enhanced_request_forgery_protection 0.9.0
Sign up to get free protection for your applications and to get access to all the features.
- data/.document +5 -0
- data/.rspec +1 -0
- data/Gemfile +19 -0
- data/Gemfile.lock +89 -0
- data/LICENSE.txt +22 -0
- data/README.rdoc +46 -0
- data/Rakefile +55 -0
- data/VERSION +1 -0
- data/features/enhanced_request_forgery_protection.feature +9 -0
- data/features/step_definitions/enhanced_request_forgery_protection_steps.rb +0 -0
- data/features/support/env.rb +13 -0
- data/install.rb +1 -0
- data/lib/enhanced_request_forgery_protection.rb +159 -0
- data/lib/tasks/enhanced_request_forgery_protection_tasks.rake +4 -0
- data/spec/controllers/enhanced_request_forgery_protection_spec.rb +190 -0
- data/spec/spec_helper.rb +18 -0
- data/uninstall.rb +1 -0
- metadata +220 -0
data/.document
ADDED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--color
|
data/Gemfile
ADDED
@@ -0,0 +1,19 @@
|
|
1
|
+
source "http://rubygems.org"
|
2
|
+
gem "actionpack", "~> 3.0.7"
|
3
|
+
gem "activesupport", "~> 3.0.7"
|
4
|
+
|
5
|
+
# Add dependencies required to use your gem here.
|
6
|
+
# Example:
|
7
|
+
# gem "activesupport", ">= 2.3.5"
|
8
|
+
|
9
|
+
# Add dependencies to develop your gem here.
|
10
|
+
# Include everything needed to run rake, tests, features, etc.
|
11
|
+
group :development do
|
12
|
+
gem "rspec", "~> 2.6.0"
|
13
|
+
gem "cucumber", ">= 0"
|
14
|
+
gem "bundler", "~> 1.0.0"
|
15
|
+
gem "jeweler", "~> 1.5.2"
|
16
|
+
gem "rcov", ">= 0"
|
17
|
+
gem "ruby-debug", :platform => :ruby_18
|
18
|
+
gem "ruby-debug19", :require => "ruby-debug", :platform => :ruby_19
|
19
|
+
end
|
data/Gemfile.lock
ADDED
@@ -0,0 +1,89 @@
|
|
1
|
+
GEM
|
2
|
+
remote: http://rubygems.org/
|
3
|
+
specs:
|
4
|
+
abstract (1.0.0)
|
5
|
+
actionpack (3.0.7)
|
6
|
+
activemodel (= 3.0.7)
|
7
|
+
activesupport (= 3.0.7)
|
8
|
+
builder (~> 2.1.2)
|
9
|
+
erubis (~> 2.6.6)
|
10
|
+
i18n (~> 0.5.0)
|
11
|
+
rack (~> 1.2.1)
|
12
|
+
rack-mount (~> 0.6.14)
|
13
|
+
rack-test (~> 0.5.7)
|
14
|
+
tzinfo (~> 0.3.23)
|
15
|
+
activemodel (3.0.7)
|
16
|
+
activesupport (= 3.0.7)
|
17
|
+
builder (~> 2.1.2)
|
18
|
+
i18n (~> 0.5.0)
|
19
|
+
activesupport (3.0.7)
|
20
|
+
archive-tar-minitar (0.5.2)
|
21
|
+
builder (2.1.2)
|
22
|
+
columnize (0.3.2)
|
23
|
+
cucumber (0.10.0)
|
24
|
+
builder (>= 2.1.2)
|
25
|
+
diff-lcs (~> 1.1.2)
|
26
|
+
gherkin (~> 2.3.2)
|
27
|
+
json (~> 1.4.6)
|
28
|
+
term-ansicolor (~> 1.0.5)
|
29
|
+
diff-lcs (1.1.2)
|
30
|
+
erubis (2.6.6)
|
31
|
+
abstract (>= 1.0.0)
|
32
|
+
gherkin (2.3.3)
|
33
|
+
json (~> 1.4.6)
|
34
|
+
git (1.2.5)
|
35
|
+
i18n (0.5.0)
|
36
|
+
jeweler (1.5.2)
|
37
|
+
bundler (~> 1.0.0)
|
38
|
+
git (>= 1.2.5)
|
39
|
+
rake
|
40
|
+
json (1.4.6)
|
41
|
+
linecache (0.43)
|
42
|
+
linecache19 (0.5.12)
|
43
|
+
ruby_core_source (>= 0.1.4)
|
44
|
+
rack (1.2.2)
|
45
|
+
rack-mount (0.6.14)
|
46
|
+
rack (>= 1.0.0)
|
47
|
+
rack-test (0.5.7)
|
48
|
+
rack (>= 1.0)
|
49
|
+
rake (0.8.7)
|
50
|
+
rcov (0.9.9)
|
51
|
+
rspec (2.6.0)
|
52
|
+
rspec-core (~> 2.6.0)
|
53
|
+
rspec-expectations (~> 2.6.0)
|
54
|
+
rspec-mocks (~> 2.6.0)
|
55
|
+
rspec-core (2.6.3)
|
56
|
+
rspec-expectations (2.6.0)
|
57
|
+
diff-lcs (~> 1.1.2)
|
58
|
+
rspec-mocks (2.6.0)
|
59
|
+
ruby-debug (0.10.4)
|
60
|
+
columnize (>= 0.1)
|
61
|
+
ruby-debug-base (~> 0.10.4.0)
|
62
|
+
ruby-debug-base (0.10.4)
|
63
|
+
linecache (>= 0.3)
|
64
|
+
ruby-debug-base19 (0.11.25)
|
65
|
+
columnize (>= 0.3.1)
|
66
|
+
linecache19 (>= 0.5.11)
|
67
|
+
ruby_core_source (>= 0.1.4)
|
68
|
+
ruby-debug19 (0.11.6)
|
69
|
+
columnize (>= 0.3.1)
|
70
|
+
linecache19 (>= 0.5.11)
|
71
|
+
ruby-debug-base19 (>= 0.11.19)
|
72
|
+
ruby_core_source (0.1.5)
|
73
|
+
archive-tar-minitar (>= 0.5.2)
|
74
|
+
term-ansicolor (1.0.5)
|
75
|
+
tzinfo (0.3.26)
|
76
|
+
|
77
|
+
PLATFORMS
|
78
|
+
ruby
|
79
|
+
|
80
|
+
DEPENDENCIES
|
81
|
+
actionpack (~> 3.0.7)
|
82
|
+
activesupport (~> 3.0.7)
|
83
|
+
