rack-protection-monkey 1.5.3

data/lib/rack/protection/form_token.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts submitted forms if a given access token matches the token
+    # included in the session. Does not expect such a token from Ajax request.
+    #
+    # This middleware is not used when using the Rack::Protection collection,
+    # since it might be a security issue, depending on your application
+    #
+    # Compatible with Rails and rack-csrf.
+    class FormToken < AuthenticityToken
+      def accepts?(env)
+        env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super
+      end
+    end
+  end
+end

data/lib/rack/protection/frame_options.rb

@@ -0,0 +1,37 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Clickjacking
+    # Supported browsers:: Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
+    #                      Safari 4.0, Chrome 4.1.249.1042 and later
+    # More infos::         https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+    #
+    # Sets X-Frame-Options header to tell the browser avoid embedding the page
+    # in a frame.
+    #
+    # Options:
+    #
+    # frame_options:: Defines who should be allowed to embed the page in a
+    #                 frame. Use :deny to forbid any embedding, :sameorigin
+    #                 to allow embedding from the same origin (default).
+    class FrameOptions < Base
+      default_options :frame_options => :sameorigin
+
+      def frame_options
+        @frame_options ||= begin
+          frame_options = options[:frame_options]
+          frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+          frame_options.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body        = @app.call(env)
+        headers['X-Frame-Options'] ||= frame_options if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/http_origin.rb

@@ -0,0 +1,34 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: Google Chrome 2, Safari 4 and later
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #                      http://tools.ietf.org/html/draft-abarth-origin
+    #
+    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
+    # does not match default or whitelisted URIs.
+    class HttpOrigin < Base
+      DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
+      default_reaction :deny
+
+      def base_url(env)
+        request = Rack::Request.new(env)
+        port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
+        "#{request.scheme}://#{request.host}#{port}"
+      end
+
+      def accepts?(env)
+        origin = env['HTTP_ORIGIN']
+
+        return true if safe? env
+        return true unless origin && origin != 'null'
+        return true if base_url(env) == origin
+        Array(options[:origin_whitelist]).include? origin
+      end
+
+    end
+  end
+end

data/lib/rack/protection/ip_spoofing.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   IP spoofing
+    # Supported browsers:: all
+    # More infos::         http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/
+    #
+    # Detect (some) IP spoofing attacks.
+    class IPSpoofing < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        return true unless env.include? 'HTTP_X_FORWARDED_FOR'
+        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
+        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
+        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+        true
+      end
+    end
+  end
+end

data/lib/rack/protection/json_csrf.rb

@@ -0,0 +1,35 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://flask.pocoo.org/docs/security/#json-security
+    #
+    # JSON GET APIs are vulnerable to being embedded as JavaScript while the
+    # Array prototype has been patched to track data. Checks the referrer
+    # even on GET requests if the content type is JSON.
+    class JsonCsrf < Base
+      alias react deny
+
+      def call(env)
+        request               = Request.new(env)
+        status, headers, body = app.call(env)
+
+        if has_vector? request, headers
+          warn env, "attack prevented by #{self.class}"
+          react(env) or [status, headers, body]
+        else
+          [status, headers, body]
+        end
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
+      end
+    end
+  end
+end

data/lib/rack/protection/path_traversal.rb

@@ -0,0 +1,47 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Directory traversal
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
+    #
+    # Unescapes '/' and '.', expands +path_info+.
+    # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
+    class PathTraversal < Base
+      def call(env)
+        path_was         = env["PATH_INFO"]
+        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
+        app.call env
+      ensure
+        env["PATH_INFO"] = path_was
+      end
+
+      def cleanup(path)
+        if path.respond_to?(:encoding)
+          # Ruby 1.9+ M17N
+          encoding = path.encoding
+          dot   = '.'.encode(encoding)
+          slash = '/'.encode(encoding)
+        else
+          # Ruby 1.8
+          dot   = '.'
+          slash = '/'
+        end
+
+        parts     = []
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
+
+        unescaped.split(slash).each do |part|
+          next if part.empty? or part == dot
+          part == '..' ? parts.pop : parts << part
+        end
+
+        cleaned = slash + parts.join(slash)
+        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
+        cleaned
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_referrer.rb

@@ -0,0 +1,20 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
+    # a different host.
+    class RemoteReferrer < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        safe?(env) or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_token.rb

@@ -0,0 +1,22 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session *or* the request comes from the same origin.
+    #
+    # Compatible with Rails and rack-csrf.
+    class RemoteToken < AuthenticityToken
+      default_reaction :deny
+
+      def accepts?(env)
+        super or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/lib/rack/protection/session_hijacking.rb

@@ -0,0 +1,36 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Session Hijacking
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Session_hijacking
+    #
+    # Tracks request properties like the user agent in the session and empties
+    # the session if those properties change. This essentially prevents attacks
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
+    class SessionHijacking < Base
+      default_reaction :drop_session
+      default_options :tracking_key => :tracking, :encrypt_tracking => true,
+        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
+
+      def accepts?(env)
+        session = session env
+        key     = options[:tracking_key]
+        if session.include? key
+          session[key].all? { |k,v| v == encrypt(env[k]) }
+        else
+          session[key] = {}
+          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+        end
+      end
+
+      def encrypt(value)
+        value = value.to_s.downcase
+        options[:encrypt_tracking] ? super(value) : value
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -0,0 +1,16 @@
+module Rack
+  module Protection
+    def self.version
+      VERSION
+    end
+
+    SIGNATURE = [1, 5, 3]
+    VERSION   = SIGNATURE.join('.')
+
+    VERSION.extend Comparable
+    def VERSION.<=>(other)
+      other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
+      SIGNATURE <=> Array(other)
+    end
+  end
+end

