padrino-csrf 0.1.0

data/.gitignore

@@ -0,0 +1,6 @@
+*.gem
+archive/*
+doc/*
+.yardoc
+.bundle
+Gemfile.lock

data/.yardopts

@@ -0,0 +1,9 @@
+--no-save
+--no-private
+--title Padrino Cross-Site Request Forgery
+--markup-provider redcarpet
+--markup markdown
+lib/**/*.rb
+-
+README.md
+LICENSE

data/Gemfile

@@ -0,0 +1,2 @@
+source :rubygems
+gemspec

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2012 Benjamin Bloch
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,66 @@
+### Overview
+
+Padrino CSRF is a plugin for the [Padrino](https://github.com/padrino/padrino-framework) web framework which adds [cross-site request forgery](http://en.wikipedia.org/wiki/Cross-site_request_forgery) protection.
+
+### Setup & Installation
+
+Include it in your project's `Gemfile` with Bundler:
+
+``` ruby
+gem 'padrino-csrf'
+```
+
+Modify your `app/app.rb` file to register the plugin:
+
+``` ruby
+class ExampleApplication < Padrino::Application
+  register Padrino::CSRF
+end
+```
+
+### Configuration
+
+`prevent_request_forgery`  
+When enabled, will automatically verify the CSRF authentication token on all `post`, `put`, and `delete` requests.
+
+You can of course disable this on a request by request basis:
+
+``` ruby
+enable :prevent_request_forgery
+
+post :register do
+  # request is checked
+end
+
+post :register, protect: false do
+  # request isn't checked
+end
+```
+
+Or if you prefer, you can disable it by default, and enable it on a request by request basis:
+
+``` ruby
+disable :prevent_request_forgery
+
+post :register do
+  # request isn't checked
+end
+
+post :register, protect: true do
+  # request is checked
+end
+```
+
+### Dependencies
+
+* [Padrino-Core](https://github.com/padrino/padrino-framework) and [Padrino-Helpers](https://github.com/padrino/padrino-framework)
+* [Ruby](http://www.ruby-lang.org/en) >= 1.9.2
+
+### TODO
+
+* Additional documentation
+* Tests
+
+### Copyright
+
+Copyright � 2012 Benjamin Bloch (Cirex). See LICENSE for details.

data/Rakefile

@@ -0,0 +1,7 @@
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new do |test|
+  test.test_files = FileList['test/**/test_*.rb']
+  test.verbose = true
+end

data/lib/padrino-csrf/form_helpers.rb

@@ -0,0 +1,23 @@
+# encoding: utf-8
+module Padrino
+  module CSRF
+    module FormHelpers
+      ###
+      # Returns a hidden HTML input field with this sessions CSRF token
+      #
+      # @return [String]
+      #   Generated HTML for hidden CSRF input field
+      #
+      # @since 0.1.0
+      # @api semipublic
+      def token_field_tag
+        input_tag(:hidden, name: csrf_param, value: csrf_token)
+      end
+
+      # @private
+      def form_tag(url, options = {}, &block)
+        super(url, options) { token_field_tag + capture_html(&block) }
+      end
+    end # FormHelpers
+  end # CSRF
+end # Padrino

data/lib/padrino-csrf/helpers.rb

@@ -0,0 +1,54 @@
+# encoding: utf-8
+module Padrino
+  module CSRF
+   module Helpers
+      ###
+      # Returns whether or not the CSRF parameter is authentic
+      #
+      # @return [Boolean]
+      #   *true* if CSRF is valid, *false* otherwise
+      #
+      # @since 0.1.0
+      # @api semipublic
+      def csrf_valid?
+        csrf_token == params[csrf_param] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
+      end
+
+      ###
+      # Returns HTML meta tags for use with unobtrusive javascript helpers
+      #
+      # @return [String]
+      #   Generated HTML for CSRF meta tags
+      #
+      # @example
+      #   csrf_meta_tags
+      #   # => <meta name="csrf-token" content="71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35">
+      #   # => <meta name="csrf-param" content="_csrf_token">
+      #
+      # @since 0.1.0
+      # @api public
+      def csrf_meta_tags
+        [ meta_tag(csrf_token, name: 'csrf-token'),
+          meta_tag(csrf_param, name: 'csrf-param')
+        ].join("\n")
+      end
+
+      ###
+      # Returns the CSRF authentication token for the current session
+      #
+      # @return [String]
+      #   32 character CSRF token
+      #
+      # @since 0.1.0
+      # @api semipublic
+      def csrf_token
+        session[csrf_param] ||= SecureRandom.hex(32)
+      end
+
+      # @private
+      def csrf_param
+        :_csrf_token
+      end
+    end # Helpers
+  end # CSRF
+end # Padrino