bundler (~> 1.0.0)
|
84
|
+
cucumber
|
85
|
+
jeweler (~> 1.5.2)
|
86
|
+
rcov
|
87
|
+
rspec (~> 2.6.0)
|
88
|
+
ruby-debug
|
89
|
+
ruby-debug19
|
data/LICENSE.txt
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
EnhancedRequestForgeryProtection, a Ruby on Rails plugin to enhance Rails' build in protection against Cross-Site Request Forgery
|
2
|
+
|
3
|
+
Copyright (C) 2007 Bart Teeuwisse <bart [dot] teeuwisse [at] thecodemill.biz>
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,46 @@
|
|
1
|
+
= EnhancedRequestForgeryProtection
|
2
|
+
|
3
|
+
A plugin to protect against Cross-Site Request Forgery. From
|
4
|
+
http://en.wikipedia.org/wiki/Crsf:
|
5
|
+
|
6
|
+
<i>Cross-site request forgery, also known as one click attack or session
|
7
|
+
riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
|
8
|
+
malicious exploit of websites. Although this type of attack has
|
9
|
+
similarities to cross-site scripting (XSS), cross-site scripting
|
10
|
+
requires the attacker to inject unauthorized code into a website,
|
11
|
+
while cross-site request forgery merely transmits unauthorized
|
12
|
+
commands from a user the website trusts.</i>
|
13
|
+
|
14
|
+
== Prevention
|
15
|
+
|
16
|
+
For the web site, switching from a persistent authentication method
|
17
|
+
(e.g. a cookie or HTTP authentication) to a transient authentication
|
18
|
+
method (e.g. a hidden field provided on every form) will help prevent
|
19
|
+
these attacks. Use RequestForgeryProtection to include a secret,
|
20
|
+
user-specific token in forms that is verified in addition to the cookie.
|
21
|
+
|
22
|
+
EnhancedRequestForgeryProtection extends Rails' RequestForgeryProtection with scopes and time windows. By default
|
23
|
+
authentication tokens are scoped to the controller, but can be arbitrarily defined. The default time window is 1 hour.
|
24
|
+
Form submissions that come in outside the time window will be rejected. Scopes and time windows are useful when you
|
25
|
+
want to protect certain areas more tightly then others. For example you might want to use a 15 minute time window for
|
26
|
+
all actions that modify the user's account.
|
27
|
+
|
28
|
+
Requests that fail authentication are redirected back to the referring URL. Typically this will be the page where the form
|
29
|
+
originated. The user will receive a new authentication token and can resubmit the form. If it is no referring URL then
|
30
|
+
the response will be Unprocessable Entity (HTTP code 422) just like the stock RequestForgeryProtection.
|
31
|
+
|
32
|
+
== Contributing to EnhancedRequestForgeryProtection
|
33
|
+
|
34
|
+
* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
|
35
|
+
* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
|
36
|
+
* Fork the project
|
37
|
+
* Start a feature/bugfix branch
|
38
|
+
* Commit and push until you are happy with your contribution
|
39
|
+
* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
|
40
|
+
* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
|
41
|
+
|
42
|
+
== Copyright
|
43
|
+
|
44
|
+
Copyright (c) 2007 Bart Teeuwisse. See LICENSE.txt for
|
45
|
+
further details.
|
46
|
+
|
data/Rakefile
ADDED
@@ -0,0 +1,55 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'bundler'
|
3
|
+
begin
|
4
|
+
Bundler.setup(:default, :development)
|
5
|
+
rescue Bundler::BundlerError => e
|
6
|
+
$stderr.puts e.message
|
7
|
+
$stderr.puts "Run `bundle install` to install missing gems"
|
8
|
+
exit e.status_code
|
9
|
+
end
|
10
|
+
require 'rake'
|
11
|
+
|
12
|
+
require 'jeweler'
|
13
|
+
Jeweler::Tasks.new do |gem|
|
14
|
+
# gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
|
15
|
+
gem.name = "enhanced_request_forgery_protection"
|
16
|
+
gem.homepage = "http://github.com/bartt/enhanced_request_forgery_protection"
|
17
|
+
gem.license = "MIT"
|
18
|
+
gem.summary = "A Rails plugin to enhance Rails's basic protect against Cross-Site Request Forgery with scopes and time windows."
