rack-protection-monkey 1.5.3

data/spec/lib/rack/protection/remote_referrer_spec.rb

@@ -0,0 +1,29 @@
+describe Rack::Protection::RemoteReferrer do
+  it_behaves_like "any rack application"
+
+  it "accepts post requests with no referrer" do
+    expect(post('/')).to be_ok
+  end
+
+  it "does not accept post requests with no referrer if allow_empty_referrer is false" do
+    mock_app do
+      use Rack::Protection::RemoteReferrer, :allow_empty_referrer => false
+      run DummyApp
+    end
+    expect(post('/')).not_to be_ok
+  end
+
+  it "should allow post request with a relative referrer" do
+    expect(post('/', {}, 'HTTP_REFERER' => '/')).to be_ok
+  end
+
+  it "accepts post requests with the same host in the referrer" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.com')
+    expect(last_response).to be_ok
+  end
+
+  it "denies post requests with a remote referrer" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+    expect(last_response).not_to be_ok
+  end
+end

data/spec/lib/rack/protection/remote_token_spec.rb

@@ -0,0 +1,40 @@
+describe Rack::Protection::RemoteToken do
+  it_behaves_like "any rack application"
+
+  it "accepts post requests with no referrer" do
+    expect(post('/')).to be_ok
+  end
+
+  it "accepts post requests with a local referrer" do
+    expect(post('/', {}, 'HTTP_REFERER' => '/')).to be_ok
+  end
+
+  it "denies post requests with a remote referrer and no token" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+    expect(last_response).not_to be_ok
+  end
+
+  it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    expect(last_response).to be_ok
+  end
+
+  it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    expect(last_response).not_to be_ok
+  end
+
+  it "accepts post form requests with a remote referrer and correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
+    expect(last_response).to be_ok
+  end
+
+  it "denies post form requests with a remote referrer and wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
+    expect(last_response).not_to be_ok
+  end
+end

data/spec/lib/rack/protection/session_hijacking_spec.rb

@@ -0,0 +1,53 @@
+describe Rack::Protection::SessionHijacking do
+  it_behaves_like "any rack application"
+
+  it "accepts a session without changes to tracked parameters" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session
+    get '/', {}, 'rack.session' => session
+    expect(session[:foo]).to eq(:bar)
+  end
+
+  it "denies requests with a changing User-Agent header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
+    expect(session).to be_empty
+  end
+
+  it "accepts requests with a changing Accept-Encoding header" do
+    # this is tested because previously it led to clearing the session
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
+    expect(session).not_to be_empty
+  end
+
+  it "denies requests with a changing Accept-Language header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
+    expect(session).to be_empty
+  end
+
+  it "accepts requests with the same Accept-Language header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    expect(session).not_to be_empty
+  end
+
+  it "comparison of Accept-Language header is not case sensitive" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
+    expect(session).not_to be_empty
+  end
+
+  it "accepts requests with a changing Version header"do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
+    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
+    expect(session[:foo]).to eq(:bar)
+  end
+end

data/spec/lib/rack/protection/xss_header_spec.rb

@@ -0,0 +1,54 @@
+describe Rack::Protection::XSSHeader do
+  it_behaves_like "any rack application"
+
+  it 'should set the X-XSS-Protection' do
+    expect(get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"]).to eq("1; mode=block")
+  end
+
+  it 'should set the X-XSS-Protection for XHTML' do
+    expect(get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"]).to eq("1; mode=block")
+  end
+
+  it 'should not set the X-XSS-Protection for other content types' do
+    expect(get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"]).to be_nil
+  end
+
+  it 'should allow changing the protection mode' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::XSSHeader, :xss_mode => :foo
+      run DummyApp
+    end
+
+    expect(get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"]).to eq("1; mode=foo")
+  end
+
+  it 'should not override the header if already set' do
+    mock_app with_headers("X-XSS-Protection" => "0")
+    expect(get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"]).to eq("0")
+  end
+
+  it 'should set the X-Content-Type-Options' do
+    expect(get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"]).to eq("nosniff")
+  end
+
+
+  it 'should set the X-Content-Type-Options for other content types' do
+    expect(get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"]).to eq("nosniff")
+  end
+
+
+  it 'should allow changing the nosniff-mode off' do
+    mock_app do
+      use Rack::Protection::XSSHeader, :nosniff => false
+      run DummyApp
+    end
+
+    expect(get('/').headers["X-Content-Type-Options"]).to be_nil
+  end
+
+  it 'should not override the header if already set X-Content-Type-Options' do
+    mock_app with_headers("X-Content-Type-Options" => "sniff")
+    expect(get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"]).to eq("sniff")
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,86 @@
+require 'rack/protection'
+require 'rack/test'
+require 'rack'
+
+Dir[File.expand_path('../support/**/*.rb', __FILE__)].each { |f| require f }
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause this
+# file to always be loaded, without a need to explicitly require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, make a
+# separate helper file that requires this one and then use it only in the specs
+# that actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # Enable only the newer, non-monkey-patching expect syntax.
+    # For more details, see:
+    #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+    expectations.syntax = :expect
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Enable only the newer, non-monkey-patching expect syntax.
+    # For more details, see:
+    #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+    mocks.syntax = :expect
+
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended.
+    mocks.verify_partial_doubles = true
+  end
+
+  config.include Rack::Test::Methods
+  config.include SpecHelpers
+end