data/lib/padrino-csrf/routing.rb

@@ -0,0 +1,58 @@
+# encoding: utf-8
+module Padrino
+  module CSRF
+    module Routing
+      ###
+      # Routing condition which lets you manually toggle CSRF authentication
+      #
+      # @param [Boolean] protect
+      #   Should the request be authenticated
+      #
+      # @raise [InvalidToken]
+      #   Raised when the CSRF parameter is invalid
+      #
+      # @example
+      #   enable :prevent_request_forgery
+      #
+      #   post :register do
+      #     # request is checked
+      #   end
+      #
+      #   post :register, protect: false do
+      #     # request isn't checked
+      #   end
+      #
+      # @example
+      #   disable :prevent_request_forgery
+      #
+      #   post :register do
+      #     # request isn't checked
+      #   end
+      #
+      #   post :register, protect: true do
+      #     # request is checked
+      #   end
+      #
+      # @since 0.1.0
+      # @api public
+      def protect(protect = false)
+        condition do
+          if protect
+            raise InvalidToken unless csrf_valid?
+          end
+        end
+      end
+
+      # @private
+      def route(verb, path, options = {}, &block)
+        if REQUEST_BLACKLIST.include?(verb)
+          options[:protect] = settings.prevent_request_forgery if options[:protect] == nil
+        else
+          options.delete(:protect)
+        end
+
+        super(verb, path, options, &block)
+      end
+    end # Routing
+  end # CSRF
+end # Padrino

data/lib/padrino-csrf/version.rb

@@ -0,0 +1,6 @@
+# encoding: utf-8
+module Padrino
+  module CSRF
+    VERSION = '0.1.0'
+  end
+end

data/lib/padrino-csrf.rb

@@ -0,0 +1,34 @@
+# encoding: utf-8
+require 'padrino-core'
+require 'padrino-helpers'
+
+FileSet.glob_require('padrino-csrf/**/*.rb', __FILE__)
+
+module Padrino
+  module CSRF
+    REQUEST_BLACKLIST = %w(POST PUT DELETE)
+
+    class InvalidToken < RuntimeError 
+      # @private
+      def http_status
+        403
+      end
+    end
+
+    class << self
+      # @private
+      def registered(app)
+        app.helpers Helpers
+        app.helpers FormHelpers
+        app.enable :prevent_request_forgery
+
+        app.extend Routing
+
+        if defined?(Padrino::Assets)
+          Padrino::Assets.load_paths << File.expand_path('../../vendor/assets', __FILE__)
+          app.precompile_assets << 'jquery.unobtrusive.js'
+        end
+      end
+    end # self
+  end # CSRF
+end # Padrino

data/padrino-csrf.gemspec

@@ -0,0 +1,24 @@
+# encoding: utf-8
+$:.push File.expand_path('../lib', __FILE__)
+require 'padrino-csrf/version'
+
+Gem::Specification.new do |s|
+  s.name        = 'padrino-csrf'
+  s.version     = Padrino::CSRF::VERSION
+  s.authors     = ['Benjamin Bloch']
+  s.email       = ['cirex@gamesol.org']
+  s.homepage    = 'https://github.com/Cirex/padrino-csrf'
+  s.description = 'A plugin for the Padrino web framework which adds CSRF protection'
+  s.summary     = s.description
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ['lib']
+
+  s.add_dependency 'padrino-core'
+  s.add_dependency 'padrino-helpers'
+
+  s.add_development_dependency 'minitest'
+  s.add_development_dependency 'webrat'
+end

