pakyow-routing 1.0.0.rc1

data/lib/pakyow/security/csrf/verify_same_origin.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "uri"
+
+require "pakyow/security/base"
+
+module Pakyow
+  module Security
+    module CSRF
+      # Protects against Cross-Site Forgery Requests (CSRF).
+      # https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+      #
+      # Allows requests if the origin or referer matches the request uri, or is whitelisted through
+      # the +config.origin.whitelist+ config option. The request is not allowed if values for both
+      # origin and referer are missing.
+      #
+      #
+      class VerifySameOrigin < Base
+        def initialize(*)
+          super
+
+          @whitelisted_origins = @config[:origin_whitelist].to_a.map { |origin|
+            parse_uri(origin)
+          }.compact
+        end
+
+        def allowed?(connection)
+          origin_uris(connection).yield_self { |origins|
+            !origins.empty? && origins.all? { |origin|
+              whitelisted_origin?(origin) || matching_origin?(origin, connection)
+            }
+          }
+        end
+
+        private
+
+        def origin_uris(connection)
+          origins = []
+
+          if connection.request_header?("origin")
+            origins.concat(connection.request_header("origin"))
+          end
+
+          if connection.request_header?("referer")
+            origins << connection.request_header("referer")
+          end
+
+          origins.map! { |value| parse_uri(value) }
+        end
+
+        def parse_uri(value)
+          URI.parse(value.to_s)
+        rescue URI::InvalidURIError
+          nil
+        end
+
+        def uris_match?(uri1, uri2)
+          uri1.scheme == uri2.scheme && uri1.host == uri2.host && uri1.port == uri2.port
+        end
+
+        def whitelisted_origin?(origin)
+          @whitelisted_origins.any? { |whitelisted|
+            uris_match?(whitelisted, origin)
+          }
+        end
+
+        def matching_origin?(origin, connection)
+          uris_match?(origin, parse_uri("#{connection.scheme}://#{connection.authority}"))
+        end
+      end
+    end
+  end
+end

data/lib/pakyow/security/errors.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "pakyow/error"
+
+module Pakyow
+  module Security
+    class Error < Pakyow::Error
+    end
+
+    class InsecureRequest < Error
+    end
+
+    class InsecureRedirect < Error
+      class_state :messages, default: {
+        default: "Cannot redirect to remote, untrusted location `{location}'"
+      }.freeze
+    end
+  end
+end

data/lib/pakyow/security/helpers/csrf.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "pakyow/support/message_verifier"
+
+module Pakyow
+  module Security
+    module Helpers
+      module CSRF
+        def authenticity_client_id
+          @authenticity_client_id ||= Support::MessageVerifier.key
+        end
+      end
+    end
+  end
+end

data/lib/pakyow/security/pipelines/csrf.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "pakyow/support/pipeline"
+
+module Pakyow
+  module Security
+    module Pipelines
+      module CSRF
+        extend Support::Pipeline
+
+        action :verify_same_origin
+        action :verify_authenticity_token
+
+        def verify_same_origin
+          config.security.csrf.protection[:origin].call(@connection)
+        end
+
+        def verify_authenticity_token
+          config.security.csrf.protection[:authenticity].call(@connection)
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: pakyow-routing
+version: !ruby/object:Gem::Version
+  version: 1.0.0.rc1
+platform: ruby
+authors:
+- Bryan Powell
+- Bret Young
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-07-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pakyow-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.0.rc1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.0.rc1
+- !ruby/object:Gem::Dependency
+  name: pakyow-support
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.0.rc1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.0.rc1
+description: Routing functionality for Pakyow
+email: bryan@metabahn.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- lib/pakyow/behavior/definition.rb
+- lib/pakyow/routing.rb
+- lib/pakyow/routing/actions/respond_missing.rb
+- lib/pakyow/routing/controller.rb
+- lib/pakyow/routing/controller/behavior/error_handling.rb
+- lib/pakyow/routing/controller/behavior/param_verification.rb
+- lib/pakyow/routing/expansion.rb
+- lib/pakyow/routing/extensions.rb
+- lib/pakyow/routing/extensions/resource.rb
+- lib/pakyow/routing/framework.rb
+- lib/pakyow/routing/helpers/exposures.rb
+- lib/pakyow/routing/route.rb
+- lib/pakyow/security/base.rb
+- lib/pakyow/security/behavior/config.rb
+- lib/pakyow/security/behavior/disabling.rb
+- lib/pakyow/security/behavior/helpers.rb
+- lib/pakyow/security/behavior/insecure.rb
+- lib/pakyow/security/behavior/pipeline.rb
+- lib/pakyow/security/csrf/verify_authenticity_token.rb
+- lib/pakyow/security/csrf/verify_same_origin.rb
+- lib/pakyow/security/errors.rb
+- lib/pakyow/security/helpers/csrf.rb
+- lib/pakyow/security/pipelines/csrf.rb
+homepage: https://pakyow.org
+licenses:
+- LGPL-3.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Pakyow Routing
+test_files: []