data/spec/support/dummy_app.rb

@@ -0,0 +1,7 @@
+module DummyApp
+  def self.call(env)
+    Thread.current[:last_env] = env
+    body = (env['REQUEST_METHOD'] == 'HEAD' ? '' : 'ok')
+    [200, {'Content-Type' => env['wants'] || 'text/plain'}, [body]]
+  end
+end

data/spec/support/not_implemented_as_pending.rb

@@ -0,0 +1,23 @@
+# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
+module NotImplementedAsPending
+  def self.included(base)
+    base.class_eval do
+      alias_method :__finish__, :finish
+      remove_method :finish
+    end
+  end
+
+  def finish(reporter)
+    if @exception.is_a?(NotImplementedError)
+      from = @exception.backtrace[0]
+      message = "#{@exception.message} (from #{from})"
+      @pending_declared_in_example = message
+      metadata[:pending] = true
+      @exception = nil
+    end
+
+    __finish__(reporter)
+  end
+
+  RSpec::Core::Example.send :include, self
+end

data/spec/support/rack_monkey_patches.rb

@@ -0,0 +1,21 @@
+if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
+  version = Gem.loaded_specs['rack'].version.to_s
+else
+  version = Rack.release + '.0'
+end
+
+if version == "1.3"
+  Rack::Session::Abstract::ID.class_eval do
+    private
+    def prepare_session(env)
+      session_was                  = env[ENV_SESSION_KEY]
+      env[ENV_SESSION_KEY]         = SessionHash.new(self, env)
+      env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
+      env[ENV_SESSION_KEY].merge! session_was if session_was
+    end
+  end
+end
+
+unless Rack::MockResponse.method_defined? :header
+  Rack::MockResponse.send(:alias_method, :header, :headers)
+end

data/spec/support/shared_examples.rb

@@ -0,0 +1,65 @@
+shared_examples_for 'any rack application' do
+  it "should not interfere with normal get requests" do
+    expect(get('/')).to be_ok
+    expect(body).to eq('ok')
+  end
+
+  it "should not interfere with normal head requests" do
+    expect(head('/')).to be_ok
+  end
+
+  it 'should not leak changes to env' do
+    klass    = described_class
+    detector = Struct.new(:app) do
+      def call(env)
+        was = env.dup
+        res = app.call(env)
+        was.each do |k,v|
+          next if env[k] == v
+          fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
+        end
+        res
+      end
+    end
+
+    mock_app do
+      use Rack::Head
+      use(Rack::Config) { |e| e['rack.session'] ||= {}}
+      use detector
+      use klass
+      run DummyApp
+    end
+
+    expect(get('/..', :foo => '<bar>')).to be_ok
+  end
+
+  it 'allows passing on values in env' do
+    klass    = described_class
+    changer  = Struct.new(:app) do
+      def call(env)
+        env['foo.bar'] = 42
+        app.call(env)
+      end
+    end
+    detector = Struct.new(:app) do
+      def call(env)
+        app.call(env)
+      end
+    end
+
+    expect_any_instance_of(detector).to receive(:call).with(
+      hash_including('foo.bar' => 42)
+    ).and_call_original
+
+    mock_app do
+      use Rack::Head
+      use(Rack::Config) { |e| e['rack.session'] ||= {}}
+      use changer
+      use klass
+      use detector
+      run DummyApp
+    end
+
+    expect(get('/')).to be_ok
+  end
+end

