firebug 0.0.7

data/bin/setup

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install

data/firebug.gemspec

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'firebug/version'
+
+Gem::Specification.new do |spec| # rubocop:disable BlockLength
+  spec.name          = 'firebug'
+  spec.version       = Firebug::VERSION
+  spec.authors       = ['Aaron Frase']
+  spec.email         = ['aaron@rvshare.com']
+
+  spec.summary       = 'Gem for working with CodeIgniter sessions'
+  spec.description   = 'Gem for working with CodeIgniter sessions'
+  spec.homepage      = 'https://github.com/rvshare/firebug'
+  spec.license       = 'MIT'
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'actionpack', '~> 5.0'
+  spec.add_dependency 'activerecord', '~> 5.0'
+  spec.add_dependency 'ruby-mcrypt', '~> 0.2'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rspec_junit_formatter'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rspec'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'sqlite3'
+end

data/lib/action_dispatch/session/code_igniter_store.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require 'action_dispatch'
+require_relative '../../firebug/session'
+
+module ActionDispatch
+  module Session
+    class CodeIgniterStore < AbstractStore
+      def initialize(app, options={})
+        super(app, { key: 'default_pyrocms' }.merge(options))
+      end
+
+      # Finds an existing session or creates a new one.
+      #
+      # @param [ActionDispatch::Request] req
+      # @param [String] sid
+      # @return [Array<String, Object>]
+      def find_session(req, sid)
+        model = find_session_model(req, sid)
+        # +Rack::Session::Abstract::Persisted#load_session+ expects this to return an Array with the first value being
+        # the session ID and the second the actual session data.
+        [model.session_id, model.user_data]
+      end
+
+      # Writes the session information to the database.
+      #
+      # @param [ActionDispatch::Request] req
+      # @param [String] sid
+      # @param [Hash] session
+      # @param [Hash] _options
+      # @return [String] encrypted and base64 encoded string of the session data.
+      def write_session(req, sid, session, _options)
+        model = find_session_model(req, sid)
+        model_params = {
+          session_id: model.session_id,
+          user_agent: req.user_agent || '', # user_agent can't be null
+          ip_address: req.remote_ip || '',  # ip_address can't be null
+          user_data: session
+        }
+        # Returning false will cause Rack to output a warning.
+        return false unless model.update(model_params)
+        # Return the encrypted cookie format of the data. Rack sets this value as the cookie in the response
+        model.cookie_data
+      end
+
+      # Deletes then creates a new session in the database.
+      #
+      # @param [ActionDispatch::Request] req
+      # @param [String] sid
+      # @param [Hash] _options
+      # @return [String] the new session id
+      def delete_session(req, sid, _options)
+        # Get the current database record for this session then delete it.
+        find_session_model(req, sid).delete
+        # Generate a new one and return it's ID
+        find_session_model(req).session_id
+      end
+
+      # Tries to find the session ID in the requests cookies.
+      #
+      # @param [ActionDispatch::Request] req
+      # @return [String, nil]
+      def extract_session_id(req)
+        sid = req.cookies[@key]
+        # returning `nil` just causes a new ID to be generated.
+        return if sid.nil?
+        # sometimes the cookie contains just the session ID.
+        return sid if sid.size <= 32
+        Firebug.decrypt_cookie(sid)[:session_id]
+      end
+
+      private
+
+      # @param [ActionDispatch::Request] req
+      # @param [String] sid
+      # @return [Firebug::Session]
+      def find_session_model(req, sid=nil)
+        if sid
+          model = Firebug::Session.find_by(session_id: sid)
+          return model if model
+        end
+
+        Firebug::Session.create!(
+          session_id: sid || generate_sid,
+          last_activity: Time.current.to_i,
+          user_agent: req.user_agent,
+          ip_address: req.remote_ip
+        )
+      end
+    end
+  end
+end

data/lib/firebug/configuration.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Firebug
+  # A configuration object.
+  #
+  # @attr [String] key the encryption key used to encrypt and decrypt cookies.
+  # @attr [String] table_name the name of the sessions table.
+  class Configuration
+    attr_reader :table_name
+
+    attr_accessor :key
+
+    # Sets the table name for +Firebug::Session+
+    #
+    # @param [String] value
+    def table_name=(value)
+      Firebug::Session.table_name = value
+      @table_name = value
+    end
+  end
+end

