hanami-controller 2.0.0.alpha1 → 2.0.0.alpha2

data/lib/hanami/action/csrf_protection.rb

@@ -0,0 +1,214 @@
+require "hanami/utils/blank"
+require "rack/utils"
+require "securerandom"
+
+module Hanami
+  # @api private
+  class Action
+    # Invalid CSRF Token
+    #
+    # @since 0.4.0
+    class InvalidCSRFTokenError < ::StandardError
+    end
+
+    # CSRF Protection
+    #
+    # This security mechanism is enabled automatically if sessions are turned on.
+    #
+    # It stores a "challenge" token in session. For each "state changing request"
+    # (eg. <tt>POST</tt>, <tt>PATCH</tt> etc..), we should send a special param:
+    # <tt>_csrf_token</tt>.
+    #
+    # If the param matches with the challenge token, the flow can continue.
+    # Otherwise the application detects an attack attempt, it reset the session
+    # and <tt>Hanami::Action::InvalidCSRFTokenError</tt> is raised.
+    #
+    # We can specify a custom handling strategy, by overriding <tt>#handle_invalid_csrf_token</tt>.
+    #
+    # Form helper (<tt>#form_for</tt>) automatically sets a hidden field with the
+    # correct token. A special view method (<tt>#csrf_token</tt>) is available in
+    # case the form markup is manually crafted.
+    #
+    # We can disable this check on action basis, by overriding <tt>#verify_csrf_token?</tt>.
+    #
+    # @since 0.4.0
+    #
+    # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
+    # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+    #
+    # @example Custom Handling
+    #   module Web::Controllers::Books
+    #     class Create
+    #       include Web::Action
+    #
+    #       def call(params)
+    #         # ...
+    #       end
+    #
+    #       private
+    #
+    #       def handle_invalid_csrf_token
+    #         Web::Logger.warn "CSRF attack: expected #{ session[:_csrf_token] }, was #{ params[:_csrf_token] }"
+    #         # manual handling
+    #       end
+    #     end
+    #   end
+    #
+    # @example Bypass Security Check
+    #   module Web::Controllers::Books
+    #     class Create
+    #       include Web::Action
+    #
+    #       def call(params)
+    #         # ...
+    #       end
+    #
+    #       private
+    #
+    #       def verify_csrf_token?
+    #         false
+    #       end
+    #     end
+    #   end
+    module CSRFProtection
+      # Session and params key for CSRF token.
+      #
+      # This key is shared with <tt>hanami-controller</tt> and <tt>hanami-helpers</tt>
+      #
+      # @since 0.4.0
+      # @api private
+      CSRF_TOKEN = :_csrf_token
+
+      # Idempotent HTTP methods
+      #
+      # By default, the check isn't performed if the request method is included
+      # in this list.
+      #
+      # @since 0.4.0
+      # @api private
+      IDEMPOTENT_HTTP_METHODS = Hash[
+        "GET" => true,
+        "HEAD" => true,
+        "TRACE" => true,
+        "OPTIONS" => true
+      ].freeze
+
+      # @since 0.4.0
+      # @api private
+      def self.included(action)
+        action.class_eval do
+          before :set_csrf_token, :verify_csrf_token
+        end unless Hanami.respond_to?(:env?) && Hanami.env?(:test)
+      end
+
+      private
+
+      # Set CSRF Token in session
+      #
+      # @since 0.4.0
+      # @api private
+      def set_csrf_token(req, res)
+        res.session[CSRF_TOKEN] ||= generate_csrf_token
+      end
+
+      # Verify if CSRF token from params, matches the one stored in session.
+      # If not, it raises an error.
+      #
+      # Don't override this method.
+      #
+      # To bypass the security check, please override <tt>#verify_csrf_token?</tt>.
+      # For custom handling of an attack, please override <tt>#handle_invalid_csrf_token</tt>.
+      #
+      # @since 0.4.0
+      # @api private
+      def verify_csrf_token(req, res)
+        handle_invalid_csrf_token(req, res) if invalid_csrf_token?(req, res)
+      end
+
+      # Verify if CSRF token from params, matches the one stored in session.
+      #
+      # Don't override this method.
+      #
+      # @since 0.4.0
+      # @api private
+      def invalid_csrf_token?(req, res)
+        return false unless verify_csrf_token?(req, res)
+
+        missing_csrf_token?(req, res) ||
+          !::Rack::Utils.secure_compare(req.session[CSRF_TOKEN], req.params[CSRF_TOKEN])
+      end
+
+      # Verify the CSRF token was passed in params.
+      #
+      # @api private
+      def missing_csrf_token?(req, res)
+        Hanami::Utils::Blank.blank?(req.params[CSRF_TOKEN])
+      end
+
+      # Generates a random CSRF Token
+      #
+      # @since 0.4.0
+      # @api private
+      def generate_csrf_token
+        SecureRandom.hex(32)
+      end
+
+      # Decide if perform the check or not.
+      #
+      # Override and return <tt>false</tt> if you want to bypass security check.
+      #
+      # @since 0.4.0
+      #
+      # @example
+      #   module Web::Controllers::Books
+      #     class Create
+      #       include Web::Action
+      #
+      #       def call(params)
+      #         # ...
+      #       end
+      #
+      #       private
+      #
+      #       def verify_csrf_token?
+      #         false
+      #       end
+      #     end
+      #   end
+      def verify_csrf_token?(req, res)
+        !IDEMPOTENT_HTTP_METHODS[req.request_method]
+      end
+
+      # Handle CSRF attack.
+      #
+      # The default policy resets the session and raises an exception.
+      #
+      # Override this method, for custom handling.
+      #
+      # @raise [Hanami::Action::InvalidCSRFTokenError]
+      #
+      # @since 0.4.0
+      #
+      # @example
+      #   module Web::Controllers::Books
+      #     class Create
+      #       include Web::Action
+      #
+      #       def call(params)
+      #         # ...
+      #       end
+      #
+      #       private
+      #
+      #       def handle_invalid_csrf_token
+      #         # custom invalid CSRF management goes here
+      #       end
+      #     end
+      #   end
+      def handle_invalid_csrf_token(req, res)
+        res.session.clear
+        raise InvalidCSRFTokenError
+      end
+    end
+  end
+end

