rack-protection-monkey 1.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/License +20 -0
- data/README.md +90 -0
- data/Rakefile +48 -0
- data/lib/rack-protection.rb +1 -0
- data/lib/rack/protection.rb +40 -0
- data/lib/rack/protection/authenticity_token.rb +31 -0
- data/lib/rack/protection/base.rb +121 -0
- data/lib/rack/protection/escaped_params.rb +87 -0
- data/lib/rack/protection/form_token.rb +23 -0
- data/lib/rack/protection/frame_options.rb +37 -0
- data/lib/rack/protection/http_origin.rb +34 -0
- data/lib/rack/protection/ip_spoofing.rb +23 -0
- data/lib/rack/protection/json_csrf.rb +35 -0
- data/lib/rack/protection/path_traversal.rb +47 -0
- data/lib/rack/protection/remote_referrer.rb +20 -0
- data/lib/rack/protection/remote_token.rb +22 -0
- data/lib/rack/protection/session_hijacking.rb +36 -0
- data/lib/rack/protection/version.rb +16 -0
- data/lib/rack/protection/xss_header.rb +25 -0
- data/rack-protection.gemspec +123 -0
- data/spec/lib/rack/protection/authenticity_token_spec.rb +46 -0
- data/spec/lib/rack/protection/base_spec.rb +38 -0
- data/spec/lib/rack/protection/escaped_params_spec.rb +41 -0
- data/spec/lib/rack/protection/form_token_spec.rb +31 -0
- data/spec/lib/rack/protection/frame_options_spec.rb +37 -0
- data/spec/lib/rack/protection/http_origin_spec.rb +40 -0
- data/spec/lib/rack/protection/ip_spoofing_spec.rb +33 -0
- data/spec/lib/rack/protection/json_csrf_spec.rb +56 -0
- data/spec/lib/rack/protection/path_traversal_spec.rb +39 -0
- data/spec/lib/rack/protection/protection_spec.rb +103 -0
- data/spec/lib/rack/protection/remote_referrer_spec.rb +29 -0
- data/spec/lib/rack/protection/remote_token_spec.rb +40 -0
- data/spec/lib/rack/protection/session_hijacking_spec.rb +53 -0
- data/spec/lib/rack/protection/xss_header_spec.rb +54 -0
- data/spec/spec_helper.rb +86 -0
- data/spec/support/dummy_app.rb +7 -0
- data/spec/support/not_implemented_as_pending.rb +23 -0
- data/spec/support/rack_monkey_patches.rb +21 -0
- data/spec/support/shared_examples.rb +65 -0
- data/spec/support/spec_helpers.rb +36 -0
- metadata +180 -0
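--- a/data/spec/lib/rack/protection/remote_referrer_spec.rb
+++ b/data/spec/lib/rack/protection/remote_referrer_spec.rb
@@ -0,0 +1,29 @@
+describe Rack::Protection::RemoteReferrer do
+it_behaves_like "any rack application"
+
+it "accepts post requests with no referrer" do
+expect(post('/')).to be_ok
+end
+
+it "does not accept post requests with no referrer if allow_empty_referrer is false" do
+mock_app do
+use Rack::Protection::RemoteReferrer, :allow_empty_referrer => false
+run DummyApp
+end
+expect(post('/')).not_to be_ok
+end
+
+it "should allow post request with a relative referrer" do
+expect(post('/', {}, 'HTTP_REFERER' => '/')).to be_ok
+end
+
+it "accepts post requests with the same host in the referrer" do
+post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.com')
+expect(last_response).to be_ok
+end
+
+it "denies post requests with a remote referrer" do
+post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+expect(last_response).not_to be_ok
+end
+end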
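Review bot: The examples cover a relative referrer and an exact same-host referrer, but none fixes the behaviour for a referrer that shares the host name yet differs in scheme or port (for example `'HTTP_REFERER' => 'https://example.com:8443/foo', 'HTTP_HOST' => 'example.com'`), so the spec leaves that decision to whatever the implementation happens to do. Whether the middleware treats such a referrer as local cannot be told from this hunk; one explicit example either way would pin the contract. The example `it "should allow post request with a relative referrer"` also uses the "should" phrasing while its siblings use "accepts"/"denies"; `it "accepts post requests with a relative referrer" do` keeps the group consistent.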
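--- a/data/spec/lib/rack/protection/remote_token_spec.rb
+++ b/data/spec/lib/rack/protection/remote_token_spec.rb
@@ -0,0 +1,40 @@
+describe Rack::Protection::RemoteToken do
+it_behaves_like "any rack application"
+
+it "accepts post requests with no referrer" do
+expect(post('/')).to be_ok
+end
+
+it "accepts post requests with a local referrer" do
+expect(post('/', {}, 'HTTP_REFERER' => '/')).to be_ok
+end
+
+it "denies post requests with a remote referrer and no token" do
+post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+expect(last_response).not_to be_ok
+end
+
+it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
+post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+expect(last_response).to be_ok
+end
+
+it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
+post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+expect(last_response).not_to be_ok
+end
+
+it "accepts post form requests with a remote referrer and correct authenticity_token field" do
+post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
+expect(last_response).to be_ok
+end
+
+it "denies post form requests with a remote referrer and wrong authenticity_token field" do
+post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
+expect(last_response).not_to be_ok
+end
+end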
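Review bot: Every token example seeds the session with `'rack.session' => {:csrf => "a"}`, so the path where a remote-referrer POST carries an `X-CSRF-Token` header or `authenticity_token` field while the session holds no `:csrf` entry at all is never exercised. That is the branch in which a nil stored token is compared against request-supplied input, and it deserves its own example, e.g. `post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org', 'rack.session' => {}, 'HTTP_X_CSRF_TOKEN' => "a")` followed by `expect(last_response).not_to be_ok`. How the middleware handles a missing session token cannot be told from this hunk, which is exactly why the spec should state it.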
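--- a/data/spec/lib/rack/protection/session_hijacking_spec.rb
+++ b/data/spec/lib/rack/protection/session_hijacking_spec.rb
@@ -0,0 +1,53 @@
+describe Rack::Protection::SessionHijacking do
+it_behaves_like "any rack application"
+
+it "accepts a session without changes to tracked parameters" do
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session
+get '/', {}, 'rack.session' => session
+expect(session[:foo]).to eq(:bar)
+end
+
+it "denies requests with a changing User-Agent header" do
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
+get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
+expect(session).to be_empty
+end
+
+it "accepts requests with a changing Accept-Encoding header" do
+# this is tested because previously it led to clearing the session
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
+expect(session).not_to be_empty
+end
+
+it "denies requests with a changing Accept-Language header" do
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
+expect(session).to be_empty
+end
+
+it "accepts requests with the same Accept-Language header" do
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+expect(session).not_to be_empty
+end
+
+it "comparison of Accept-Language header is not case sensitive" do
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
+expect(session).not_to be_empty
+end
+
+it "accepts requests with a changing Version header"do
+session = {:foo => :bar}
+get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
+get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
+expect(session[:foo]).to eq(:bar)
+end
+end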
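Review bot: `it "accepts requests with a changing Version header"do` is missing the space before `do`; it parses, but it is the only example in the file written that way and should read `it "accepts requests with a changing Version header" do`. The assertions are also split between two styles: the first and last examples check `expect(session[:foo]).to eq(:bar)` while the others assert `be_empty`/`not_to be_empty` on the whole hash, so a reader has to work out that both mean "session kept"; using the `be_empty` pair throughout states the kept/cleared contract directly. The `# this is tested because previously it led to clearing the session` comment is the useful kind and the other "accepts" examples would benefit from the same one-line rationale.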
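--- a/data/spec/lib/rack/protection/xss_header_spec.rb
+++ b/data/spec/lib/rack/protection/xss_header_spec.rb
@@ -0,0 +1,54 @@
+describe Rack::Protection::XSSHeader do
+it_behaves_like "any rack application"
+
+it 'should set the X-XSS-Protection' do
+expect(get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"]).to eq("1; mode=block")
+end
+
+it 'should set the X-XSS-Protection for XHTML' do
+expect(get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"]).to eq("1; mode=block")
+end
+
+it 'should not set the X-XSS-Protection for other content types' do
+expect(get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"]).to be_nil
+end
+
+it 'should allow changing the protection mode' do
+# I have no clue what other modes are available
+mock_app do
+use Rack::Protection::XSSHeader, :xss_mode => :foo
+run DummyApp
+end
+
+expect(get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"]).to eq("1; mode=foo")
+end
+
+it 'should not override the header if already set' do
+mock_app with_headers("X-XSS-Protection" => "0")
+expect(get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"]).to eq("0")
+end
+
+it 'should set the X-Content-Type-Options' do
+expect(get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"]).to eq("nosniff")
+end
+
+
+it 'should set the X-Content-Type-Options for other content types' do
+expect(get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"]).to eq("nosniff")
+end
+
+
+it 'should allow changing the nosniff-mode off' do
+mock_app do
+use Rack::Protection::XSSHeader, :nosniff => false
+run DummyApp
+end
+
+expect(get('/').headers["X-Content-Type-Options"]).to be_nil
+end
+
+it 'should not override the header if already set X-Content-Type-Options' do
+mock_app with_headers("X-Content-Type-Options" => "sniff")
+expect(get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"]).to eq("sniff")
+end
+end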
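Review bot: The two `X-Content-Type-Options` examples read the response through `.header[...]` while every other example uses `.headers[...]`; the singular form only works because spec/support/rack_monkey_patches.rb aliases `header` to `headers` on `Rack::MockResponse`, so changing both to `.headers["X-Content-Type-Options"]` removes an avoidable dependency on that patch. The comment `# I have no clue what other modes are available` should say what the example actually demonstrates, e.g. `# the :xss_mode value is interpolated into the header as-is; :foo is deliberately non-standard to show that` — the values defined for X-XSS-Protection are `0`, `1` and `1; mode=block`. That example also requests `'wants' => 'application/xhtml'` where the earlier XHTML example uses `'application/xhtml+xml'`; whether both are meant to trigger the header cannot be told from this hunk, and aligning them avoids testing a content type the middleware may match only by accident.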
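--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1,86 @@
+require 'rack/protection'
+require 'rack/test'
+require 'rack'
+
+Dir[File.expand_path('../support/**/*.rb', __FILE__)].each { |f| require f }
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause this
+# file to always be loaded, without a need to explicitly require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, make a
+# separate helper file that requires this one and then use it only in the specs
+# that actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+
+# These two settings work together to allow you to limit a spec run
+# to individual examples or groups you care about by tagging them with
+# `:focus` metadata. When nothing is tagged with `:focus`, all examples
+# get run.
+config.filter_run :focus
+config.run_all_when_everything_filtered = true
+
+# Many RSpec users commonly either run the entire suite or an individual
+# file, and it's useful to allow more verbose output when running an
+# individual spec file.
+if config.files_to_run.one?
+# Use the documentation formatter for detailed output,
+# unless a formatter has already been configured
+# (e.g. via a command-line flag).
+config.default_formatter = 'doc'
+end
+
+# Print the 10 slowest examples and example groups at the
+# end of the spec run, to help surface which specs are running
+# particularly slow.
+config.profile_examples = 10
+
+# Run specs in random order to surface order dependencies. If you find an
+# order dependency and want to debug it, you can fix the order by providing
+# the seed, which is printed after each run.
+# --seed 1234
+config.order = :random
+
+# Seed global randomization in this process using the `--seed` CLI option.
+# Setting this allows you to use `--seed` to deterministically reproduce
+# test failures related to randomization by passing the same `--seed` value
+# as the one that triggered the failure.
+Kernel.srand config.seed
+
+# rspec-expectations config goes here. You can use an alternate
+# assertion/expectation library such as wrong or the stdlib/minitest
+# assertions if you prefer.
+config.expect_with :rspec do |expectations|
+# Enable only the newer, non-monkey-patching expect syntax.
+# For more details, see:
+# - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+expectations.syntax = :expect
+end
+
+# rspec-mocks config goes here. You can use an alternate test double
+# library (such as bogus or mocha) by changing the `mock_with` option here.
+config.mock_with :rspec do |mocks|
+# Enable only the newer, non-monkey-patching expect syntax.
+# For more details, see:
+# - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+mocks.syntax = :expect
+
+# Prevents you from mocking or stubbing a method that does not exist on
+# a real object. This is generally recommended.
+mocks.verify_partial_doubles = true
+end
+
+config.include Rack::Test::Methods
+config.include SpecHelpers
+end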
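--- a/data/spec/support/not_implemented_as_pending.rb
+++ b/data/spec/support/not_implemented_as_pending.rb
@@ -0,0 +1,23 @@
+# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
+module NotImplementedAsPending
+def self.included(base)
+base.class_eval do
+alias_method :__finish__, :finish
+remove_method :finish
+end
+end
+
+def finish(reporter)
+if @exception.is_a?(NotImplementedError)
+from = @exception.backtrace[0]
+message = "#{@exception.message} (from #{from})"
+@pending_declared_in_example = message
+metadata[:pending] = true
+@exception = nil
+end
+
+__finish__(reporter)
+end
+
+RSpec::Core::Example.send :include, self
+end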
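Review bot: `finish` reaches into `RSpec::Core::Example` private state (`@exception`, `@pending_declared_in_example`, `metadata[:pending]`) and swaps out `finish` via `alias_method`/`remove_method`, so it will silently stop converting NotImplementedError into pending the moment those internals move; the gemspec in this release pins rspec to `~> 3.0.0`, and the module is only safe while that pin holds. A header comment should state the coupling, e.g. `# Relies on RSpec::Core::Example internals (@exception, @pending_declared_in_example, #finish); re-verify on any rspec-core upgrade.` `@exception.backtrace[0]` also assumes a backtrace exists; `from = Array(@exception.backtrace).first` avoids a NoMethodError for an exception raised without one.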
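--- a/data/spec/support/rack_monkey_patches.rb
+++ b/data/spec/support/rack_monkey_patches.rb
@@ -0,0 +1,21 @@
+if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
+version = Gem.loaded_specs['rack'].version.to_s
+else
+version = Rack.release + '.0'
+end
+
+if version == "1.3"
+Rack::Session::Abstract::ID.class_eval do
+private
+def prepare_session(env)
+session_was = env[ENV_SESSION_KEY]
+env[ENV_SESSION_KEY] = SessionHash.new(self, env)
+env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
+env[ENV_SESSION_KEY].merge! session_was if session_was
+end
+end
+end
+
+unless Rack::MockResponse.method_defined? :header
+Rack::MockResponse.send(:alias_method, :header, :headers)
+end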
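Review bot: The guard `if version == "1.3"` appears unreachable: the first branch yields `Gem.loaded_specs['rack'].version.to_s`, a full version string such as 1.3.x, and the fallback appends `'.0'` to `Rack.release`, so neither branch can produce the bare string `"1.3"` and the `prepare_session` override is never installed. If every 1.3 release is meant, `if version.start_with?("1.3.")` expresses it; if only 1.3.0 was meant, compare against `"1.3.0"`; either way a one-line comment on why 1.3 needs the session re-merge would help, since the reason is not recoverable from this hunk. The first line also uses `and` where `&&` is the conventional boolean operator.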
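--- a/data/spec/support/shared_examples.rb
+++ b/data/spec/support/shared_examples.rb
@@ -0,0 +1,65 @@
+shared_examples_for 'any rack application' do
+it "should not interfere with normal get requests" do
+expect(get('/')).to be_ok
+expect(body).to eq('ok')
+end
+
+it "should not interfere with normal head requests" do
+expect(head('/')).to be_ok
+end
+
+it 'should not leak changes to env' do
+klass = described_class
+detector = Struct.new(:app) do
+def call(env)
+was = env.dup
+res = app.call(env)
+was.each do |k,v|
+next if env[k] == v
+fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
+end
+res
+end
+end
+
+mock_app do
+use Rack::Head
+use(Rack::Config) { |e| e['rack.session'] ||= {}}
+use detector
+use klass
+run DummyApp
+end
+
+expect(get('/..', :foo => '<bar>')).to be_ok
+end
+
+it 'allows passing on values in env' do
+klass = described_class
+changer = Struct.new(:app) do
+def call(env)
+env['foo.bar'] = 42
+app.call(env)
+end
+end
+detector = Struct.new(:app) do
+def call(env)
+app.call(env)
+end
+end
+
+expect_any_instance_of(detector).to receive(:call).with(
+hash_including('foo.bar' => 42)
+).and_call_original
+
+mock_app do
+use Rack::Head
+use(Rack::Config) { |e| e['rack.session'] ||= {}}
+use changer
+use klass
+use detector
+run DummyApp
+end
+
+expect(get('/')).to be_ok
+end
+end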
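Review bot: In the 'should not leak changes to env' example the detector snapshots `env.dup`, a shallow copy, and then compares each old value with `==`, so a middleware that mutates a value in place — for instance adding keys to the `'rack.session'` hash that `Rack::Config` installs just above it — leaves `env[k]` and `v` as the very same object and the check passes without noticing. It also iterates only the keys present before the call, so keys the middleware adds are never flagged; that looks intended given the next example asserts values may be passed on, but the contract should be written down, e.g. `# shallow check: catches reassigned env keys, not in-place mutation of values or newly added keys`. If in-place mutation of the session is something the protections must not do, the example needs a separate assertion on the session object itself.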
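--- a/data/spec/support/spec_helpers.rb
+++ b/data/spec/support/spec_helpers.rb
@@ -0,0 +1,36 @@
+require 'forwardable'
+
+module SpecHelpers
+extend Forwardable
+def_delegators :last_response, :body, :headers, :status, :errors
+def_delegators :current_session, :env_for
+attr_writer :app
+
+def app
+@app ||= nil
+@app || mock_app(DummyApp)
+end
+
+def mock_app(app = nil, &block)
+app = block if app.nil? and block.arity == 1
+if app
+klass = described_class
+mock_app do
+use Rack::Head
+use(Rack::Config) { |e| e['rack.session'] ||= {}}
+use klass
+run app
+end
+else
+@app = Rack::Lint.new Rack::Builder.new(&block).to_app
+end
+end
+
+def with_headers(headers)
+proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
+end
+
+def env
+Thread.current[:last_env]
+end
+end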
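Review bot: `mock_app(app = nil, &block)` evaluates `block.arity` whenever `app` is nil, so calling `mock_app` with neither an app nor a block fails with a NoMethodError on nil rather than a clear ArgumentError; `app = block if app.nil? && block && block.arity == 1` guards it, and `&&` replaces `and`, whose lower precedence is easy to misread in a condition like this. `@app ||= nil` immediately before `@app || mock_app(DummyApp)` is a no-op except for suppressing an uninitialized-instance-variable warning on older rubies and should say so, e.g. `# touch @app so -w does not warn on first access`. `env` returns `Thread.current[:last_env]`, but nothing in this file writes that key; either document where it is set or the helper is dead code.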
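--- a/metadata
+++ b/metadata
@@ -0,0 +1,180 @@
+--- !ruby/object:Gem::Specification
+name: rack-protection-monkey
+version: !ruby/object:Gem::Version
+version: 1.5.3
+platform: ruby
+authors:
+- Konstantin Haase
+- Alex Rodionov
+- Patrick Ellis
+- Jason Staten
+- ITO Nobuaki
+- Jeff Welling
+- Matteo Centenaro
+- Egor Homakov
+- Florian Gilcher
+- Fojas
+- Igor Bochkariov
+- Mael Clerambault
+- Martin Mauch
+- Renne Nissinen
+- SAKAI, Kazuaki
+- Stanislav Savulchik
+- Steve Agalloco
+- TOBY
+- Thais Camilo and Konstantin Haase
+- Vipul A M
+- Akzhan Abdulin
+- brookemckim
+- Bjørge Næss
+- Chris Heald
+- Chris Mytton
+- Corey Ward
+- Dario Cravero
+- David Kellum
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2015-08-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rack
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rack-test
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 3.0.0
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 3.0.0
+description: You should use protection! - Monkey Version
+email:
+- konstantin.mailinglists@googlemail.com
+- p0deje@gmail.com
+- jstaten07@gmail.com
+- patrick@soundcloud.com
+- jeff.welling@gmail.com
+- bugant@gmail.com
+- daydream.trippers@gmail.com
+- florian.gilcher@asquera.de
+- developer@fojasaur.us
+- ujifgc@gmail.com
+- mael@clerambault.fr
+- martin.mauch@gmail.com
+- rennex@iki.fi
+- kaz.july.7@gmail.com
+- s.savulchik@gmail.com
+- steve.agalloco@gmail.com
+- toby.net.info.mail+git@gmail.com
+- dev+narwen+rkh@rkh.im
+- vipulnsward@gmail.com
+- akzhan.abdulin@gmail.com
+- brooke@digitalocean.com
+- bjoerge@bengler.no
+- cheald@gmail.com
+- self@hecticjeff.net
+- coreyward@me.com
+- dario@uxtemple.com
+- dek-oss@gravitext.com
+- homakov@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- License
+- README.md
+- Rakefile
+- lib/rack-protection.rb
+- lib/rack/protection.rb
+- lib/rack/protection/authenticity_token.rb
+- lib/rack/protection/base.rb
+- lib/rack/protection/escaped_params.rb
+- lib/rack/protection/form_token.rb
+- lib/rack/protection/frame_options.rb
+- lib/rack/protection/http_origin.rb
+- lib/rack/protection/ip_spoofing.rb
+- lib/rack/protection/json_csrf.rb
+- lib/rack/protection/path_traversal.rb
+- lib/rack/protection/remote_referrer.rb
+- lib/rack/protection/remote_token.rb
+- lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/version.rb
+- lib/rack/protection/xss_header.rb
+- rack-protection.gemspec
+- spec/lib/rack/protection/authenticity_token_spec.rb
+- spec/lib/rack/protection/base_spec.rb
+- spec/lib/rack/protection/escaped_params_spec.rb
+- spec/lib/rack/protection/form_token_spec.rb
+- spec/lib/rack/protection/frame_options_spec.rb
+- spec/lib/rack/protection/http_origin_spec.rb
+- spec/lib/rack/protection/ip_spoofing_spec.rb
+- spec/lib/rack/protection/json_csrf_spec.rb
+- spec/lib/rack/protection/path_traversal_spec.rb
+- spec/lib/rack/protection/protection_spec.rb
+- spec/lib/rack/protection/remote_referrer_spec.rb
+- spec/lib/rack/protection/remote_token_spec.rb
+- spec/lib/rack/protection/session_hijacking_spec.rb
+- spec/lib/rack/protection/xss_header_spec.rb
+- spec/spec_helper.rb
+- spec/support/dummy_app.rb
+- spec/support/not_implemented_as_pending.rb
+- spec/support/rack_monkey_patches.rb
+- spec/support/shared_examples.rb
+- spec/support/spec_helpers.rb
+homepage: http://github.com/sinatra/rack-protection
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.5
+signing_key:
+specification_version: 4
+summary: You should use protection! - Monkey Version
+test_files: []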