data/vendor/assets/jquery.unobtrusive.js

@@ -0,0 +1,76 @@
+$('form[data-remote=true]').live('submit', function(e) {
+  e.preventDefault(); e.stopped = true;
+  var element = $(this);
+  var message = element.data('confirm');
+  if (message && !confirm(message)) { return false; }
+  Padrino.sendRequest(element, {
+    dataType: element.data('type')   || ($.ajaxSettings && $.ajaxSettings.dataType) || 'script',
+    verb:     element.data('method') || element.attr('method') || 'post',
+    url:      element.attr('action'),
+    params:   element.serializeArray()
+  });
+});
+
+$('a[data-confirm]').live('click', function(e) {
+  var message = $(this).data('confirm');
+  if (!confirm(message)) { e.preventDefault(); e.stopped = true; }
+});
+
+$('a[data-remote=true]').live('click', function(e) {
+  var element = $(this);
+  if (e.stopped) return;
+  e.preventDefault(); e.stopped = true;
+  Padrino.sendRequest(element, {
+    verb: element.data('method') || 'get',
+    url:  element.attr('href')
+  });
+});
+
+$('a[data-method]:not([data-remote])').live('click', function(e) {
+  if (e.stopped) return;
+  Padrino.sendMethod($(e.target));
+  e.preventDefault(); e.stopped = true;
+});
+
+$.ajaxPrefilter(function(options, originalOptions, xhr){ if (!options.crossDomain) { Padrino.CSRFilter(xhr); }});
+
+var Padrino = {
+  sendRequest : function(element, options) {
+    var verb = options.verb, url = options.url, params = options.params, dataType = options.dataType;
+    var event = element.trigger('ajax:before');
+    if (event.stopped) return false;
+    $.ajax({
+      url: url,
+      type: verb.toUpperCase() || 'POST',
+      data: params || [],
+      dataType: dataType,
+
+      beforeSend: function(request) { element.trigger('ajax:loading',  [ request ]); },
+      complete:   function(request) { element.trigger('ajax:complete', [ request ]); },
+      success:    function(request) { element.trigger('ajax:success',  [ request ]); },
+      error:      function(request) { element.trigger('ajax:failure',  [ request ]); }
+    });
+    element.trigger('ajax:after');
+  },
+
+  sendMethod : function(element) {
+    var verb = element.data('method');
+    var url  = element.attr('href');
+    var csrf_token = $('meta[name=csrf-token]').attr('content');
+    var csrf_param = $('meta[name=csrf-param]').attr('content');
+    
+    var form = $('<form method="post" action="' + url + '"></form>');
+    form.append('<input type="hidden" name="_method" value="' + verb + '">')
+    if (csrf_param !== undefined && csrf_token !== undefined) {
+      form.append('<input name="' + csrf_param + '" value="' + csrf_token + '" type="hidden">');
+    }
+
+    form.hide().appendTo('body');
+    form.submit();
+  },
+
+  CSRFilter: function(xhr) {
+    var token = $('meta[name="csrf-token"]').attr('content');
+    if (token) { xhr.setRequestHeader('X-CSRF-Token', token); }
+  },
+};

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: padrino-csrf
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Benjamin Bloch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-02-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: padrino-core
+  requirement: &18997080 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *18997080
+- !ruby/object:Gem::Dependency
+  name: padrino-helpers
+  requirement: &18961296 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *18961296
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: &18729264 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *18729264
+- !ruby/object:Gem::Dependency
+  name: webrat
+  requirement: &15937272 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *15937272
+description: A plugin for the Padrino web framework which adds CSRF protection
+email:
+- cirex@gamesol.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .yardopts
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/padrino-csrf.rb
+- lib/padrino-csrf/form_helpers.rb
+- lib/padrino-csrf/helpers.rb
+- lib/padrino-csrf/routing.rb
+- lib/padrino-csrf/version.rb
+- padrino-csrf.gemspec
+- vendor/assets/jquery.unobtrusive.js
+homepage: https://github.com/Cirex/padrino-csrf
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: A plugin for the Padrino web framework which adds CSRF protection
+test_files: []
+has_rdoc: