homura-runtime 0.3.3 → 0.3.4

data/vendor/rack/protection/escaped_params.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+require 'rack/utils'
+# require 'tempfile'
+
+# begin
+#   require 'escape_utils'
+# rescue LoadError
+# end
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
+    #
+    # Automatically escapes Rack::Request#params so they can be embedded in HTML
+    # or JavaScript without any further issues.
+    #
+    # Options:
+    # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
+    #          Available: :html (default), :javascript, :url
+    class EscapedParams < Base
+      extend Rack::Utils
+
+      class << self
+        alias escape_url escape
+        public :escape_html
+      end
+
+      default_options escape: :html,
+                      escaper: defined?(EscapeUtils) ? EscapeUtils : self
+
+      def initialize(*)
+        super
+
+        modes       = Array options[:escape]
+        @escaper    = options[:escaper]
+        @html       = modes.include? :html
+        @javascript = modes.include? :javascript
+        @url        = modes.include? :url
+
+        return unless @javascript && (!@escaper.respond_to? :escape_javascript)
+
+        raise('Use EscapeUtils for JavaScript escaping.')
+      end
+
+      def call(env)
+        request  = Request.new(env)
+        get_was  = handle(request.GET)
+        post_was = begin
+          handle(request.POST)
+        rescue StandardError
+          nil
+        end
+        app.call env
+      ensure
+        request.GET.replace  get_was  if get_was
+        request.POST.replace post_was if post_was
+      end
+
+      def handle(hash)
+        was = hash.dup
+        hash.replace escape(hash)
+        was
+      end
+
+      def escape(object)
+        case object
+        when Hash   then escape_hash(object)
+        when Array  then object.map { |o| escape(o) }
+        when String then escape_string(object)
+        when Tempfile then object
+        end
+      end
+
+      def escape_hash(hash)
+        hash = hash.dup
+        hash.each { |k, v| hash[k] = escape(v) }
+        hash
+      end
+
+      def escape_string(str)
+        str = @escaper.escape_url(str)        if @url
+        str = @escaper.escape_html(str)       if @html
+        str = @escaper.escape_javascript(str) if @javascript
+        str
+      end
+    end
+  end
+end

data/vendor/rack/protection/form_token.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts submitted forms if a given access token matches the token
+    # included in the session. Does not expect such a token from Ajax request.
+    #
+    # This middleware is not used when using the Rack::Protection collection,
+    # since it might be a security issue, depending on your application
+    #
+    # Compatible with rack-csrf.
+    class FormToken < AuthenticityToken
+      def accepts?(env)
+        env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' or super
+      end
+    end
+  end
+end

data/vendor/rack/protection/frame_options.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Clickjacking
+    # Supported browsers:: Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
+    #                      Safari 4.0, Chrome 4.1.249.1042 and later
+    # More infos::         https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+    #
+    # Sets X-Frame-Options header to tell the browser avoid embedding the page
+    # in a frame.
+    #
+    # Options:
+    #
+    # frame_options:: Defines who should be allowed to embed the page in a
+    #                 frame. Use :deny to forbid any embedding, :sameorigin
+    #                 to allow embedding from the same origin (default).
+    class FrameOptions < Base
+      default_options frame_options: :sameorigin
+
+      def frame_options
+        @frame_options ||= begin
+          frame_options = options[:frame_options]
+          frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+          frame_options.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body        = @app.call(env)
+        headers['x-frame-options'] ||= frame_options if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/vendor/rack/protection/http_origin.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: Google Chrome 2, Safari 4 and later
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #                      http://tools.ietf.org/html/draft-abarth-origin
+    #
+    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
+    # does not match default or permitted URIs.
+    #
+    # If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
+    #
+    #     use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
+    class HttpOrigin < Base
+      DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
+      default_reaction :deny
+      default_options allow_if: nil
+
+      def base_url(env)
+        request = Rack::Request.new(env)
+        port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
+        "#{request.scheme}://#{request.host}#{port}"
+      end
+
+      def accepts?(env)
+        return true if safe? env
+        return true unless (origin = env['HTTP_ORIGIN'])
+        return true if base_url(env) == origin
+        return true if options[:allow_if]&.call(env)
+
+        permitted_origins = options[:permitted_origins]
+        Array(permitted_origins).include? origin
+      end
+    end
+  end
+end

