frikandel 1.0.0 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5d21550e8f406f5cfadd7246e3a5b511e6719b2d
-  data.tar.gz: c205899f482cc2e2e6fc64f69070c7b5f4cdda59
+SHA256:
+  metadata.gz: 1d7333c87689c365122f6199098938f9af94a4956de807b0f7d4d00109598885
+  data.tar.gz: bbc4c5a50c8d122d99747475d29b6c910503793ef81f6357aade4bde6bf44b71
 SHA512:
-  metadata.gz: 40977fc969914d45e38951d1bcd37577bb8376f8e8c9e13dbf56d2076194973409de535136ee6af30e3c31b5ab34f52b1350e630cc6723c179b0c131f8288b0b
-  data.tar.gz: 62eb2c7883e57b57c297db621bc5eccf42ab4f653a93ff7e7867fa7bc57d386c7765fd11914cdb5f954085c1aea8842d1a27dc33346598b30ebdd7b79334630c
+  metadata.gz: 1fa2905e7460cc9dc79e28bc79dbc2aa05bce516b432b8bd4e6cff9e2d469e5f23c073955ce53aaa47c28c25eb5d6d3bfd014d2efc164dd5159417fbbbd5cc12
+  data.tar.gz: b6a744f3c6deecb734addc0e292f0d42c7b7274d8d9d708aeddfa40091a5ab4de173caeccbd678cd02a08b7c84f2448809c38eb7229b3e7968c7023d15dc34d4

data/.gitignore

@@ -4,7 +4,7 @@
 .config
 .ruby-*
 .yardoc
-Gemfile.lock
+Gemfile*.lock
 InstalledFiles
 _yardoc
 coverage

data/.travis.yml

@@ -1,7 +1,45 @@
 language: ruby
 rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
+  - "1.9.3"
+  - "2.0.0"
+  - "2.1.9"
+  - "2.2.5"
+  - "2.3.1"
+  - ruby-head
   - jruby-19mode
-
+gemfile:
+  - Gemfile.rails-3.2.x
+  - Gemfile.rails-4.0.x
+  - Gemfile.rails-4.1.x
+  - Gemfile.rails-4.2.x
+  - Gemfile.rails-5.0.x
+  - Gemfile.rails-5.1.x
+  - Gemfile.rails-head
+before_install:
+  - gem update --system
+  - gem install bundler --pre
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+    - gemfile: Gemfile.rails-head
+  exclude:
+    - rvm: "2.2.5"
+      gemfile: Gemfile.rails-3.2.x
+    - rvm: "2.2.5"
+      gemfile: Gemfile.rails-4.0.x
+    - rvm: "1.9.3"
+      gemfile: Gemfile.rails-5.0.x
+    - rvm: "2.0.0"
+      gemfile: Gemfile.rails-5.0.x
+    - rvm: "2.1.9"
+      gemfile: Gemfile.rails-5.0.x
+    - rvm: "jruby-19mode"
+      gemfile: Gemfile.rails-5.0.x
+    - rvm: "1.9.3"
+      gemfile: Gemfile.rails-5.1.x
+    - rvm: "2.0.0"
+      gemfile: Gemfile.rails-5.1.x
+    - rvm: "2.1.9"
+      gemfile: Gemfile.rails-5.1.x
+    - rvm: "jruby-19mode"
+      gemfile: Gemfile.rails-5.1.x

data/Gemfile.rails-3.2.x

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 3.2.0'
+gem 'mime-types', '< 3.0'
+gem 'listen', '< 3.1'
+gem 'sqlite3', '~> 1.3.6'

data/Gemfile.rails-4.0.x

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 4.0.0'
+gem 'mime-types', '< 3.0'
+gem 'listen', '< 3.1'
+gem 'sqlite3', '~> 1.3.6'

data/Gemfile.rails-4.1.x

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 4.1.0'
+gem 'mime-types', '< 3.0'
+gem 'listen', '< 3.1'
+gem 'sqlite3', '~> 1.3.6'

data/Gemfile.rails-4.2.x

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 4.2.0'
+gem 'mime-types', '< 3.0'
+gem 'listen', '< 3.1'
+gem 'sqlite3', '~> 1.3.6'
+gem 'sprockets', '~> 3.7.2'

data/Gemfile.rails-5.0.x

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 5.0.0'
+gem 'sqlite3', '~> 1.3.6'
+gem 'sprockets', '~> 3.7.2'

data/Gemfile.rails-5.1.x

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 5.1.0'
+gem 'sqlite3', '~> 1.3.6'
+gem 'sprockets', '~> 3.7.2'

data/Gemfile.rails-5.2.x

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', '~> 5.2.0'
+gem 'sqlite3', '~> 1.3.6'
+gem 'sprockets', '~> 3.7.2'

data/Gemfile.rails-head

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec
+
+gem 'rails', 'github' => 'rails/rails'

data/Guardfile

@@ -3,8 +3,7 @@
 
 guard :rspec do
   watch(%r{^spec/.+_spec\.rb$})
-  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { "spec" }
-
+  watch(%r{^lib/(.+)\.rb$})          { |m| ["spec/lib/#{m[1]}_spec.rb", "spec/controllers"] }
+  watch(%r{^spec/support/(.+)\.rb$}) { "spec" }
+  watch('spec/spec_helper.rb')       { "spec" }
 end
-

data/README.md

@@ -1,7 +1,20 @@
 # Frikandel
+[![Gem Version](https://badge.fury.io/rb/frikandel.png)](http://badge.fury.io/rb/frikandel)
+[![Build Status](https://api.travis-ci.org/taktsoft/frikandel.png)](https://travis-ci.org/taktsoft/frikandel)
+[![Code Climate](https://codeclimate.com/github/taktsoft/frikandel.png)](https://codeclimate.com/github/taktsoft/frikandel)
+[![Dependency Status](https://gemnasium.com/taktsoft/frikandel.svg)](https://gemnasium.com/taktsoft/frikandel)
 
-This Gem adds a TTL (Time To Live) Date to every cookie that your application sets. When the cookie has expired, the users session gets reset. This should help protect from Session-Fixation-Attacks.
+This gem aims to improve the security of your rails application. It allows you to add a TTL (Time To Live) to the session cookie and allows you to bind the session to an IP address.
 
+When the TTL expires or the IP address changes, the users session gets reset. This should help to make [session-fixation-attacks](http://guides.rubyonrails.org/security.html#session-fixation) harder to execute.
+
+
+## Security considerations
+
+Consider the following attack vector: The web application under attack is a rails application. The application writes the user id in the session after a successful login. The attacker has obtained a valid session cookie from an authenticated user.
+By default the cookie is valid indefinitely. If the application tries to "reset the session" it simply issues a new session cookie to the attackers browser. If the attacker just ignores the new session cookie and continues to use the old session cookie the application has no way of knowing that.
+
+By adding a TTL the attack window gets smaller. An stolen has to be used within a given time slot. A reauthentication is enforced after a given time has passed. By adding IP address binding the attacker has to use the same ip address as the victim the session was stolen from.
 
 ## Requirements
 
@@ -28,11 +41,15 @@ Or install it yourself as:
 
 ## Usage
 
-To activate frikandel's Session-Fixation-Protection for your application, you only need to include a module in your `ApplicationController`:
+You can use session TTL or the combination of TTL and IP address binding. Please be advised that the sole use of IP address binding doesn't protect from session-fixation-attacks.
+
+
+To activate Frikandel's session-fixation-protection for your application, you only need to include the proper module(s) in your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
   include Frikandel::LimitSessionLifetime
+  include Frikandel::BindSessionToIpAddress
 
   # ...
 end
@@ -47,33 +64,50 @@ Frikandel::Configuration.max_ttl = 2.days
 Frikandel::Configuration.ttl = 4.hours
 ```
 
-The value at `Frikandel::Configuration.max_ttl` is the absolute value in seconds that a cookie is valid. In this example, all cookies will be invalidated after two days in all cases. This timestamp doesn't get refreshed.
+The value at `Frikandel::Configuration.max_ttl` is the absolute value (in seconds) that a cookie is valid. In this example, all cookies will be invalidated after two days in all cases. This timestamp doesn't get refreshed. In a typical application that means the user has to re-login after this time. That's also the maximum time frame a stolen session can be used.
 
 The second value `Frikandel::Configuration.ttl` states how long (in seconds) a session/cookie is valid, when the cookie timestamp gets not refreshed. The timestamp gets refrehed everytime a user visits the site.
 
 The default values are `24.hours` for `max_ttl` and `2.hours` for `ttl`. If you are okay with this settings, you don't need to create an initializer for frikandel.
 
 
-### Customize on_expired_session behavior
+### Customize on_invalid_session behavior
 
-You can also overwrite what should happen when a cookie times out on the controller-level. The default behaviour is to do a `reset_session` and `redirect_to root_path`. For example, if you want to overwrite the default behavior when a user is on the `PublicController`, you want to overwrite the `on_expired_session`-method in your controller:
+You can also overwrite what should happen when a cookie times out on the controller-level. The default behaviour is to do a `reset_session` and `redirect_to root_path`. For example, if you want to overwrite the default behavior when a user is on the `PublicController`, you want to overwrite the `on_invalid_session`-method in your controller:
 