data/lib/hanami/action/flash.rb

@@ -1,269 +1,164 @@
-require 'hanami/utils/json'
+# frozen_string_literal: true
 
 module Hanami
   class Action
-    # Container useful to transport data with the HTTP session
-    # It has a life span of one HTTP request or redirect.
+    # A container to transport data with the HTTP session, with a lifespan of
+    # just one HTTP request or redirect.
+    #
+    # Behaves like a hash, returning entries for the current request, except for
+    # {#[]=}, which updates the hash for the next request.
+    #
+    # This implementation is derived from Roda's FlashHash, also released under
+    # the MIT Licence:
+    #
+    # Copyright (c) 2014-2020 Jeremy Evans
+    # Copyright (c) 2010-2014 Michel Martens, Damian Janowski and Cyril David
+    # Copyright (c) 2008-2009 Christian Neukirchen
     #
     # @since 0.3.0
-    # @api private
+    # @api public
     class Flash
-      # Session key where the data is stored
-      #
-      # @since 0.3.0
-      # @api private
-      SESSION_KEY = :__flash
-
-      # Session key where keep data is store for redirect
-      #
-      # @since 1.3.0
-      # @api private
-      KEPT_KEY = :__kept_key
-
-      # Initialize a new Flash instance
-      #
-      # @param session [Rack::Session::Abstract::SessionHash] the session
+      # @return [Hash] The flash hash for the next request, written to by {#[]=}.
       #
-      # @return [Hanami::Action::Flash] the flash
+      # @see #[]=
       #
-      # @see http://www.rubydoc.info/gems/rack/Rack/Session/Abstract/SessionHash
-      # @see Hanami::Action::Rack#session_id
-      def initialize(session)
-        @session         = session
-        @keep            = false
-
-        session[KEPT_KEY] ||= []
-        session[SESSION_KEY] = {}
-      end
-
-      # Set the given value for the given key
-      #
-      # @param key [#to_s] the key
-      # @param value [Object] the value
-      #
-      # @since 0.3.0
-      # @api private
-      def []=(key, value)
-        _data[key] = value
-      end
+      # @since 2.0.0
+      # @api public
+      attr_reader :next
 