data/lib/firebug/crypto.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Firebug
+  require 'digest'
+  require 'securerandom'
+  require 'mcrypt'
+
+  class Crypto
+    # @param [String] key
+    def initialize(key)
+      @key = Digest::MD5.hexdigest(key)
+    end
+
+    # @param [String] data
+    # @return [String]
+    def encrypt(data)
+      # Create a random 32 byte string to act as the initialization vector.
+      iv = SecureRandom.random_bytes(32)
+      # CodeIgniter pads the data with zeros
+      cipher = Mcrypt.new(:rijndael_256, :cbc, @key, iv, :zeros)
+      add_noise(iv + cipher.encrypt(data))
+    end
+
+    # @param [String] data
+    # @return [String]
+    def decrypt(data)
+      data = remove_noise(data)
+      # The first 32 bytes of the data is the original IV
+      iv = data[0..31]
+      cipher = Mcrypt.new(:rijndael_256, :cbc, @key, iv, :zeros)
+      cipher.decrypt(data[32..-1])
+    end
+
+    # CodeIgniter adds "noise" to the results of the encryption by adding the ordinal value of each character with a
+    # value in the key. The plaintext key is hashed with MD5 then SHA1.
+    #
+    # @param [String] data
+    def add_noise(data)
+      noise(data, :+)
+    end
+
+    # The "noise" is removed by subtracting the ordinals.
+    #
+    # @param [String] data
+    # @return [String]
+    def remove_noise(data)
+      noise(data, :-)
+    end
+
+    private
+
+    # @param [String] data
+    # @param [Symbol] operator
+    # @return [String]
+    def noise(data, operator)
+      key = Digest::SHA1.hexdigest(@key)
+      Array.new(data.size) { |i| (data[i].ord.send(operator, key[i % key.size].ord) % 256).chr }.join
+    end
+  end
+end

data/lib/firebug/serializer.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Firebug
+  class Serializer
+    # Convert a ruby object into a PHP serialized string.
+    #
+    # @param [Object] obj
+    # @raise [ArgumentError] for unsupported types
+    # @return [String]
+    def self.parse(obj) # rubocop:disable AbcSize,CyclomaticComplexity
+      case obj
+      when NilClass
+        'N;'
+      when TrueClass
+        'b:1;'
+      when FalseClass
+        'b:0;'
+      when Integer
+        "i:#{obj};"
+      when Float
+        "d:#{obj};"
+      when String, Symbol
+        "s:#{obj.to_s.bytesize}:\"#{obj}\";"
+      when Array
+        "a:#{obj.length}:{#{obj.collect.with_index { |e, i| "#{parse(i)}#{parse(e)}" }.join}}"
+      when Hash
+        "a:#{obj.length}:{#{obj.collect { |k, v| "#{parse(k)}#{parse(v)}" }.join}}"
+      else
+        raise ArgumentError, "unsupported type #{obj.class.name}"
+      end
+    end
+  end
+end

data/lib/firebug/session.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Firebug
+  require 'active_record'
+
+  # An ActiveRecord model of the CodeIgniter sessions table.
+  class Session < ActiveRecord::Base
+    self.table_name = 'default_ci_sessions'
+
+    # @return [Object]
+    def user_data
+      Firebug.unserialize(super || '')
+    end
+
+    # @param [Object] value
+    def user_data=(value)
+      super(Firebug.serialize(value))
+    end
+
+    # @return [String]
+    def cookie_data
+      data = { session_id: session_id, ip_address: ip_address, user_agent: user_agent, last_activity: last_activity }
+      Firebug.encrypt_cookie(data)
+    end
+
+    private
+
+    def timestamp_attributes_for_update
+      ['last_activity']
+    end
+  end
+end

