rack-protection-monkey 1.5.3

data/spec/lib/rack/protection/authenticity_token_spec.rb

@@ -0,0 +1,46 @@
+describe Rack::Protection::AuthenticityToken do
+  it_behaves_like "any rack application"
+
+  it "denies post requests without any token" do
+    expect(post('/')).not_to be_ok
+  end
+
+  it "accepts post requests with correct X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    expect(last_response).to be_ok
+  end
+
+  it "denies post requests with wrong X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    expect(last_response).not_to be_ok
+  end
+
+  it "accepts post form requests with correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    expect(last_response).to be_ok
+  end
+
+  it "denies post form requests with wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    expect(last_response).not_to be_ok
+  end
+
+  it "prevents ajax requests without a valid token" do
+    expect(post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest")).not_to be_ok
+  end
+
+  it "allows for a custom authenticity token param" do
+    mock_app do
+      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
+    expect(last_response).to be_ok
+  end
+
+  it "sets a new csrf token for the session in env, even after a 'safe' request" do
+    get('/', {}, {})
+    expect(env['rack.session'][:csrf]).not_to be_nil
+  end
+end

data/spec/lib/rack/protection/base_spec.rb

@@ -0,0 +1,38 @@
+describe Rack::Protection::Base do
+
+  subject { described_class.new(lambda {}) }
+
+  describe "#random_string" do
+    it "outputs a string of 32 characters" do
+      expect(subject.random_string.length).to eq(32)
+    end
+  end
+
+  describe "#referrer" do
+    it "Reads referrer from Referer header" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
+      expect(subject.referrer(env)).to eq("bar.com")
+    end
+
+    it "Reads referrer from Host header when Referer header is relative" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
+      expect(subject.referrer(env)).to eq("foo.com")
+    end
+
+    it "Reads referrer from Host header when Referer header is missing" do
+      env = {"HTTP_HOST" => "foo.com"}
+      expect(subject.referrer(env)).to eq("foo.com")
+    end
+
+    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.options[:allow_empty_referrer] = false
+      expect(subject.referrer(env)).to be_nil
+    end
+
+    it "Returns nil when Referer header is invalid" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
+      expect(subject.referrer(env)).to be_nil
+    end
+  end
+end

data/spec/lib/rack/protection/escaped_params_spec.rb

@@ -0,0 +1,41 @@
+describe Rack::Protection::EscapedParams do
+  it_behaves_like "any rack application"
+
+  context 'escaping' do
+    it 'escapes html entities' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
+      end
+      get '/', :foo => "<bar>"
+      expect(body).to eq('&lt;bar&gt;')
+    end
+
+    it 'leaves normal params untouched' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
+      end
+      get '/', :foo => "bar"
+      expect(body).to eq('bar')
+    end
+
+    it 'copes with nested arrays' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']['bar']]]
+      end
+      get '/', :foo => {:bar => "<bar>"}
+      expect(body).to eq('&lt;bar&gt;')
+    end
+
+    it 'leaves cache-breaker params untouched' do
+      mock_app do |env|
+        [200, {'Content-Type' => 'text/plain'}, ['hi']]
+      end
+
+      get '/?95df8d9bf5237ad08df3115ee74dcb10'
+      expect(body).to eq('hi')
+    end
+  end
+end

data/spec/lib/rack/protection/form_token_spec.rb

@@ -0,0 +1,31 @@
+describe Rack::Protection::FormToken do
+  it_behaves_like "any rack application"
+
+  it "denies post requests without any token" do
+    expect(post('/')).not_to be_ok
+  end
+
+  it "accepts post requests with correct X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    expect(last_response).to be_ok
+  end
+
+  it "denies post requests with wrong X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    expect(last_response).not_to be_ok
+  end
+
+  it "accepts post form requests with correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    expect(last_response).to be_ok
+  end
+
+  it "denies post form requests with wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    expect(last_response).not_to be_ok
+  end
+
+  it "accepts ajax requests without a valid token" do
+    expect(post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest")).to be_ok
+  end
+end