 ```ruby
 class PublicController < ApplicationController
-  def on_expired_session
+  def on_invalid_session
     raise "Your Session Has Expired! Oh No!"
   end
 end
 ```
 
-If you want to revert the original behavior in a sub-class of your `PublicController`, you simply re-alias the method to `original_on_expired_session` like this:
+If you want to revert the original behavior in a sub-class of your `PublicController`, you simply re-alias the method to `original_on_invalid_session` like this:
 
 ```ruby
 class AdminController < PublicController
-  alias on_expired_session original_on_expired_session
+  alias on_invalid_session original_on_invalid_session
 end
 ```
 
+## Changes
+
+2.1.0 -- Reset session only once if using the combination of TTL and IP address binding.
+2.0.0 -- Added IP address binding. Renamed callback from 'on_expired_session' to 'on_invalid_session'.
+
+## Test
+
+To run the test suite with different rails version by selecting the corresponding gemfile. You can use this one liners:
+
+    $ export BUNDLE_GEMFILE=Gemfile.rails-3.2.x && bundle update && bundle exec rake spec
+    $ export BUNDLE_GEMFILE=Gemfile.rails-4.0.x && bundle update && bundle exec rake spec
+    $ export BUNDLE_GEMFILE=Gemfile.rails-4.1.x && bundle update && bundle exec rake spec
+    $ export BUNDLE_GEMFILE=Gemfile.rails-4.2.x && bundle update && bundle exec rake spec
+    $ export BUNDLE_GEMFILE=Gemfile.rails-5.0.x && bundle update && bundle exec rake spec
+    $ export BUNDLE_GEMFILE=Gemfile.rails-5.1.x && bundle update && bundle exec rake spec
+    $ export BUNDLE_GEMFILE=Gemfile.rails-5.2.x && bundle update && bundle exec rake spec
+
 ## Contributing
 1. Fork it
 2. Create your feature branch (git checkout -b my-new-feature)

data/frikandel.gemspec

@@ -18,14 +18,18 @@ Gem::Specification.new do |spec|
   spec.test_files    = Dir["spec/**/*"]
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version     = '>= 1.9.3'
+  spec.required_rubygems_version = ">= 1.3.6"
+
   spec.add_development_dependency "bundler", "~> 1.5"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "sqlite3" unless RUBY_PLATFORM == 'java'
   spec.add_development_dependency "jdbc-sqlite3" if RUBY_PLATFORM == 'java'
   spec.add_development_dependency "activerecord-jdbcsqlite3-adapter" if RUBY_PLATFORM == 'java'
-  spec.add_development_dependency "rspec-rails"
+  spec.add_development_dependency "rspec-rails", ["> 3.0", "< 3.6"]
   spec.add_development_dependency "guard-rspec"
   spec.add_development_dependency "pry"
+  spec.add_development_dependency "test-unit"
 
-  spec.add_dependency "rails", ['>= 3.2.0', '< 5.0']
+  spec.add_dependency "rails", [">= 3.2.0", "< 6.0"]
 end

data/lib/frikandel.rb

@@ -1,32 +1,5 @@
 require "frikandel/version"
 require "frikandel/configuration"
-
-module Frikandel
-  module LimitSessionLifetime
-    extend ActiveSupport::Concern
-
-    included do
-      append_before_filter :validate_session_timestamp
-      append_after_filter :persist_session_timestamp
-    end
-
-  private
-
-    def validate_session_timestamp
-      if session.key?(:ttl) && session.key?(:max_ttl) && (session[:ttl] < Frikandel::Configuration.ttl.ago || session[:max_ttl] < Time.now)
-        on_expired_session
-      end
-    end
-
-    def persist_session_timestamp
-      session[:ttl] = Time.now
-      session[:max_ttl] ||= Frikandel::Configuration.max_ttl.from_now
-    end
-
-    def on_expired_session
-      reset_session
-      redirect_to root_path
-    end
-    alias original_on_expired_session on_expired_session
-  end
-end
+require 'frikandel/session_invalidation'
+require 'frikandel/limit_session_lifetime'
+require 'frikandel/bind_session_to_ip_address'

data/lib/frikandel/bind_session_to_ip_address.rb

@@ -0,0 +1,43 @@
+module Frikandel