data/lib/firebug/unserializer.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module Firebug
+  require 'strscan'
+
+  # This class will unserialize a PHP serialized string into a ruby object.
+  #
+  # @note Hashes will be returned with symbolized keys.
+  #
+  # @attr [StringScanner] str
+  class Unserializer
+    attr_accessor :str
+
+    # @param [String] string
+    def initialize(string)
+      self.str = StringScanner.new(string)
+    end
+
+    # Convenience method for unserializing a PHP serialized string.
+    #
+    # @param [String] value
+    # @return [Object]
+    def self.parse(value)
+      new(value).parse
+    end
+
+    # @raise [ParserError]
+    def parse # rubocop:disable AbcSize,CyclomaticComplexity
+      ch = str.getch
+      return if ch.nil?
+
+      case ch
+      when 'a'
+        parse_enumerable.tap { expect('}') }
+      when 's'
+        parse_string.tap { expect(';') }
+      when 'i'
+        parse_int.tap { expect(';') }
+      when 'd'
+        parse_double.tap { expect(';') }
+      when 'b'
+        parse_bool.tap { expect(';') }
+      when 'N'
+        expect(';')
+      else
+        raise ParserError, "Unknown token '#{ch}' at position #{str.pos} (#{str.string})"
+      end
+    end
+
+    private
+
+    # @raise [ParseError]
+    # @return [Hash, Array]
+    def parse_enumerable # rubocop:disable AbcSize
+      size = parse_int
+      expect('{')
+      return [] if size.zero?
+      if str.peek(1) == 'i'
+        # Multiply the size by 2 since the array index isn't counted in the size.
+        # Odd number element will be the index value so drop it.
+        Array.new(size * 2) { parse }.select.with_index { |_, i| i.odd? }
+      else
+        Array.new(size) { [parse.to_sym, parse] }.to_h
+      end
+    end
+
+    # @return [String]
+    def parse_string
+      size = parse_int
+      str.getch # consume quote '"'
+      read(size).tap { str.getch }
+    end
+
+    # @raise [ParserError]
+    # @return [Integer]
+    def parse_int
+      str.scan(/:(\d+):?/)
+      raise ParserError, "Failed to parse integer at position #{str.pos}" unless str.matched?
+      str[1].to_i
+    end
+
+    # @raise [ParserError]
+    # @return [Float]
+    def parse_double
+      str.scan(/:(\d+(?:\.\d+)?)/)
+      raise ParserError, "Failed to parse double at position #{str.pos}" unless str.matched?
+      str[1].to_f
+    end
+
+    # @raise [ParserError]
+    # @return [Boolean]
+    def parse_bool
+      str.scan(/:([01])/)
+      raise ParserError, "Failed to parse boolean at position #{str.pos}" unless str.matched?
+      str[1] == '1'
+    end
+
+    # @param [Integer] size
+    # @return [String]
+    def read(size)
+      Array.new(size) { str.get_byte }.join
+    end
+
+    # @param [String] s
+    # @raise [ParserError] if the next character is not `s`
+    def expect(s)
+      char = str.getch
+      raise ParserError, "expected '#{s}' but got '#{char}' at position #{str.pos}" unless char == s
+    end
+  end
+
+  class ParserError < StandardError
+  end
+end

data/lib/firebug/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Firebug
+  VERSION = '0.0.7'
+end

data/lib/firebug.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require_relative 'firebug/version'
+require_relative 'firebug/crypto'
+require_relative 'firebug/serializer'
+require_relative 'firebug/unserializer'
+require_relative 'firebug/configuration'
+require_relative 'action_dispatch/session/code_igniter_store'
+
+module Firebug
+  class << self
+    attr_writer :configuration
+  end
+
+  # @return [Firebug::Configuration]
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  # @yieldparam [Firebug::Configuration] config
+  def self.configure
+    yield configuration
+  end
+
+  # Serialize a ruby object into a PHP serialized string.
+  #
+  # @param [Object] value
+  # @return [String]
+  def self.serialize(value)
+    Serializer.parse(value)
+  end
+
+  # Unserialize a PHP serialized string into a ruby object.
+  #
+  # @param [String] value
+  # @return [Object]
+  def self.unserialize(value)
+    Unserializer.parse(value)
+  end
+
+  # Encrypt data the way CodeIgniter does.
+  #
+  # @param [Object] data
+  # @param [String] key if `nil` use +Firebug::Configuration.key+
+  def self.encrypt(data, key=nil)
+    key = configuration.key if key.nil?
+    Crypto.new(key).encrypt(data)
+  end
+
+  # Decrypt data encrypted using CodeIgniters encryption.
+  #
+  # @param [Object] data
+  # @param [String] key if `nil` use +Firebug::Configuration.key+
+  def self.decrypt(data, key=nil)
+    key = configuration.key if key.nil?
+    Crypto.new(key).decrypt(data)
+  end
+
+  # Serializes, encrypts, and base64 encodes the data.
+  #
+  # @param [Object] data
+  # @return [String] a base64 encoded string
+  def self.encrypt_cookie(data)
+    Base64.strict_encode64(Firebug.encrypt(Firebug.serialize(data)))
+  end
+
+  # Decodes the base64 encoded string, decrypts, and unserializes.
+  #
+  # @param [String] data a base64 encoded encrypted string
+  # @return [Object] the unserialized data
+  def self.decrypt_cookie(data)
+    return {} if data.nil?
+    Firebug.unserialize(Firebug.decrypt(Base64.strict_decode64(data)))
+  end
+end