data/lib/rack/protection/xss_header.rb

@@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Non-permanent XSS
+    # Supported browsers:: Internet Explorer 8 and later
+    # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
+    #
+    # Sets X-XSS-Protection header to tell the browser to block attacks.
+    #
+    # Options:
+    # xss_mode:: How the browser should prevent the attack (default: :block)
+    class XSSHeader < Base
+      default_options :xss_mode => :block, :nosniff => true
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        [status, headers, body]
+      end
+    end
+  end
+end

data/rack-protection.gemspec

@@ -0,0 +1,123 @@
+# Run `rake rack-protection.gemspec` to update the gemspec.
+Gem::Specification.new do |s|
+  # general infos
+  s.name        = "rack-protection-monkey"
+  s.version     = "1.5.3"
+  s.description = "You should use protection! - Monkey Version"
+  s.homepage    = "http://github.com/sinatra/rack-protection"
+  s.summary     = s.description
+  s.license     = 'MIT'
+
+  # generated from git shortlog -sn
+  s.authors = [
+    "Konstantin Haase",
+    "Alex Rodionov",
+    "Patrick Ellis",
+    "Jason Staten",
+    "ITO Nobuaki",
+    "Jeff Welling",
+    "Matteo Centenaro",
+    "Egor Homakov",
+    "Florian Gilcher",
+    "Fojas",
+    "Igor Bochkariov",
+    "Mael Clerambault",
+    "Martin Mauch",
+    "Renne Nissinen",
+    "SAKAI, Kazuaki",
+    "Stanislav Savulchik",
+    "Steve Agalloco",
+    "TOBY",
+    "Thais Camilo and Konstantin Haase",
+    "Vipul A M",
+    "Akzhan Abdulin",
+    "brookemckim",
+    "Bj\u{f8}rge N\u{e6}ss",
+    "Chris Heald",
+    "Chris Mytton",
+    "Corey Ward",
+    "Dario Cravero",
+    "David Kellum"
+  ]
+
+  # generated from git shortlog -sne
+  s.email = [
+    "konstantin.mailinglists@googlemail.com",
+    "p0deje@gmail.com",
+    "jstaten07@gmail.com",
+    "patrick@soundcloud.com",
+    "jeff.welling@gmail.com",
+    "bugant@gmail.com",
+    "daydream.trippers@gmail.com",
+    "florian.gilcher@asquera.de",
+    "developer@fojasaur.us",
+    "ujifgc@gmail.com",
+    "mael@clerambault.fr",
+    "martin.mauch@gmail.com",
+    "rennex@iki.fi",
+    "kaz.july.7@gmail.com",
+    "s.savulchik@gmail.com",
+    "steve.agalloco@gmail.com",
+    "toby.net.info.mail+git@gmail.com",
+    "dev+narwen+rkh@rkh.im",
+    "vipulnsward@gmail.com",
+    "akzhan.abdulin@gmail.com",
+    "brooke@digitalocean.com",
+    "bjoerge@bengler.no",
+    "cheald@gmail.com",
+    "self@hecticjeff.net",
+    "coreyward@me.com",
+    "dario@uxtemple.com",
+    "dek-oss@gravitext.com",
+    "homakov@gmail.com"
+  ]
+
+  # generated from git ls-files
+  s.files = [
+      "License",
+      "README.md",
+      "Rakefile",
+      "lib/rack-protection.rb",
+      "lib/rack/protection.rb",
+      "lib/rack/protection/authenticity_token.rb",
+      "lib/rack/protection/base.rb",
+      "lib/rack/protection/escaped_params.rb",
+      "lib/rack/protection/form_token.rb",
+      "lib/rack/protection/frame_options.rb",
+      "lib/rack/protection/http_origin.rb",
+      "lib/rack/protection/ip_spoofing.rb",
+      "lib/rack/protection/json_csrf.rb",
+      "lib/rack/protection/path_traversal.rb",
+      "lib/rack/protection/remote_referrer.rb",
+      "lib/rack/protection/remote_token.rb",
+      "lib/rack/protection/session_hijacking.rb",
+      "lib/rack/protection/version.rb",
+      "lib/rack/protection/xss_header.rb",
+      "rack-protection.gemspec",
+      "spec/lib/rack/protection/authenticity_token_spec.rb",
+      "spec/lib/rack/protection/base_spec.rb",
+      "spec/lib/rack/protection/escaped_params_spec.rb",
+      "spec/lib/rack/protection/form_token_spec.rb",
+      "spec/lib/rack/protection/frame_options_spec.rb",
+      "spec/lib/rack/protection/http_origin_spec.rb",
+      "spec/lib/rack/protection/ip_spoofing_spec.rb",
+      "spec/lib/rack/protection/json_csrf_spec.rb",
+      "spec/lib/rack/protection/path_traversal_spec.rb",
+      "spec/lib/rack/protection/protection_spec.rb",
+      "spec/lib/rack/protection/remote_referrer_spec.rb",
+      "spec/lib/rack/protection/remote_token_spec.rb",
+      "spec/lib/rack/protection/session_hijacking_spec.rb",
+      "spec/lib/rack/protection/xss_header_spec.rb",
+      "spec/spec_helper.rb",
+      "spec/support/dummy_app.rb",
+      "spec/support/not_implemented_as_pending.rb",
+      "spec/support/rack_monkey_patches.rb",
+      "spec/support/shared_examples.rb",
+      "spec/support/spec_helpers.rb"
+  ]
+
+  # dependencies
+  s.add_dependency "rack"
+  s.add_development_dependency "rack-test"
+  s.add_development_dependency "rspec", "~> 3.0.0"
+end