|
19
|
+
gem.description = "Add scopes and time windows to Rails's CSRF protection. Redirect to referrer with a flash message when possible."
|
20
|
+
gem.email = "bart.teeuwisse@thecodemill.biz"
|
21
|
+
gem.authors = ["Bart Teeuwisse"]
|
22
|
+
# Include your dependencies below. Runtime dependencies are required when using your gem,
|
23
|
+
# and development dependencies are only needed for development (ie running rake tasks, tests, etc)
|
24
|
+
# gem.add_runtime_dependency 'jabber4r', '> 0.1'
|
25
|
+
# gem.add_development_dependency 'rspec', '> 1.2.3'
|
26
|
+
end
|
27
|
+
Jeweler::RubygemsDotOrgTasks.new
|
28
|
+
|
29
|
+
require 'rspec/core'
|
30
|
+
require 'rspec/core/rake_task'
|
31
|
+
RSpec::Core::RakeTask.new(:spec) do |spec|
|
32
|
+
spec.pattern = FileList['spec/**/*_spec.rb']
|
33
|
+
end
|
34
|
+
|
35
|
+
RSpec::Core::RakeTask.new(:rcov) do |spec|
|
36
|
+
spec.pattern = 'spec/**/*_spec.rb'
|
37
|
+
spec.rcov = true
|
38
|
+
end
|
39
|
+
|
40
|
+
require 'cucumber/rake/task'
|
41
|
+
Cucumber::Rake::Task.new(:features)
|
42
|
+
|
43
|
+
task :default => :spec
|
44
|
+
|
45
|
+
require 'rake/rdoctask'
|
46
|
+
desc 'Generate documentation for the enhanced_request_forgery_protection plugin.'
|
47
|
+
Rake::RDocTask.new do |rdoc|
|
48
|
+
version = File.exist?('VERSION') ? File.read('VERSION') : ""
|
49
|
+
|
50
|
+
rdoc.rdoc_dir = 'rdoc'
|
51
|
+
rdoc.title = "enhanced_request_forgery_protection #{version}"
|
52
|
+
rdoc.options << '--line-numbers' << '--inline-source'
|
53
|
+
rdoc.rdoc_files.include('README*')
|
54
|
+
rdoc.rdoc_files.include('lib/**/*.rb')
|
55
|
+
end
|
data/VERSION
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
0.9.0
|
File without changes
|
@@ -0,0 +1,13 @@
|
|
1
|
+
require 'bundler'
|
2
|
+
begin
|
3
|
+
Bundler.setup(:default, :development)
|
4
|
+
rescue Bundler::BundlerError => e
|
5
|
+
$stderr.puts e.message
|
6
|
+
$stderr.puts "Run `bundle install` to install missing gems"
|
7
|
+
exit e.status_code
|
8
|
+
end
|
9
|
+
|
10
|
+
$LOAD_PATH.unshift(File.dirname(__FILE__) + '/../../lib')
|
11
|
+
require 'enhanced_request_forgery_protection'
|
12
|
+
|
13
|
+
require 'rspec/expectations'
|
data/install.rb
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
# Install hook code here
|
@@ -0,0 +1,159 @@
|
|
1
|
+
require 'openssl'
