pakyow-routing 1.0.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
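--- a/lib/pakyow/security/csrf/verify_same_origin.rb
+++ b/lib/pakyow/security/csrf/verify_same_origin.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "uri"
+
+require "pakyow/security/base"
+
+module Pakyow
+module Security
+module CSRF
+# Protects against Cross-Site Forgery Requests (CSRF).
+# https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+#
+# Allows requests if the origin or referer matches the request uri, or is whitelisted through
+# the +config.origin.whitelist+ config option. The request is not allowed if values for both
+# origin and referer are missing.
+#
+#
+class VerifySameOrigin < Base
+def initialize(*)
+super
+
+@whitelisted_origins = @config[:origin_whitelist].to_a.map { |origin|
+parse_uri(origin)
+}.compact
+end
+
+def allowed?(connection)
+origin_uris(connection).yield_self { |origins|
+!origins.empty? && origins.all? { |origin|
+whitelisted_origin?(origin) || matching_origin?(origin, connection)
+}
+}
+end
+
+private
+
+def origin_uris(connection)
+origins = []
+
+if connection.request_header?("origin")
+origins.concat(connection.request_header("origin"))
+end
+
+if connection.request_header?("referer")
+origins << connection.request_header("referer")
+end
+
+origins.map! { |value| parse_uri(value) }
+end
+
+def parse_uri(value)
+URI.parse(value.to_s)
+rescue URI::InvalidURIError
+nil
+end
+
+def uris_match?(uri1, uri2)
+uri1.scheme == uri2.scheme && uri1.host == uri2.host && uri1.port == uri2.port
+end
+
+def whitelisted_origin?(origin)
+@whitelisted_origins.any? { |whitelisted|
+uris_match?(whitelisted, origin)
+}
+end
+
+def matching_origin?(origin, connection)
+uris_match?(origin, parse_uri("#{connection.scheme}://#{connection.authority}"))
+end
+end
+end
+end
+end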
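Review bot: `uris_match?` treats two absent components as equal, so a whitelist entry configured without a scheme (which `parse_uri` turns into a `URI::Generic` with nil scheme and nil host rather than dropping) matches any Origin or Referer value that also lacks them — including the literal `Origin: null` a browser sends from sandboxed or opaque contexts — and `allowed?` then accepts the request; whether a scheme-less whitelist entry is a supported config form I cannot tell from this hunk. Separately, `origin_uris` keeps the nil that `parse_uri` returns for a malformed header (the constructor compacts, this method does not), and `allowed?` passes it to `uris_match?`, so a malformed Origin raises `NoMethodError` on `nil.scheme` instead of being rejected. Both are closed by having `parse_uri` return nil unless the URI has a scheme and a host, and by treating a nil origin as not allowed in `allowed?`; whitelist entries dropped by that rule should be surfaced at configuration time rather than silently compacted. The class comment also names the option as `config.origin.whitelist` while `initialize` reads `@config[:origin_whitelist]`; one of the two should be corrected.
```ruby
def allowed?(connection)
  origin_uris(connection).yield_self { |origins|
    !origins.empty? && origins.all? { |origin|
      # nil is a header that did not parse as an absolute URI; never trust it
      origin && (whitelisted_origin?(origin) || matching_origin?(origin, connection))
    }
  }
end

# … unchanged: origin_uris …

def parse_uri(value)
  uri = URI.parse(value.to_s)
  # only absolute URIs with a host are comparable as origins; "null" and
  # bare hostnames parse without a scheme and must not match anything
  uri if uri.scheme && uri.host
rescue URI::InvalidURIError
  nil
end
```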
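--- a/lib/pakyow/security/errors.rb
+++ b/lib/pakyow/security/errors.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "pakyow/error"
+
+module Pakyow
+module Security
+class Error < Pakyow::Error
+end
+
+class InsecureRequest < Error
+end
+
+class InsecureRedirect < Error
+class_state :messages, default: {
+default: "Cannot redirect to remote, untrusted location `{location}'"
+}.freeze
+end
+end
+end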
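--- a/lib/pakyow/security/helpers/csrf.rb
+++ b/lib/pakyow/security/helpers/csrf.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "pakyow/support/message_verifier"
+
+module Pakyow
+module Security
+module Helpers
+module CSRF
+def authenticity_client_id
+@authenticity_client_id ||= Support::MessageVerifier.key
+end
+end
+end
+end
+end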
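Review bot: `authenticity_client_id` carries no comment saying what the memoized value is or how long it lives, and the `||=` ties the key to the lifetime of whatever object includes this helper; if that object outlives a single request the same key is reused across requests, which I cannot confirm from this hunk. Suggest `# Memoized per-instance key from Support::MessageVerifier, used as this client's authenticity id; it lives as long as the including object does.` so the lifetime assumption is explicit to callers.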
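--- a/lib/pakyow/security/pipelines/csrf.rb
+++ b/lib/pakyow/security/pipelines/csrf.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "pakyow/support/pipeline"
+
+module Pakyow
+module Security
+module Pipelines
+module CSRF
+extend Support::Pipeline
+
+action :verify_same_origin
+action :verify_authenticity_token
+
+def verify_same_origin
+config.security.csrf.protection[:origin].call(@connection)
+end
+
+def verify_authenticity_token
+config.security.csrf.protection[:authenticity].call(@connection)
+end
+end
+end
+end
+end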
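Review bot: `config.security.csrf.protection[:origin]` in `verify_same_origin` (and `[:authenticity]` in `verify_authenticity_token`) uses `[]`, so a missing protection entry fails with `NoMethodError` on nil rather than naming the key that was not configured; `config.security.csrf.protection.fetch(:origin).call(@connection)` raises a `KeyError` that says which protection is absent. Whether the pipeline is meant to run with a protection deliberately unset I cannot tell from this hunk, but if so the skip should be explicit in these two methods rather than relying on nil falling through.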
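--- a/metadata
+++ b/metadata
@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: pakyow-routing
+version: !ruby/object:Gem::Version
+version: 1.0.0.rc1
+platform: ruby
+authors:
+- Bryan Powell
+- Bret Young
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2019-07-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: pakyow-core
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+- !ruby/object:Gem::Dependency
+name: pakyow-support
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+description: Routing functionality for Pakyow
+email: bryan@metabahn.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- lib/pakyow/behavior/definition.rb
+- lib/pakyow/routing.rb
+- lib/pakyow/routing/actions/respond_missing.rb
+- lib/pakyow/routing/controller.rb
+- lib/pakyow/routing/controller/behavior/error_handling.rb
+- lib/pakyow/routing/controller/behavior/param_verification.rb
+- lib/pakyow/routing/expansion.rb
+- lib/pakyow/routing/extensions.rb
+- lib/pakyow/routing/extensions/resource.rb
+- lib/pakyow/routing/framework.rb
+- lib/pakyow/routing/helpers/exposures.rb
+- lib/pakyow/routing/route.rb
+- lib/pakyow/security/base.rb
+- lib/pakyow/security/behavior/config.rb
+- lib/pakyow/security/behavior/disabling.rb
+- lib/pakyow/security/behavior/helpers.rb
+- lib/pakyow/security/behavior/insecure.rb
+- lib/pakyow/security/behavior/pipeline.rb
+- lib/pakyow/security/csrf/verify_authenticity_token.rb
+- lib/pakyow/security/csrf/verify_same_origin.rb
+- lib/pakyow/security/errors.rb
+- lib/pakyow/security/helpers/csrf.rb
+- lib/pakyow/security/pipelines/csrf.rb
+homepage: https://pakyow.org
+licenses:
+- LGPL-3.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">"
+- !ruby/object:Gem::Version
+version: 1.3.1
+requirements: []
+rubyforge_project:
+rubygems_version: 2.7.6
+signing_key:
+specification_version: 4
+summary: Pakyow Routing
+test_files: []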