data/vendor/rack/protection/ip_spoofing.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   IP spoofing
+    # Supported browsers:: all
+    # More infos::         http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/
+    #
+    # Detect (some) IP spoofing attacks.
+    class IPSpoofing < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        return true unless env.include? 'HTTP_X_FORWARDED_FOR'
+
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
+        return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
+        return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
+
+        true
+      end
+    end
+  end
+end

data/vendor/rack/protection/json_csrf.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://flask.pocoo.org/docs/0.10/security/#json-security
+    #                      http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
+    #
+    # JSON GET APIs are vulnerable to being embedded as JavaScript when the
+    # Array prototype has been patched to track data. Checks the referrer
+    # even on GET requests if the content type is JSON.
+    #
+    # If request includes Origin HTTP header, defers to HttpOrigin to determine
+    # if the request is safe. Please refer to the documentation for more info.
+    #
+    # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
+    class JsonCsrf < Base
+      default_options allow_if: nil
+
+      alias react deny
+
+      def call(env)
+        request               = Request.new(env)
+        status, headers, body = app.call(env)
+
+        if has_vector?(request, headers)
+          warn env, "attack prevented by #{self.class}"
+
+          react_and_close(env, body) or [status, headers, body]
+        else
+          [status, headers, body]
+        end
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false if options[:allow_if]&.call(request.env)
+        return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
+
+        origin(request.env).nil? and referrer(request.env) != request.host
+      end
+
+      def react_and_close(env, body)
+        reaction = react(env)
+
+        close_body(body) if reaction
+
+        reaction
+      end
+
+      def close_body(body)
+        body.close if body.respond_to?(:close)
+      end
+    end
+  end
+end

data/vendor/rack/protection/path_traversal.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Directory traversal
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
+    #
+    # Unescapes '/' and '.', expands +path_info+.
+    # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
+    class PathTraversal < Base
+      def call(env)
+        path_was         = env['PATH_INFO']
+        env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty?
+        app.call env
+      ensure
+        env['PATH_INFO'] = path_was
+      end
+
+      def cleanup(path)
+        encoding = path.encoding
+        dot   = '.'.encode(encoding)
+        slash = '/'.encode(encoding)
+        backslash = '\\'.encode(encoding)
+
+        parts     = []
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)
+
+        unescaped.split(slash).each do |part|
+          next if part.empty? || (part == dot)
+
+          part == '..' ? parts.pop : parts << part
+        end
+
+        cleaned = slash + parts.join(slash)
+        cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$})
+        cleaned
+      end
+    end
+  end
+end

data/vendor/rack/protection/referrer_policy.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Secret leakage, third party tracking
+    # Supported browsers:: mixed support
+    # More infos::         https://www.w3.org/TR/referrer-policy/
+    #                      https://caniuse.com/#search=referrer-policy
+    #
+    # Sets Referrer-Policy header to tell the browser to limit the Referer header.
+    #
+    # Options:
+    # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
+    class ReferrerPolicy < Base
+      default_options referrer_policy: 'strict-origin-when-cross-origin'
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['referrer-policy'] ||= options[:referrer_policy]
+        [status, headers, body]
+      end
+    end
+  end
+end