data/spec/lib/rack/protection/frame_options_spec.rb

@@ -0,0 +1,37 @@
+describe Rack::Protection::FrameOptions do
+  it_behaves_like "any rack application"
+
+  it 'should set the X-Frame-Options' do
+    expect(get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"]).to eq("SAMEORIGIN")
+  end
+
+  it 'should not set the X-Frame-Options for other content types' do
+    expect(get('/', {}, 'wants' => 'text/foo').headers["X-Frame-Options"]).to be_nil
+  end
+
+  it 'should allow changing the protection mode' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::FrameOptions, :frame_options => :deny
+      run DummyApp
+    end
+
+    expect(get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"]).to eq("DENY")
+  end
+
+
+  it 'should allow changing the protection mode to a string' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
+      run DummyApp
+    end
+
+    expect(get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"]).to eq("ALLOW-FROM foo")
+  end
+
+  it 'should not override the header if already set' do
+    mock_app with_headers("X-Frame-Options" => "allow")
+    expect(get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"]).to eq("allow")
+  end
+end

data/spec/lib/rack/protection/http_origin_spec.rb

@@ -0,0 +1,40 @@
+describe Rack::Protection::HttpOrigin do
+  it_behaves_like "any rack application"
+
+  before(:each) do
+    mock_app do
+      use Rack::Protection::HttpOrigin
+      run DummyApp
+    end
+  end
+
+  %w(GET HEAD POST PUT DELETE).each do |method|
+    it "accepts #{method} requests with no Origin" do
+      expect(send(method.downcase, '/')).to be_ok
+    end
+  end
+
+  %w(GET HEAD).each do |method|
+    it "accepts #{method} requests with non-whitelisted Origin" do
+      expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).to be_ok
+    end
+  end
+
+  %w(POST PUT DELETE).each do |method|
+    it "denies #{method} requests with non-whitelisted Origin" do
+      expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).not_to be_ok
+    end
+
+    it "accepts #{} requests with 'null' Origin" do
+      expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'null')).to be_ok
+    end
+
+    it "accepts #{method} requests with whitelisted Origin" do
+      mock_app do
+        use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
+        run DummyApp
+      end
+      expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com')).to be_ok
+    end
+  end
+end

data/spec/lib/rack/protection/ip_spoofing_spec.rb

@@ -0,0 +1,33 @@
+describe Rack::Protection::IPSpoofing do
+  it_behaves_like "any rack application"
+
+  it 'accepts requests without X-Forward-For header' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_REAL_IP' => '4.3.2.1')
+    expect(last_response).to be_ok
+  end
+
+  it 'accepts requests with proper X-Forward-For header' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4',
+      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
+    expect(last_response).to be_ok
+  end
+
+  it 'denies requests where the client spoofs X-Forward-For but not the IP' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_FORWARDED_FOR' => '1.2.3.5')
+    expect(last_response).not_to be_ok
+  end
+
+  it 'denies requests where the client spoofs the IP but not X-Forward-For' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.5',
+      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
+    expect(last_response).not_to be_ok
+  end
+
+  it 'denies requests where IP and X-Forward-For are spoofed but not X-Real-IP' do
+    get('/', {},
+      'HTTP_CLIENT_IP'       => '1.2.3.5',
+      'HTTP_X_FORWARDED_FOR' => '1.2.3.5',
+      'HTTP_X_REAL_IP'       => '1.2.3.4')
+    expect(last_response).not_to be_ok
+  end
+end

data/spec/lib/rack/protection/json_csrf_spec.rb

@@ -0,0 +1,56 @@
+describe Rack::Protection::JsonCsrf do
+  it_behaves_like "any rack application"
+
+  describe 'json response' do
+    before do
+      mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
+    end
+
+    it "denies get requests with json responses with a remote referrer" do
+      expect(get('/', {}, 'HTTP_REFERER' => 'http://evil.com')).not_to be_ok
+    end
+
+    it "accepts requests with json responses with a remote referrer when there's an origin header set" do
+      expect(get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com')).to be_ok
+    end
+
+    it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
+      expect(get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com')).to be_ok
+    end
+
+    it "accepts get requests with json responses with a local referrer" do
+      expect(get('/', {}, 'HTTP_REFERER' => '/')).to be_ok
+    end
+
+    it "accepts get requests with json responses with no referrer" do
+      expect(get('/', {})).to be_ok
+    end
+
+    it "accepts XHR requests" do
+      expect(get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')).to be_ok
+    end
+
+  end
+
+  describe 'not json response' do
+
+    it "accepts get requests with 304 headers" do
+      mock_app { |e| [304, {}, []]}
+      expect(get('/', {}).status).to eq(304)
+    end
+
+  end
+
+  describe 'with drop_session as default reaction' do
+    it 'still denies' do
+      mock_app do
+        use Rack::Protection, :reaction => :drop_session
+        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+      end
+
+      session = {:foo => :bar}
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+      expect(last_response).not_to be_ok
+    end
+  end
+end

