAME" => "/")
+    secure_headers.each do |header, value|
+      assert_equal(value, headers[header])
+    end
+
+    _, headers, _ = Cuba.call("PATH_INFO" => "/hello", "SCRIPT_NAME" => "/")
+    secure_headers.each do |header, value|
+      assert_equal(value, headers[header])
+    end
+  end
+
+  test "secure headers only in sub app" do
+    Cuba.settings[:default_headers] = {}
+
+    class About < Cuba
+      plugin(Cuba::Safe)
+
+      define do
+        on root do
+          res.write("about")
+        end
+      end
+    end
+
+    Cuba.define do
+      on root do
+        res.write("home")
+      end
+
+      on "about" do
+        run(About)
+      end
+    end
+
+    secure_headers = Cuba::Safe::SecureHeaders::HEADERS
+
+    _, headers, _ = Cuba.call("PATH_INFO" => "/", "SCRIPT_NAME" => "/")
+    secure_headers.each do |header, _|
+      assert(!headers.key?(header))
+    end
+
+    _, headers, _ = Cuba.call("PATH_INFO" => "/about", "SCRIPT_NAME" => "/")
+    secure_headers.each do |header, value|
+      assert_equal(value, headers[header])
+    end
+  end
+end

data/test/with.rb

@@ -0,0 +1,42 @@
+require_relative "helper"
+
+test do
+  class UserPhotos < Cuba
+    define do
+      on root do
+        res.write "uid: %d" % vars[:user_id]
+        res.write "site: %s" % vars[:site]
+      end
+    end
+  end
+
+  class Photos < Cuba
+    define do
+      on ":id/photos" do |id|
+        with user_id: id do
+          _, _, body = UserPhotos.call(req.env)
+
+          body.each do |line|
+            res.write line
+          end
+        end
+
+        res.write vars.inspect
+      end
+    end
+  end
+
+  Cuba.define do
+    on "users" do
+      with user_id: "default", site: "main" do
+        run Photos
+      end
+    end
+  end
+
+  _, _, body = Cuba.call({ "PATH_INFO" => "/users/1001/photos",
+                           "SCRIPT_NAME" => "" })
+
+  assert_response body, ["uid: 1001", "site: main",
+                         '{:user_id=>"default", :site=>"main"}']
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cuba
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.4.0
 platform: ruby
 authors:
 - Michel Martens
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-19 00:00:00.000000000 Z
+date: 2015-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -87,12 +87,16 @@ files:
 - lib/cuba.rb
 - lib/cuba/capybara.rb
 - lib/cuba/render.rb
+- lib/cuba/safe.rb
+- lib/cuba/safe/csrf.rb
+- lib/cuba/safe/secure_headers.rb
 - lib/cuba/test.rb
 - makefile
 - test/accept.rb
 - test/captures.rb
 - test/composition.rb
 - test/cookie.rb
+- test/csrf.rb
 - test/extension.rb
 - test/helper.rb
 - test/host.rb
@@ -109,6 +113,7 @@ files:
 - test/render.rb
 - test/root.rb
 - test/run.rb
+- test/safe.rb
 - test/segment.rb
 - test/session.rb
 - test/settings.rb
@@ -126,6 +131,7 @@ files:
 - test/views/layout.mote
 - test/views/layout.str
 - test/views/test.erb
+- test/with.rb
 homepage: https://github.com/soveran/cuba
 licenses:
 - MIT
@@ -146,7 +152,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
 summary: Microframework for web applications.