data/spec/support/spec_helpers.rb

@@ -0,0 +1,36 @@
+require 'forwardable'
+
+module SpecHelpers
+  extend Forwardable
+  def_delegators :last_response, :body, :headers, :status, :errors
+  def_delegators :current_session, :env_for
+  attr_writer :app
+
+  def app
+    @app ||= nil
+    @app || mock_app(DummyApp)
+  end
+
+  def mock_app(app = nil, &block)
+    app = block if app.nil? and block.arity == 1
+    if app
+      klass = described_class
+      mock_app do
+        use Rack::Head
+        use(Rack::Config) { |e| e['rack.session'] ||= {}}
+        use klass
+        run app
+      end
+    else
+      @app = Rack::Lint.new Rack::Builder.new(&block).to_app
+    end
+  end
+
+  def with_headers(headers)
+    proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
+  end
+
+  def env
+    Thread.current[:last_env]
+  end
+end

metadata

@@ -0,0 +1,180 @@
+--- !ruby/object:Gem::Specification
+name: rack-protection-monkey
+version: !ruby/object:Gem::Version
+  version: 1.5.3
+platform: ruby
+authors:
+- Konstantin Haase
+- Alex Rodionov
+- Patrick Ellis
+- Jason Staten
+- ITO Nobuaki
+- Jeff Welling
+- Matteo Centenaro
+- Egor Homakov
+- Florian Gilcher
+- Fojas
+- Igor Bochkariov
+- Mael Clerambault
+- Martin Mauch
+- Renne Nissinen
+- SAKAI, Kazuaki
+- Stanislav Savulchik
+- Steve Agalloco
+- TOBY
+- Thais Camilo and Konstantin Haase
+- Vipul A M
+- Akzhan Abdulin
+- brookemckim
+- Bjørge Næss
+- Chris Heald
+- Chris Mytton
+- Corey Ward
+- Dario Cravero
+- David Kellum
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-08-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+description: You should use protection! - Monkey Version
+email:
+- konstantin.mailinglists@googlemail.com
+- p0deje@gmail.com
+- jstaten07@gmail.com
+- patrick@soundcloud.com
+- jeff.welling@gmail.com
+- bugant@gmail.com
+- daydream.trippers@gmail.com
+- florian.gilcher@asquera.de
+- developer@fojasaur.us
+- ujifgc@gmail.com
+- mael@clerambault.fr
+- martin.mauch@gmail.com
+- rennex@iki.fi
+- kaz.july.7@gmail.com
+- s.savulchik@gmail.com
+- steve.agalloco@gmail.com
+- toby.net.info.mail+git@gmail.com
+- dev+narwen+rkh@rkh.im
+- vipulnsward@gmail.com
+- akzhan.abdulin@gmail.com
+- brooke@digitalocean.com
+- bjoerge@bengler.no
+- cheald@gmail.com
+- self@hecticjeff.net
+- coreyward@me.com
+- dario@uxtemple.com
+- dek-oss@gravitext.com
+- homakov@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- License
+- README.md
+- Rakefile
+- lib/rack-protection.rb
+- lib/rack/protection.rb
+- lib/rack/protection/authenticity_token.rb
+- lib/rack/protection/base.rb
+- lib/rack/protection/escaped_params.rb
+- lib/rack/protection/form_token.rb
+- lib/rack/protection/frame_options.rb
+- lib/rack/protection/http_origin.rb
+- lib/rack/protection/ip_spoofing.rb
+- lib/rack/protection/json_csrf.rb
+- lib/rack/protection/path_traversal.rb
+- lib/rack/protection/remote_referrer.rb
+- lib/rack/protection/remote_token.rb
+- lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/version.rb
+- lib/rack/protection/xss_header.rb
+- rack-protection.gemspec
+- spec/lib/rack/protection/authenticity_token_spec.rb
+- spec/lib/rack/protection/base_spec.rb
+- spec/lib/rack/protection/escaped_params_spec.rb
+- spec/lib/rack/protection/form_token_spec.rb
+- spec/lib/rack/protection/frame_options_spec.rb
+- spec/lib/rack/protection/http_origin_spec.rb
+- spec/lib/rack/protection/ip_spoofing_spec.rb
+- spec/lib/rack/protection/json_csrf_spec.rb
+- spec/lib/rack/protection/path_traversal_spec.rb
+- spec/lib/rack/protection/protection_spec.rb
+- spec/lib/rack/protection/remote_referrer_spec.rb
+- spec/lib/rack/protection/remote_token_spec.rb
+- spec/lib/rack/protection/session_hijacking_spec.rb
+- spec/lib/rack/protection/xss_header_spec.rb
+- spec/spec_helper.rb
+- spec/support/dummy_app.rb
+- spec/support/not_implemented_as_pending.rb
+- spec/support/rack_monkey_patches.rb
+- spec/support/shared_examples.rb
+- spec/support/spec_helpers.rb
+homepage: http://github.com/sinatra/rack-protection
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: You should use protection! - Monkey Version
+test_files: []