+  module BindSessionToIpAddress
+    extend ActiveSupport::Concern
+    include SessionInvalidation
+
+    included do
+      if respond_to?(:before_action)
+        append_before_action :validate_session_ip_address
+      else
+        append_before_filter :validate_session_ip_address
+      end
+    end
+
+  private
+
+    def validate_session_ip_address
+      if session.key?(:ip_address) && !ip_address_match_with_current?
+        on_invalid_session
+      elsif !session.key?(:ip_address)
+        reset_session
+      else # session ip address is valid
+        persist_session_ip_address
+      end
+    end
+
+    def persist_session_ip_address
+      session[:ip_address] = current_ip_address
+    end
+
+    def current_ip_address
+      request.remote_ip
+    end
+
+    def ip_address_match_with_current?
+      session[:ip_address] == current_ip_address
+    end
+
+    def reset_session
+      super
+      persist_session_ip_address
+    end
+  end
+end

data/lib/frikandel/configuration.rb

@@ -1,7 +1,9 @@
+require 'singleton'
+
 module Frikandel
   class Configuration
-    include Singleton
-    extend SingleForwardable
+    include ::Singleton
+    extend ::SingleForwardable
 
     attr_accessor :ttl, :max_ttl
 

data/lib/frikandel/limit_session_lifetime.rb

@@ -0,0 +1,44 @@
+module Frikandel
+  module LimitSessionLifetime
+    extend ActiveSupport::Concern
+    include SessionInvalidation
+
+    included do
+      if respond_to?(:before_action)
+        append_before_action :validate_session_timestamp
+      else
+        append_before_filter :validate_session_timestamp
+      end
+    end
+
+  private
+
+    def validate_session_timestamp
+      if session.key?(:ttl) && session.key?(:max_ttl) && (reached_ttl? || reached_max_ttl?)
+        on_invalid_session
+      elsif !session.key?(:ttl) || !session.key?(:max_ttl)
+        reset_session
+      else # session timestamp is valid
+        persist_session_timestamp
+      end
+    end
+
+    def reached_ttl?
+      session[:ttl] < Frikandel::Configuration.ttl.ago
+    end
+
+    def reached_max_ttl?
+      session[:max_ttl] < Time.now
+    end
+
+    def persist_session_timestamp
+      session[:ttl] = Time.now
+      session[:max_ttl] ||= Frikandel::Configuration.max_ttl.since
+    end
+
+    def reset_session
+      super
+      persist_session_timestamp
+    end
+  end
+end

data/lib/frikandel/session_invalidation.rb

@@ -0,0 +1,12 @@
+module Frikandel
+  module SessionInvalidation
+
+    private
+
+    def on_invalid_session
+      reset_session
+      redirect_to root_path
+    end
+    alias original_on_invalid_session on_invalid_session
+  end
+end

data/lib/frikandel/version.rb

@@ -1,3 +1,3 @@
 module Frikandel
-  VERSION = "1.0.0"
+  VERSION = "2.2.2"
 end

data/spec/controllers/bind_session_to_ip_address_controller_spec.rb

@@ -0,0 +1,162 @@
+require "rails_helper"
+require "support/application_controller"
+
+
+class BindSessionToIpAddressController < ApplicationController
+  include Frikandel::BindSessionToIpAddress
+
+  if respond_to?(:before_action)
+    before_action :flash_alert_and_redirect_home, only: [:redirect_home]
+  else
+    before_filter :flash_alert_and_redirect_home, only: [:redirect_home]
+  end
+
+  def home
+    if Rails::VERSION::MAJOR >= 5
+      render plain: "bind test"
+    else
+      render text: "bind test"
+    end
+  end
+
+  def redirect_home
+  end
+
+protected
+
+  def flash_alert_and_redirect_home
+    flash[:alert] = "alert test"
+    redirect_to bind_session_to_ip_address_home_url
+  end
+end
+
+
+RSpec.describe BindSessionToIpAddressController do
+  context "requests" do
+    it "writes current ip address to session" do
+      expect(session[:ip_address]).to be_nil
+
+      get :home
+
+      expect(session[:ip_address]).to eql("0.0.0.0")