data/spec/lib/rack/protection/path_traversal_spec.rb

@@ -0,0 +1,39 @@
+describe Rack::Protection::PathTraversal do
+  it_behaves_like "any rack application"
+
+  context 'escaping' do
+    before do
+      mock_app { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO']]] }
+    end
+
+    %w[/foo/bar /foo/bar/ / /.f /a.x].each do |path|
+      it("does not touch #{path.inspect}") { expect(get(path).body).to eq(path) }
+    end
+
+    { # yes, this is ugly, feel free to change that
+      '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
+      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
+      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
+    }.each do |a, b|
+      it("replaces #{a.inspect} with #{b.inspect}") { expect(get(a).body).to eq(b) }
+    end
+
+    it 'should be able to deal with PATH_INFO = nil (fcgi?)' do
+      app = Rack::Protection::PathTraversal.new(proc { 42 })
+      expect(app.call({})).to eq(42)
+    end
+  end
+
+  if "".respond_to?(:encoding)  # Ruby 1.9+ M17N
+    context "PATH_INFO's encoding" do
+      before do
+        @app = Rack::Protection::PathTraversal.new(proc { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO'].encoding.to_s]] })
+      end
+
+      it 'should remain unchanged as ASCII-8BIT' do
+        body = @app.call({ 'PATH_INFO' => '/'.encode('ASCII-8BIT') })[2][0]
+        expect(body).to eq('ASCII-8BIT')
+      end
+    end
+  end
+end

data/spec/lib/rack/protection/protection_spec.rb

@@ -0,0 +1,103 @@
+describe Rack::Protection do
+  it_behaves_like "any rack application"
+
+  it 'passes on options' do
+    mock_app do
+      use Rack::Protection, :track => ['HTTP_FOO']
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
+    expect(session[:foo]).to eq(:bar)
+
+    get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
+    expect(session).to be_empty
+  end
+
+  it 'passes errors through if :reaction => :report is used' do
+    mock_app do
+      use Rack::Protection, :reaction => :report
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+    end
+
+    session = {:foo => :bar}
+    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+    expect(last_response).to be_ok
+    expect(body).to eq("true")
+  end
+
+  describe "#react" do
+    it 'prevents attacks and warns about it' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      expect(io.string).to match(/prevented.*Origin/)
+    end
+
+    it 'reports attacks if reaction is to report' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      expect(io.string).to match(/reported.*Origin/)
+      expect(io.string).not_to match(/prevented.*Origin/)
+    end
+
+    it 'passes errors to reaction method if specified' do
+      io = StringIO.new
+      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
+      mock_app do
+        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      expect(io.string).to match(/HTTP_ORIGIN.*malicious.com/)
+      expect(io.string).not_to match(/reported|prevented/)
+    end
+  end
+
+  describe "#html?" do
+    context "given an appropriate content-type header" do
+      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
+      it { is_expected.to be_truthy }
+    end
+
+    context "given an inappropriate content-type header" do
+      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "image/gif" }
+      it { is_expected.to be_falsey }
+    end
+
+    context "given no content-type header" do
+      subject { Rack::Protection::Base.new(nil).html?({}) }
+      it { is_expected.to be_falsey }
+    end
+  end
+
+  describe "#instrument" do
+    let(:env) { { 'rack.protection.attack' => 'base' } }
+    let(:instrumenter) { double('Instrumenter') }
+
+    after do
+      app.instrument(env)
+    end
+
+    context 'with an instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil, :instrumenter => instrumenter) }
+
+      it { expect(instrumenter).to receive(:instrument).with('rack.protection', env) }
+    end
+
+    context 'with no instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil) }
+
+      it { expect(instrumenter).not_to receive(:instrument) }
+    end
+  end
+end