data/vendor/rack/protection/remote_referrer.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
+    # a different host.
+    class RemoteReferrer < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        safe?(env) or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/vendor/rack/protection/remote_token.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session *or* the request comes from the same origin.
+    #
+    # Compatible with rack-csrf.
+    class RemoteToken < AuthenticityToken
+      default_reaction :deny
+
+      def accepts?(env)
+        super or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/vendor/rack/protection/session_hijacking.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Session Hijacking
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Session_hijacking
+    #
+    # Tracks request properties like the user agent in the session and empties
+    # the session if those properties change. This essentially prevents attacks
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
+    class SessionHijacking < Base
+      default_reaction :drop_session
+      default_options tracking_key: :tracking,
+                      track: %w[HTTP_USER_AGENT]
+
+      def accepts?(env)
+        session = session env
+        key     = options[:tracking_key]
+        if session.include? key
+          session[key].all? { |k, v| v == encode(env[k]) }
+        else
+          session[key] = {}
+          options[:track].each { |k| session[key][k] = encode(env[k]) }
+        end
+      end
+
+      def encode(value)
+        value.to_s.downcase
+      end
+    end
+  end
+end

data/vendor/rack/protection/strict_transport.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Protects against against protocol downgrade attacks and cookie hijacking.
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    #
+    # browser will prevent any communications from being sent over HTTP
+    # to the specified domain and will instead send all communications over HTTPS.
+    # It also prevents HTTPS click through prompts on browsers.
+    #
+    # Options:
+    #
+    # max_age:: How long future requests to the domain should go over HTTPS; specified in seconds
+    # include_subdomains:: If all present and future subdomains will be HTTPS
+    # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
+
+    class StrictTransport < Base
+      default_options max_age: 31_536_000, include_subdomains: false, preload: false
+
+      def strict_transport
+        @strict_transport ||= begin
+          strict_transport = "max-age=#{options[:max_age]}"
+          strict_transport += '; includeSubDomains' if options[:include_subdomains]
+          strict_transport += '; preload' if options[:preload]
+          strict_transport.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['strict-transport-security'] ||= strict_transport
+        [status, headers, body]
+      end
+    end
+  end
+end

data/vendor/rack/protection/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Rack
+  module Protection
+    VERSION = '4.0.0'
+  end
+end

data/vendor/rack/protection/xss_header.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Non-permanent XSS
+    # Supported browsers:: Internet Explorer 8+ and Chrome
+    # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
+    #
+    # Sets X-XSS-Protection header to tell the browser to block attacks.
+    #
+    # Options:
+    # xss_mode:: How the browser should prevent the attack (default: :block)
+    class XSSHeader < Base
+      default_options xss_mode: :block, nosniff: true
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['x-xss-protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['x-content-type-options'] ||= 'nosniff'                       if options[:nosniff]
+        [status, headers, body]
+      end
+    end
+  end
+end

data/vendor/rack/protection.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'rack/protection/version'
+require 'rack'
+
+module Rack
+  module Protection
+    autoload :AuthenticityToken,     'rack/protection/authenticity_token'
+    autoload :Base,                  'rack/protection/base'
+    autoload :CookieTossing,         'rack/protection/cookie_tossing'
+    autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
+    autoload :EscapedParams,         'rack/protection/escaped_params'
+    autoload :FormToken,             'rack/protection/form_token'
+    autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HttpOrigin,            'rack/protection/http_origin'
+    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,              'rack/protection/json_csrf'
+    autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :ReferrerPolicy,        'rack/protection/referrer_policy'
+    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
+    autoload :RemoteToken,           'rack/protection/remote_token'
+    autoload :SessionHijacking,      'rack/protection/session_hijacking'
+    autoload :StrictTransport,       'rack/protection/strict_transport'
+    autoload :XSSHeader,             'rack/protection/xss_header'
+
+    def self.new(app, options = {})
+      except = Array options[:except]
+      use_these = Array options[:use]
+
+      if options.fetch(:without_session, false)
+        except += %i[remote_token]
+      end
+
+      Rack::Builder.new do
+        # Off by default, unless added
+        use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
+        use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
+        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
+        use ::Rack::Protection::EscapedParams,         options if use_these.include? :escaped_params
+        use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
+        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::SessionHijacking,      options if use_these.include? :session_hijacking
+        use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
+
+        # On by default, unless skipped
+        use ::Rack::Protection::FrameOptions,          options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,            options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,            options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
+        use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
+        run app
+      end.to_app
+    end
+  end
+end