-      # Get the value associated to the given key, if any
+      # Initializes a new flash instance
       #
-      # @return [Object,NilClass] the value
+      # @param hash [Hash, nil] the flash hash for the current request. nil will become an empty hash.
       #
       # @since 0.3.0
-      # @api private
-      def [](key)
-        _data.fetch(key) { search_in_kept_data(key) }
+      # @api public
+      def initialize(hash = {})
+        @flash = hash || {}
+        @next = {}
       end
 
-      # Iterates through current request data and kept data
-      #
-      # @param blk [Proc]
+      # @return [Hash] The flash hash for the current request
       #
-      # @since 1.2.0
-      def each(&blk)
-        _values.each(&blk)
+      # @since 2.0.0
+      # @api public
+      def now
+        @flash
       end
 
-      # Iterates through current request data and kept data
+      # Returns the value for the given key in the current hash
       #
-      # @param blk [Proc]
-      # @return [Array]
-      #
-      # @since 1.2.0
-      def map(&blk)
-        _values.map(&blk)
-      end
-
-      # Removes entirely the flash from the session if it has stale contents
-      # or if empty.
+      # @param key [Object] the key
       #
-      # @return [void]
+      # @return [Object, nil] the value
       #
       # @since 0.3.0
-      # @api private
-      def clear
-        # FIXME we're just before a release and I can't find a proper way to reproduce
-        # this bug that I've found via a browser.
-        #
-        # It may happen that `#flash` is nil, and those two methods will fail
-        unless _data.nil?
-          update_kept_request_count
-          keep_data if @keep
-          expire_kept
-          remove
-        end
+      # @api public
+      def [](key)
+        @flash[key]
       end
 
-      # Check if there are contents stored in the flash from the current or the
-      # previous request.
+      # Updates the next hash with the given key and value
       #
-      # @return [TrueClass,FalseClass] the result of the check
+      # @param key [Object] the key
+      # @param value [Object] the value
       #
       # @since 0.3.0
-      # @api private
-      def empty?
-        _values.empty?
-      end
-
-      # @return [String]
-      #
-      # @since 1.0.0
-      def inspect
-        "#<#{self.class}:#{'0x%x' % (__id__ << 1)} {:data=>#{_data.inspect}, :kept=>#{kept_data.inspect}} >"
-      end
-
-      # Set @keep to true, is use when triggering a redirect, and the content of _data is not empty.
-      # @return [TrueClass, NilClass]
-      #
-      # @since 1.3.0
-      # @api private
-      #
-      # @see Hanami::Action::Flash#empty?
-      def keep!
-        return if empty?
-        @keep = true
+      # @api public
+      def []=(key, value)
+        @next[key] = value
       end
 
-      private
-
-      # The flash registry that holds the data for the current requests
+      # Calls the given block once for each element in the current hash
       #
-      # @return [Hash] the flash
+      # @param block [Proc]
       #
-      # @since 0.3.0
-      # @api private
-      def _data
-        @session[SESSION_KEY] || {}
+      # @since 1.2.0
+      # @api public
+      def each(&block)
+        @flash.each(&block)
       end
 
-      # Remove the flash entirely from the session if empty.
+      # Returns a new array with the results of running block once for every
+      # element in the current hash
       #
-      # @return [void]
-      #
-      # @since 0.3.0
-      # @api private
+      # @param block [Proc]
+      # @return [Array]
       #
-      # @see Hanami::Action::Flash#empty?
-      def remove
-        if empty?
-          @session.delete(SESSION_KEY)
-          @session.delete(KEPT_KEY)
-        end
+      # @since 1.2.0
+      # @api public
+      def map(&block)
+        @flash.map(&block)
       end
 
-      # Returns the values from current session and kept.
+      # Returns `true` if the current hash contains no elements.
       #
-      # @return [Hash]
+      # @return [Boolean]
       #
       # @since 0.3.0
-      # @api private
-      def _values
-        _data.merge(kept_data)
+      # @api public
+      def empty?
+        @flash.empty?
       end
 