|
2
|
+
|
3
|
+
# A plugin to protect against {Cross-Site Request Forgery}[http://en.wikipedia.org/wiki/Crsf].
|
4
|
+
#
|
5
|
+
# = Class variables
|
6
|
+
#
|
7
|
+
# Because authenticity_token verification is a request filter one can't pass
|
8
|
+
# variables to a +verify_authenticity_token+. But because EnhancedRequestForgeryProtection gets mixed into
|
9
|
+
# ActionController one can use class instance variables to pass
|
10
|
+
# information to +verify_authenticity_token+ and +hexdigest+. EnhancedRequestForgeryProtection uses the
|
11
|
+
# following attributes:
|
12
|
+
#
|
13
|
+
# <tt>authenticity_scope</tt>::
|
14
|
+
# The scope of actions that use compatible authenticity tokens. Defaults to
|
15
|
+
# <i>the ActionController's class name</i> which means that
|
16
|
+
# +verify_authenticity_token+ only validates actions of that controller.
|
17
|
+
# Override to broaden the scope. Setting the scope in 2
|
18
|
+
# controllers to the same value makes their authenticity tokens compatible.
|
19
|
+
# <tt>authenticity_window</tt>::
|
20
|
+
# The time window within which the form has to be submitted and
|
21
|
+
# verified. Defaults to <i>1 hour</i>.
|
22
|
+
# <tt>authenticity_flash_timed_out_msg</tt>::
|
23
|
+
# The message to passed to the session flash if the authenticity
|
24
|
+
# token arrives outside the authenticity window. Defaults to
|
25
|
+
# <i>Form submission timed out. Please resubmit.</i>.
|
26
|
+
# <tt>authenticity_flash_invalid_msg</tt>::
|
27
|
+
# The message to passed to the session flash if the authenticity_token doesn't
|
28
|
+
# validate. Defaults to: <i>Possible form data tampering. Please
|
29
|
+
# resubmit.</i>
|
30
|
+
module EnhancedRequestForgeryProtection
|
31
|
+
extend ActiveSupport::Concern
|
32
|
+
|
33
|
+
include AbstractController::Helpers
|
34
|
+
|
35
|
+
included do
|
36
|
+
helper_method :form_authenticity_token
|
37
|
+
end
|
38
|
+
|
39
|
+
module ClassMethods #:nodoc:
|
40
|
+
def authenticity_scope
|
41
|
+
@authenticity_scope ||= self.name
|
42
|
+
end
|
43
|
+
|
44
|
+
def authenticity_window
|
45
|
+
@authenticity_window ||= 1.hour
|
46
|
+
end
|
47
|
+
|
48
|
+
def authenticity_timed_out_msg
|
49
|
+
@authenticity_timed_out_msg ||= 'Form submission timed out. Please resubmit.'
|
50
|
+
end
|
51
|
+
|
52
|
+
def authenticity_invalid_msg
|
53
|
+
@authenticity_invalid_msg ||= 'Possible form data tampering. Please resubmit.'
|
54
|
+
end
|
55
|
+
end
|
56
|
+
|
57
|
+
module InstanceMethods #:doc:
|
58
|
+
protected
|
59
|
+
# The actual before_filter that is used. Modify this to change how you handle unverified requests.
|
60
|
+
def verify_authenticity_token
|
61
|
+
verified_request? || handle_unverified_request
|
62
|
+
end
|
63
|
+
|
64
|
+
def handle_unverified_request
|
65
|
+
if request.env['HTTP_REFERER']
|
66
|
+
redirect_to request.env['HTTP_REFERER']
|
67
|
+
else
|
68
|
+
reset_session
|
69
|
+
end
|
70
|
+
end
|
71
|
+
|
72
|
+
# Returns true or false if a request is verified. Checks:
|
73
|
+
#
|
74
|
+
# * is it a GET request? Gets should be safe and idempotent
|
75
|
+
# * Does the form_authenticity_token match the given token value from the params?
|
76
|
+
# * Does the X-CSRF-Token header match the form_authenticity_token
|
77
|
+
def verified_request?
|
78
|
+
return true if !protect_against_forgery? || request.get?
|
79
|
+
@token = params[request_forgery_protection_token]
|
80
|
+
@stamped_at, @digest = split_request_authenticity_token
|
81
|
+
if @digest == hexdigest
|
82
|
+
within_authenticity_window?
|
83
|
+
else
|
84
|
+
if request.headers['X-CSRF-Token']
|
85
|
+
@token = request.headers['X-CSRF-Token']
|
86
|
+
@stamped_at, @digest = split_request_authenticity_token
|
87
|
+
if @digest == hexdigest
|
88
|
+
within_authenticity_window?
|
89
|
+
else
|
90
|
+
log_authenticity_mismatch("Invalid X-CSRF-Token header")
|
91
|
+
flash[:warning] = self.class.authenticity_invalid_msg
|
92
|
+
false
|
93
|
+
end
|
94
|
+
else
|
95
|
+
log_authenticity_mismatch("Invalid #{request_forgery_protection_token}")
|
96
|
+
flash[:warning] = self.class.authenticity_invalid_msg
|
97
|
+
false
|
98
|
+
end
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
# Generates a timestamped authenticity token
|
103
|
+
def form_authenticity_token
|
104
|
+
@private_form_authenticity_token ||= begin
|
105
|
+
@stamped_at = timestamp
|
106
|
+
"#{@stamped_at}#{hexdigest}"
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
# Sets the token value for the current session.
|
111
|
+
def csrf_token
|
112
|
+
session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
|
113
|
+
end
|
114
|
+
|
115
|
+
# Create a 10 digit timestamp for the current time
|
116
|
+
def timestamp
|
117
|
+
"%010d" % Time.now().to_i
|
118
|
+
end
|
119
|
+
|
120
|
+
# Create a hexadecimal digest of the request's remote IP address, the timestamp of the form authenticity token,
|
121
|
+
# the CSRF token and the class' authenticity scope
|
122
|
+
def hexdigest
|
123
|
+
OpenSSL::Digest::SHA1.hexdigest("#{request.remote_ip}#{@stamped_at}#{csrf_token}#{self.class.authenticity_scope}")
|
124
|
+
end
|
125
|
+
|
126
|
+
# Split the request's authenticity token into the 2 components it is made up from: the timestamp of the token and
|
127
|
+
# the hexadecimal digest.
|
128
|
+
def split_request_authenticity_token
|
129
|
+
@token.respond_to?(:[]) ? [@token[0..9], @token[10..-1]] : [nil, nil]
|
130
|
+
end
|
131
|
+
|
132
|
+
# Check if the request falls within the authenticity window of the class.
|
133
|
+
def within_authenticity_window?
|
134
|
+
if Time.at(@stamped_at.to_i) + self.class.authenticity_window > Time.now
|
135
|
+
true
|
136
|
+
else
|
137
|
+
log_authenticity_mismatch("Authenticity token outside time window")
|
138
|
+
# Replace the authenticity_invalid_msg if there was one.
|
139
|
+
flash[:warning] = self.class.authenticity_timed_out_msg
|
140
|
+
false
|
141
|
+
end
|
142
|
+
end
|
143
|
+
|
144
|
+
# Log details of a authenticity_token mismatch to the application log.
|
145
|
+
def log_authenticity_mismatch(msg)
|
146
|
+
logger.warn("#{msg}:
|
147
|
+
#{request_forgery_protection_token} = #{@token}
|
148
|
+
timestamp = #{@stamped_at}
|
149
|
+
remote_ip = #{request.remote_ip}
|
150
|
+
csrf_token = #{csrf_token}
|
151
|
+
scope = #{self.class.authenticity_scope}
|
152
|
+
hexdigest = #{hexdigest}")
|
153
|
+
end
|
154
|
+
end
|
155
|
+
end
|
156
|
+
|
157
|
+
if defined?(ActionController::RequestForgeryProtection)
|
158
|
+
ActionController::Base.send(:include, EnhancedRequestForgeryProtection)
|
159
|
+
end
|
@@ -0,0 +1,190 @@
|
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
|
2
|
+
|
3
|
+
class ApplicationController < ActionController::Base
|
4
|
+
end
|
5
|
+
|
6
|
+
describe "EnhancedRequestForgeryProtection" do
|
7
|
+
describe "ClassMethods" do
|
8
|
+
it "should assign an anonimous class the correct defaults" do
|
9
|
+
klass = Class.new
|
10
|
+
klass.send(:include, EnhancedRequestForgeryProtection)
|
11
|
+
klass.authenticity_scope.to_s.should eq ""
|
12
|
+
klass.authenticity_window.should eq 1.hour
|
13
|
+
klass.authenticity_timed_out_msg.should eq 'Form submission timed out. Please resubmit.'
|
14
|
+
klass.authenticity_invalid_msg.should eq 'Possible form data tampering. Please resubmit.'
|
15
|
+
end
|
16
|
+
|
17
|
+
it "should assign a named class the correct defaults" do
|
18
|
+
class Klass
|
19
|
+
include EnhancedRequestForgeryProtection
|
20
|
+
end
|
21
|
+
Klass.authenticity_scope.should eq 'Klass'
|
22
|
+
Klass.authenticity_window.should eq 1.hour
|
23
|
+
Klass.authenticity_timed_out_msg.should eq 'Form submission timed out. Please resubmit.'
|
24
|
+
Klass.authenticity_invalid_msg.should eq 'Possible form data tampering. Please resubmit.'
|
25
|
+
end
|
26
|
+
|
27
|
+
it "should override defaults through class instance variables" do
|
28
|
+
klass = Class.new do
|
29
|
+
include EnhancedRequestForgeryProtection
|
30
|
+
@authenticity_scope = "my scope"
|
31
|
+
@authenticity_window = 1.day
|
32
|
+
@authenticity_timed_out_msg = "Slow poke!"
|
33
|
+
@authenticity_invalid_msg = "Invalid"
|
34
|
+
end
|
35
|
+
klass.authenticity_scope.should eq "my scope"
|
36
|
+
klass.authenticity_window.should eq 1.day
|
37
|
+
klass.authenticity_timed_out_msg.should eq 'Slow poke!'
|
38
|
+
klass.authenticity_invalid_msg.should eq 'Invalid'
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
describe "InstanceMethods" do
|
43
|
+
before :each do
|
44
|
+
class Object
|
45
|
+
remove_const :Klass
|
46
|
+
end
|
47
|
+
class Klass
|
48
|
+
include EnhancedRequestForgeryProtection
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
it "should verify authenticity when the request is verified" do
|
53
|
+
klass = Klass.new
|
54
|
+
klass.stub(:verified_request?) { true }
|
55
|
+
klass.send(:verify_authenticity_token).should eq true
|
56
|
+
end
|
57
|
+
|
58
|
+
it "should reset the session when there is no referrer" do
|
59
|
+
klass = Klass.new
|
60
|
+
klass.stub(:verified_request?) { false }
|
61
|
+
klass.stub_chain(:request, :env) { {} }
|
62
|
+
klass.stub(:reset_session) { :reset_session }
|
63
|
+
klass.send(:verify_authenticity_token).should eq :reset_session
|
64
|
+
end
|
65
|
+
|
66
|
+
it "should redirect to the referrer" do
|
67
|
+
klass = Klass.new
|
68
|
+
klass.stub(:verified_request?) { false }
|
69
|
+
klass.stub_chain(:request, :env) { {"HTTP_REFERER" => :URL} }
|
70
|
+
klass.stub(:redirect_to) do |arg|
|
71
|
+
arg
|
72
|
+
end
|
73
|
+
klass.send(:verify_authenticity_token).should eq :URL
|
74
|
+
end
|
75
|
+
|
76
|
+
it "should return the same form authenticity token for a single request" do
|
77
|
+
klass = Klass.new
|
78
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
79
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
80
|
+
first_token = klass.send(:form_authenticity_token)
|
81
|
+
sleep 1
|
82
|
+
first_token.should eq klass.send(:form_authenticity_token)
|
83
|
+
end
|
84
|
+
|
85
|
+
it "should be able to split an incoming authenticity token into a timestamp and digest" do
|
86
|
+
klass = Klass.new
|
87
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
88
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
89
|
+
klass.instance_eval { @token = klass.send(:form_authenticity_token) }
|
90
|
+
klass.instance_eval { @token }.should eq klass.send(:form_authenticity_token)
|
91
|
+
time_stamp, digest = klass.send(:split_request_authenticity_token)
|
92
|
+
digest.should eq klass.send(:hexdigest)
|
93
|
+
time_stamp.should eq klass.instance_eval { @stamped_at }
|
94
|
+
end
|
95
|
+
|
96
|
+
it "should reject requests outside the class's authenticity window" do
|
97
|
+
klass = Klass.new
|
98
|
+
class Klass
|
99
|
+
@authenticity_window = -1.day
|
100
|
+
end
|
101
|
+
Klass.authenticity_window.should eq -1.day
|
102
|
+
logger = double("Logger")
|
103
|
+
logger.stub(:warn) { |arg| arg }
|
104
|
+
klass.stub(:logger) { logger }
|
105
|
+
klass.stub(:request_forgery_protection_token) { "" }
|
106
|
+
klass.stub(:flash) { {} }
|
107
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
108
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
109
|
+
klass.send(:form_authenticity_token)
|
110
|
+
klass.send(:within_authenticity_window?).should eq false
|
111
|
+
end
|
112
|
+
|
113
|
+
it "should accept requests inside the class's authenticity window" do
|
114
|
+
klass = Klass.new
|
115
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
116
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
117
|
+
klass.send(:form_authenticity_token)
|
118
|
+
klass.send(:within_authenticity_window?).should eq true
|
119
|
+
end
|
120
|
+
|
121
|
+
it "should verify GET requests" do
|
122
|
+
klass = Klass.new
|
123
|
+
klass.stub(:protect_against_forgery?) { true }
|
124
|
+
klass.stub_chain(:request, :get?) { true }
|
125
|
+
klass.send(:verified_request?).should eq true
|
126
|
+
end
|
127
|
+
|
128
|
+
it "should verify non GET requests when protection against forgery is turned off" do
|
129
|
+
klass = Klass.new
|
130
|
+
klass.stub(:protect_against_forgery?) { false }
|
131
|
+
klass.stub_chain(:request, :get?) { false }
|
132
|
+
klass.send(:verified_request?).should eq true
|
133
|
+
end
|
134
|
+
|
135
|
+
it "should verify a request forgery protection token passed in as a parameter" do
|
136
|
+
klass = Klass.new
|
137
|
+
klass.stub(:protect_against_forgery?) { true }
|
138
|
+
klass.stub_chain(:request, :get?) { false }
|
139
|
+
klass.stub(:request_forgery_protection_token) { :_token }
|
140
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
141
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
142
|
+
klass.stub(:params) { {:_token => klass.send(:form_authenticity_token)} }
|
143
|
+
klass.send(:verified_request?).should eq true
|
144
|
+
end
|
145
|
+
|
146
|
+
it "should verify a request forgery protection token passed in as a header" do
|
147
|
+
klass = Klass.new
|
148
|
+
klass.stub(:protect_against_forgery?) { true }
|
149
|
+
klass.stub_chain(:request, :get?) { false }
|
150
|
+
klass.stub(:params) { {:_token => ""} }
|
151
|
+
klass.stub(:request_forgery_protection_token) { :_token }
|
152
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
153
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
154
|
+
klass.stub_chain(:request, :headers) { {'X-CSRF-Token' => klass.send(:form_authenticity_token)} }
|
155
|
+
logger = double("Logger")
|
156
|
+
logger.stub(:warn) { |arg| arg }
|
157
|
+
klass.stub(:logger) { logger }
|
158
|
+
klass.send(:verified_request?)
|
159
|
+
klass.send(:verified_request?).should eq true
|
160
|
+
end
|
161
|
+
|
162
|
+
it "should log an invalid request forgery protection token" do
|
163
|
+
# Invalid token in the parameters with valid timestamp and no token in the header
|
164
|
+
klass = Klass.new
|
165
|
+
klass.stub(:protect_against_forgery?) { true }
|
166
|
+
klass.stub_chain(:request, :get?) { false }
|
167
|
+
klass.stub(:params) { {:_token => klass.instance_eval {timestamp} } }
|
168
|
+
klass.stub(:request_forgery_protection_token) { :_token }
|
169
|
+
klass.stub_chain(:request, :remote_ip) { "127.0.0.1" }
|
170
|
+
klass.stub(:session) { {:_csrf_token => "2b5194e50c68243dca0bde800d0d1473c3cbc"} }
|
171
|
+
klass.stub_chain(:request, :headers) { {} }
|
172
|
+
klass.stub(:log_authenticity_mismatch) { |arg| arg.should eq "Invalid _token" }
|
173
|
+
hsh = Hash.new
|
174
|
+
klass.stub(:flash) { hsh }
|
175
|
+
klass.send(:verified_request?).should eq false
|
176
|
+
klass.instance_eval{ flash[:warning] }.should eq Klass.authenticity_invalid_msg
|
177
|
+
|
178
|
+
# No token at all
|
179
|
+
klass.stub(:params) { {} }
|
180
|
+
klass.send(:verified_request?).should eq false
|
181
|
+
klass.instance_eval{ flash[:warning] }.should eq Klass.authenticity_invalid_msg
|
182
|
+
|
183
|
+
# No token in the parameters, invalid token in the header
|
184
|
+
klass.stub_chain(:request, :headers) { {"X-CSRF-Token" => klass.instance_eval {timestamp} } }
|
185
|
+
klass.stub(:log_authenticity_mismatch) { |arg| arg.should eq "Invalid X-CSRF-Token header" }
|
186
|
+
klass.send(:verified_request?).should eq false
|
187
|
+
klass.instance_eval{ flash[:warning] }.should eq Klass.authenticity_invalid_msg
|
188
|
+
end
|
189
|
+
end
|
190
|
+
end
|
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1,18 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'bundler/setup'
|
3
|
+
|
4
|
+
Bundler.require(:development)
|
5
|
+
|
6
|
+
require 'action_controller'
|
7
|
+
require "active_support/all"
|
8
|
+
|
9
|
+
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
10
|
+
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
11
|
+
require 'enhanced_request_forgery_protection'
|
12
|
+
|
13
|
+
# Requires supporting files with custom matchers and macros, etc,
|
14
|
+
# in ./support/ and its subdirectories.
|
15
|
+
Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
|
16
|
+
|
17
|
+
RSpec.configure do |config|
|
18
|
+
end
|
data/uninstall.rb
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
# Uninstall hook code here
|
metadata
ADDED
@@ -0,0 +1,220 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: enhanced_request_forgery_protection
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
hash: 59
|
5
|
+
prerelease:
|
6
|
+
segments:
|
7
|
+
- 0
|
8
|
+
- 9
|
9
|
+
- 0
|
10
|
+
version: 0.9.0
|
11
|
+
platform: ruby
|
12
|
+
authors:
|
13
|
+
- Bart Teeuwisse
|
14
|
+
autorequire:
|
15
|
+
bindir: bin
|
16
|
+
cert_chain: []
|
17
|
+
|
18
|
+
date: 2011-06-03 00:00:00 -07:00
|
19
|
+
default_executable:
|
20
|
+
dependencies:
|
21
|
+
- !ruby/object:Gem::Dependency
|
22
|
+
prerelease: false
|
23
|
+
type: :runtime
|
24
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
26
|
+
requirements:
|
27
|
+
- - ~>
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
hash: 9
|
30
|
+
segments:
|
31
|
+
- 3
|
32
|
+
- 0
|
33
|
+
- 7
|
34
|
+
version: 3.0.7
|
35
|
+
name: actionpack
|
36
|
+
version_requirements: *id001
|
37
|
+
- !ruby/object:Gem::Dependency
|
38
|
+
prerelease: false
|
39
|
+
type: :runtime
|
40
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
41
|
+
none: false
|
42
|
+
requirements:
|
43
|
+
- - ~>
|
44
|
+
- !ruby/object:Gem::Version
|
45
|
+
hash: 9
|
46
|
+
segments:
|
47
|
+
- 3
|
48
|
+
- 0
|
49
|
+
- 7
|
50
|
+
version: 3.0.7
|
51
|
+
name: activesupport
|
52
|
+
version_requirements: *id002
|
53
|
+
- !ruby/object:Gem::Dependency
|
54
|
+
prerelease: false
|
55
|
+
type: :development
|
56
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
57
|
+
none: false
|
58
|
+
requirements:
|
59
|
+
- - ~>
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
hash: 23
|
62
|
+
segments:
|
63
|
+
- 2
|
64
|
+
- 6
|
65
|
+
- 0
|
66
|
+
version: 2.6.0
|
67
|
+
name: rspec
|
68
|
+
version_requirements: *id003
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
prerelease: false
|
71
|
+
type: :development
|
72
|
+
requirement: &id004 !ruby/object:Gem::Requirement