+    end
+
+    it "writes current ip address to session even on redirect in another before filter" do
+      expect(session[:ip_address]).to be_nil
+
+      simulate_redirect!(:redirect_home, :home)
+
+      expect(session[:ip_address]).to eql("0.0.0.0")
+
+      expect(flash).not_to be_empty
+      expect(flash[:alert]).to eql("alert test")
+    end
+
+    it "raises an exception if session address and current ip address don't match" do
+      session[:ip_address] = "1.2.3.4"
+      expect(controller).to receive(:on_invalid_session)
+
+      get :home
+    end
+
+
+    context "ip address isn't present in session" do
+      it "resets the session and persists the ip address" do
+        session[:user_id] = 4337
+        session.delete(:ip_address)
+        session[:ttl] = "SomeTTL"
+        session[:max_ttl] = "SomeMaxTTL"
+
+        expect(controller).to receive(:reset_session).and_call_original
+        expect(controller).to receive(:persist_session_ip_address).and_call_original
+        get :home
+
+        expect(session[:user_id]).to be_blank
+        expect(session[:ip_address]).to be_present
+        expect(session[:ip_address]).to eql("0.0.0.0")
+        expect(session[:ttl]).to be_blank
+        expect(session[:max_ttl]).to be_blank
+      end
+
+      it "allows the request to be rendered as normal" do
+        get :home
+
+        expect(response.body).to eql("bind test")
+      end
+    end
+  end
+
+
+  context ".validate_session_ip_address" do
+    it "calls on_invalid_session if ip address doesn't match with current" do
+      session[:ip_address] = "1.3.3.7"
+
+      expect(controller).to receive(:ip_address_match_with_current?).and_return(false)
+      expect(controller).to receive(:on_invalid_session)
+
+      controller.send(:validate_session_ip_address)
+    end
+
+    it "calls reset_session if ip address isn't persisted in session" do
+      session.delete(:ip_address)
+
+      expect(controller).not_to receive(:ip_address_match_with_current?)
+      expect(controller).to receive(:reset_session)
+
+      controller.send(:validate_session_ip_address)
+    end
+
+    it "calls persist_session_ip_address if validation passes" do
+      session[:ip_address] = "1.3.3.7"
+
+      expect(controller).to receive(:ip_address_match_with_current?).and_return(true)
+      expect(controller).to receive(:persist_session_ip_address)
+
+      controller.send(:validate_session_ip_address)
+    end
+  end
+
+
+  context ".persist_session_ip_address" do
+    it "sets the current ip address in session on key ip_address" do
+      expect {
+        expect(controller).to receive(:current_ip_address).and_return("1.3.3.7")
+        controller.send(:persist_session_ip_address)
+      }.to change {
+        session[:ip_address]
+      }.from(nil).to("1.3.3.7")
+    end
+  end
+
+
+  context ".current_ip_address" do
+    it "returns the remote_ip from request" do
+      expect(request).to receive(:remote_ip).and_return(:request_remote_ip)
+
+      expect(controller.send(:current_ip_address)).to eql(:request_remote_ip)
+    end
+  end
+
+
+  context ".ip_address_match_with_current?" do
+    it "compares ip address from session with the current ip address" do
+      allow(controller).to receive(:current_ip_address).and_return("1.3.3.7")
+
+      session[:ip_address] = "1.3.3.7"
+
+      expect(controller.send(:ip_address_match_with_current?)).to be_truthy
+
+      session[:ip_address] = "7.3.3.1"
+
+      expect(controller.send(:ip_address_match_with_current?)).to be_falsey
+    end
+  end
+
+
+  context ".reset_session" do
+    it "calls persist_session_ip_address" do
+      expect(controller).to receive(:persist_session_ip_address).and_call_original
+      controller.send(:reset_session)
+    end
+  end
+end