-      # Get the kept request data
+      # Returns `true` if the given key is present in the current hash.
       #
-      # @return [Array]
+      # @return [Boolean]
       #
-      # @since 1.3.0
-      # @api private
-      def kept
-        @session[KEPT_KEY] || []
+      # @since 2.0.0
+      # @api public
+      def key?(key)
+        @flash.key?(key)
       end
 
-      # Merge current data into KEPT_KEY hash
+      # Removes entries from the next hash
       #
-      # @return [Hash] the current value of KEPT_KEY
+      # @overload discard(key)
+      #   Removes the given key from the next hash
       #
-      # @since 1.3.0
-      # @api private
-      def keep_data
-        new_kept_data = kept << Hanami::Utils::Json.generate({ count: 0, data: _data })
-
-        update_kept(new_kept_data)
-      end
-
-      # Removes from kept data those who have lived for more than two requests
+      #   @param key [Object] key to discard
       #
-      # @return [Hash] the current value of KEPT_KEY
+      # @overload discard
+      #   Clears the next hash
       #
-      # @since 1.3.0
-      # @api private
-      def expire_kept
-        new_kept_data = kept.reject do |kept_data|
-          parsed = Hanami::Utils::Json.parse(kept_data)
-          parsed['count'] >= 2 if is_hash?(parsed) && parsed['count'].is_a?(Integer)
+      # @since 2.0.0
+      # @api public
+      def discard(key = (no_arg = true))
+        if no_arg
+          @next.clear
+        else
+          @next.delete(key)
         end
-
-        update_kept(new_kept_data)
       end
 
-      # Update the count of request for each kept data
+      # Copies entries from the current hash to the next hash
       #
-      # @return [Hash] the current value of KEPT_KEY
+      # @overload keep(key)
+      #   Copies the entry for the given key from the current hash to the next
+      #   hash
       #
-      # @since 1.3.0
-      # @api private
-      def update_kept_request_count
-        new_kept_data = kept.map do |kept_data|
-          parsed = Hanami::Utils::Json.parse(kept_data)
-          parsed['count'] += 1 if is_hash?(parsed) && parsed['count'].is_a?(Integer)
-          Hanami::Utils::Json.generate(parsed)
-        end
-
-        update_kept(new_kept_data)
-      end
-
-      # Search in the kept data for a match on the key
+      #   @param key [Object] key to copy
       #
-      # @param key [#to_s] the key
-      # @return [Object, NilClass]
+      # @overload keep
+      #   Copies all entries from the current hash to the next hash
       #
-      # @since 1.3.0
-      # @api private
-      def search_in_kept_data(key)
-        string_key = key.to_s
-
-        data = kept.find do |kept_data|
-          parsed = Hanami::Utils::Json.parse(kept_data)
-          parsed['data'].fetch(string_key, nil) if is_hash?(parsed['data'])
+      # @since 2.0.0
+      # @api public
+      def keep(key = (no_arg = true))
+        if no_arg
+          @next.merge!(@flash)
+        else
+          self[key] = self[key]
         end
-
-        Hanami::Utils::Json.parse(data)['data'][string_key] if data
-      end
-
-      # Set the given new_kept_data to KEPT_KEY
-      #
-      # @param new_kept_data
-      # @return [Hash] the current value of KEPT_KEY
-      #
-      # @since 1.3.0
-      # @api private
-      def update_kept(new_kept_data)
-        @session[KEPT_KEY] = new_kept_data
-      end
-
-      # Values from kept
-      #
-      # @return [Hash]
-      #
-      # @since 1.3.0
-      # @api private
-      def kept_data
-        kept.each_with_object({}) { |kept_data, result| result.merge!(Hanami::Utils::Json.parse(kept_data)['data']) }
       end
 
-      # Check if data is a hash
-      #
-      # @param data
-      # @return [TrueClass, FalseClass]
+      # Replaces the current hash with the next hash and clears the next hash
       #
-      # @since 1.3.0
-      # @api private
-      def is_hash?(data)
-        data && data.is_a?(::Hash)
+      # @since 2.0.0
+      # @api public
+      def sweep
+        @flash = @next.dup
+        @next.clear
+        self
       end
     end
   end