|
73
|
+
none: false
|
74
|
+
requirements:
|
75
|
+
- - ">="
|
76
|
+
- !ruby/object:Gem::Version
|
77
|
+
hash: 3
|
78
|
+
segments:
|
79
|
+
- 0
|
80
|
+
version: "0"
|
81
|
+
name: cucumber
|
82
|
+
version_requirements: *id004
|
83
|
+
- !ruby/object:Gem::Dependency
|
84
|
+
prerelease: false
|
85
|
+
type: :development
|
86
|
+
requirement: &id005 !ruby/object:Gem::Requirement
|
87
|
+
none: false
|
88
|
+
requirements:
|
89
|
+
- - ~>
|
90
|
+
- !ruby/object:Gem::Version
|
91
|
+
hash: 23
|
92
|
+
segments:
|
93
|
+
- 1
|
94
|
+
- 0
|
95
|
+
- 0
|
96
|
+
version: 1.0.0
|
97
|
+
name: bundler
|
98
|
+
version_requirements: *id005
|
99
|
+
- !ruby/object:Gem::Dependency
|
100
|
+
prerelease: false
|
101
|
+
type: :development
|
102
|
+
requirement: &id006 !ruby/object:Gem::Requirement
|
103
|
+
none: false
|
104
|
+
requirements:
|
105
|
+
- - ~>
|
106
|
+
- !ruby/object:Gem::Version
|
107
|
+
hash: 7
|
108
|
+
segments:
|
109
|
+
- 1
|
110
|
+
- 5
|
111
|
+
- 2
|
112
|
+
version: 1.5.2
|
113
|
+
name: jeweler
|
114
|
+
version_requirements: *id006
|
115
|
+
- !ruby/object:Gem::Dependency
|
116
|
+
prerelease: false
|
117
|
+
type: :development
|
118
|
+
requirement: &id007 !ruby/object:Gem::Requirement
|
119
|
+
none: false
|
120
|
+
requirements:
|
121
|
+
- - ">="
|
122
|
+
- !ruby/object:Gem::Version
|
123
|
+
hash: 3
|
124
|
+
segments:
|
125
|
+
- 0
|
126
|
+
version: "0"
|
127
|
+
name: rcov
|
128
|
+
version_requirements: *id007
|
129
|
+
- !ruby/object:Gem::Dependency
|
130
|
+
prerelease: false
|
131
|
+
type: :development
|
132
|
+
requirement: &id008 !ruby/object:Gem::Requirement
|
133
|
+
none: false
|
134
|
+
requirements:
|
135
|
+
- - ">="
|
136
|
+
- !ruby/object:Gem::Version
|
137
|
+
hash: 3
|
138
|
+
segments:
|
139
|
+
- 0
|
140
|
+
version: "0"
|
141
|
+
name: ruby-debug
|
142
|
+
version_requirements: *id008
|
143
|
+
- !ruby/object:Gem::Dependency
|
144
|
+
prerelease: false
|
145
|
+
type: :development
|
146
|
+
requirement: &id009 !ruby/object:Gem::Requirement
|
147
|
+
none: false
|
148
|
+
requirements:
|
149
|
+
- - ">="
|
150
|
+
- !ruby/object:Gem::Version
|
151
|
+
hash: 3
|
152
|
+
segments:
|
153
|
+
- 0
|
154
|
+
version: "0"
|
155
|
+
name: ruby-debug19
|
156
|
+
version_requirements: *id009
|
157
|
+
description: Add scopes and time windows to Rails's CSRF protection. Redirect to referrer with a flash message when possible.
|
158
|
+
email: bart.teeuwisse@thecodemill.biz
|
159
|
+
executables: []
|
160
|
+
|
161
|
+
extensions: []
|
162
|
+
|
163
|
+
extra_rdoc_files:
|
164
|
+
- LICENSE.txt
|
165
|
+
- README.rdoc
|
166
|
+
files:
|
167
|
+
- .document
|
168
|
+
- .rspec
|
169
|
+
- Gemfile
|
170
|
+
- Gemfile.lock
|
171
|
+
- LICENSE.txt
|
172
|
+
- README.rdoc
|
173
|
+
- Rakefile
|
174
|
+
- VERSION
|
175
|
+
- features/enhanced_request_forgery_protection.feature
|
176
|
+
- features/step_definitions/enhanced_request_forgery_protection_steps.rb
|
177
|
+
- features/support/env.rb
|
178
|
+
- install.rb
|
179
|
+
- lib/enhanced_request_forgery_protection.rb
|
180
|
+
- lib/tasks/enhanced_request_forgery_protection_tasks.rake
|
181
|
+
- spec/controllers/enhanced_request_forgery_protection_spec.rb
|
182
|
+
- spec/spec_helper.rb
|
183
|
+
- uninstall.rb
|
184
|
+
has_rdoc: true
|
185
|
+
homepage: http://github.com/bartt/enhanced_request_forgery_protection
|
186
|
+
licenses:
|
187
|
+
- MIT
|
188
|
+
post_install_message:
|
189
|
+
rdoc_options: []
|
190
|
+
|
191
|
+
require_paths:
|
192
|
+
- lib
|
193
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
194
|
+
none: false
|
195
|
+
requirements:
|
196
|
+
- - ">="
|
197
|
+
- !ruby/object:Gem::Version
|
198
|
+
hash: 3
|
199
|
+
segments:
|
200
|
+
- 0
|
201
|
+
version: "0"
|
202
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
203
|
+
none: false
|
204
|
+
requirements:
|
205
|
+
- - ">="
|
206
|
+
- !ruby/object:Gem::Version
|
207
|
+
hash: 3
|
208
|
+
segments:
|
209
|
+
- 0
|
210
|
+
version: "0"
|
211
|
+
requirements: []
|
212
|
+
|
213
|
+
rubyforge_project:
|
214
|
+
rubygems_version: 1.6.2
|
215
|
+
signing_key:
|
216
|
+
specification_version: 3
|
217
|
+
summary: A Rails plugin to enhance Rails's basic protect against Cross-Site Request Forgery with scopes and time windows.
|
218
|
+
test_files:
|
219
|
+
- spec/controllers/enhanced_request_forgery_protection_spec.rb
|
220
|
+
- spec/spec_helper.rb
|