rack-protection-monkey 1.5.3
- checksums.yaml +7 -0
- data/License +20 -0
- data/README.md +90 -0
- data/Rakefile +48 -0
- data/lib/rack-protection.rb +1 -0
- data/lib/rack/protection.rb +40 -0
- data/lib/rack/protection/authenticity_token.rb +31 -0
- data/lib/rack/protection/base.rb +121 -0
- data/lib/rack/protection/escaped_params.rb +87 -0
- data/lib/rack/protection/form_token.rb +23 -0
- data/lib/rack/protection/frame_options.rb +37 -0
- data/lib/rack/protection/http_origin.rb +34 -0
- data/lib/rack/protection/ip_spoofing.rb +23 -0
- data/lib/rack/protection/json_csrf.rb +35 -0
- data/lib/rack/protection/path_traversal.rb +47 -0
- data/lib/rack/protection/remote_referrer.rb +20 -0
- data/lib/rack/protection/remote_token.rb +22 -0
- data/lib/rack/protection/session_hijacking.rb +36 -0
- data/lib/rack/protection/version.rb +16 -0
- data/lib/rack/protection/xss_header.rb +25 -0
- data/rack-protection.gemspec +123 -0
- data/spec/lib/rack/protection/authenticity_token_spec.rb +46 -0
- data/spec/lib/rack/protection/base_spec.rb +38 -0
- data/spec/lib/rack/protection/escaped_params_spec.rb +41 -0
- data/spec/lib/rack/protection/form_token_spec.rb +31 -0
- data/spec/lib/rack/protection/frame_options_spec.rb +37 -0
- data/spec/lib/rack/protection/http_origin_spec.rb +40 -0
- data/spec/lib/rack/protection/ip_spoofing_spec.rb +33 -0
- data/spec/lib/rack/protection/json_csrf_spec.rb +56 -0
- data/spec/lib/rack/protection/path_traversal_spec.rb +39 -0
- data/spec/lib/rack/protection/protection_spec.rb +103 -0
- data/spec/lib/rack/protection/remote_referrer_spec.rb +29 -0
- data/spec/lib/rack/protection/remote_token_spec.rb +40 -0
- data/spec/lib/rack/protection/session_hijacking_spec.rb +53 -0
- data/spec/lib/rack/protection/xss_header_spec.rb +54 -0
- data/spec/spec_helper.rb +86 -0
- data/spec/support/dummy_app.rb +7 -0
- data/spec/support/not_implemented_as_pending.rb +23 -0
- data/spec/support/rack_monkey_patches.rb +21 -0
- data/spec/support/shared_examples.rb +65 -0
- data/spec/support/spec_helpers.rb +36 -0
- metadata +180 -0
@@ -0,0 +1,29 @@
|
|
1
|
+
describe Rack::Protection::RemoteReferrer do
|
2
|
+
it_behaves_like "any rack application"
|
3
|
+
|
4
|
+
it "accepts post requests with no referrer" do
|
5
|
+
expect(post('/')).to be_ok
|
6
|
+
end
|
7
|
+
|
8
|
+
it "does not accept post requests with no referrer if allow_empty_referrer is false" do
|
9
|
+
mock_app do
|
10
|
+
use Rack::Protection::RemoteReferrer, :allow_empty_referrer => false
|
11
|
+
run DummyApp
|
12
|
+
end
|
13
|
+
expect(post('/')).not_to be_ok
|
14
|
+
end
|
15
|
+
|
16
|
+
it "should allow post request with a relative referrer" do
|
17
|
+
expect(post('/', {}, 'HTTP_REFERER' => '/')).to be_ok
|
18
|
+
end
|
19
|
+
|
20
|
+
it "accepts post requests with the same host in the referrer" do
|
21
|
+
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.com')
|
22
|
+
expect(last_response).to be_ok
|
23
|
+
end
|
24
|
+
|
25
|
+
it "denies post requests with a remote referrer" do
|
26
|
+
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
|
27
|
+
expect(last_response).not_to be_ok
|
28
|
+
end
|
29
|
+
end
|
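Review bot: The host-comparison cases only cover an exactly equal host (`example.com`) and a completely different one (`example.org`), so the spec cannot tell a parsed-host comparison apart from a substring or prefix match on the Referer. Add a negative case such as `post('/', {}, 'HTTP_REFERER' => 'http://example.org.evil.com/foo', 'HTTP_HOST' => 'example.org')` followed by `expect(last_response).not_to be_ok`, and a scheme-relative one (`'HTTP_REFERER' => '//evil.com/'`), since the relative-referrer example treats a leading slash as local. Whether the middleware actually parses the host cannot be confirmed from this hunk (lib/rack/protection/remote_referrer.rb is not shown), so this is a coverage gap rather than a confirmed defect.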
@@ -0,0 +1,40 @@
|
|
1
|
+
describe Rack::Protection::RemoteToken do
|
2
|
+
it_behaves_like "any rack application"
|
3
|
+
|
4
|
+
it "accepts post requests with no referrer" do
|
5
|
+
expect(post('/')).to be_ok
|
6
|
+
end
|
7
|
+
|
8
|
+
it "accepts post requests with a local referrer" do
|
9
|
+
expect(post('/', {}, 'HTTP_REFERER' => '/')).to be_ok
|
10
|
+
end
|
11
|
+
|
12
|
+
it "denies post requests with a remote referrer and no token" do
|
13
|
+
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
|
14
|
+
expect(last_response).not_to be_ok
|
15
|
+
end
|
16
|
+
|
17
|
+
it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
|
18
|
+
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
|
19
|
+
'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
|
20
|
+
expect(last_response).to be_ok
|
21
|
+
end
|
22
|
+
|
23
|
+
it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
|
24
|
+
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
|
25
|
+
'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
|
26
|
+
expect(last_response).not_to be_ok
|
27
|
+
end
|
28
|
+
|
29
|
+
it "accepts post form requests with a remote referrer and correct authenticity_token field" do
|
30
|
+
post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
|
31
|
+
'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
|
32
|
+
expect(last_response).to be_ok
|
33
|
+
end
|
34
|
+
|
35
|
+
it "denies post form requests with a remote referrer and wrong authenticity_token field" do
|
36
|
+
post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
|
37
|
+
'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
|
38
|
+
expect(last_response).not_to be_ok
|
39
|
+
end
|
40
|
+
end
|
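Review bot: Every accepted-token case uses a non-empty session token, so the spec never pins the empty-token path: a session whose `:csrf` is `""` presented with an empty `X-CSRF-Token` or `authenticity_token` must still be rejected, otherwise a session with a blank token would pass a plain `"" == ""` comparison. Add `post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => ""}, 'HTTP_X_CSRF_TOKEN' => "")` with `expect(last_response).not_to be_ok`, and the same shape for the form field. The header is otherwise only exercised with a one-character token, which says nothing about how the comparison is performed; the implementation is not in this hunk, so treat this as missing coverage.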
@@ -0,0 +1,53 @@
|
|
1
|
+
describe Rack::Protection::SessionHijacking do
|
2
|
+
it_behaves_like "any rack application"
|
3
|
+
|
4
|
+
it "accepts a session without changes to tracked parameters" do
|
5
|
+
session = {:foo => :bar}
|
6
|
+
get '/', {}, 'rack.session' => session
|
7
|
+
get '/', {}, 'rack.session' => session
|
8
|
+
expect(session[:foo]).to eq(:bar)
|
9
|
+
end
|
10
|
+
|
11
|
+
it "denies requests with a changing User-Agent header" do
|
12
|
+
session = {:foo => :bar}
|
13
|
+
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
|
14
|
+
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
|
15
|
+
expect(session).to be_empty
|
16
|
+
end
|
17
|
+
|
18
|
+
it "accepts requests with a changing Accept-Encoding header" do
|
19
|
+
# this is tested because previously it led to clearing the session
|
20
|
+
session = {:foo => :bar}
|
21
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
|
22
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
|
23
|
+
expect(session).not_to be_empty
|
24
|
+
end
|
25
|
+
|
26
|
+
it "denies requests with a changing Accept-Language header" do
|
27
|
+
session = {:foo => :bar}
|
28
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
|
29
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
|
30
|
+
expect(session).to be_empty
|
31
|
+
end
|
32
|
+
|
33
|
+
it "accepts requests with the same Accept-Language header" do
|
34
|
+
session = {:foo => :bar}
|
35
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
|
36
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
|
37
|
+
expect(session).not_to be_empty
|
38
|
+
end
|
39
|
+
|
40
|
+
it "comparison of Accept-Language header is not case sensitive" do
|
41
|
+
session = {:foo => :bar}
|
42
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
|
43
|
+
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
|
44
|
+
expect(session).not_to be_empty
|
45
|
+
end
|
46
|
+
|
47
|
+
it "accepts requests with a changing Version header"do
|
48
|
+
session = {:foo => :bar}
|
49
|
+
get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
|
50
|
+
get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
|
51
|
+
expect(session[:foo]).to eq(:bar)
|
52
|
+
end
|
53
|
+
end
|
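Review bot: `it "accepts requests with a changing Version header"do` is missing the space before `do`; write `it "accepts requests with a changing Version header" do`. Coverage-wise, every tracked-header example sends the header on both requests, so the case where a header is present on the first request and absent on the second (the shape a replayed cookie from a non-browser client usually takes) is never pinned; a pair like `'HTTP_USER_AGENT' => 'a'` followed by a request with no User-Agent and `expect(session).to be_empty` would close it. Which outcome the middleware chooses for a vanished header cannot be read from this hunk.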
@@ -0,0 +1,54 @@
|
|
1
|
+
describe Rack::Protection::XSSHeader do
|
2
|
+
it_behaves_like "any rack application"
|
3
|
+
|
4
|
+
it 'should set the X-XSS-Protection' do
|
5
|
+
expect(get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"]).to eq("1; mode=block")
|
6
|
+
end
|
7
|
+
|
8
|
+
it 'should set the X-XSS-Protection for XHTML' do
|
9
|
+
expect(get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"]).to eq("1; mode=block")
|
10
|
+
end
|
11
|
+
|
12
|
+
it 'should not set the X-XSS-Protection for other content types' do
|
13
|
+
expect(get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"]).to be_nil
|
14
|
+
end
|
15
|
+
|
16
|
+
it 'should allow changing the protection mode' do
|
17
|
+
# I have no clue what other modes are available
|
18
|
+
mock_app do
|
19
|
+
use Rack::Protection::XSSHeader, :xss_mode => :foo
|
20
|
+
run DummyApp
|
21
|
+
end
|
22
|
+
|
23
|
+
expect(get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"]).to eq("1; mode=foo")
|
24
|
+
end
|
25
|
+
|
26
|
+
it 'should not override the header if already set' do
|
27
|
+
mock_app with_headers("X-XSS-Protection" => "0")
|
28
|
+
expect(get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"]).to eq("0")
|
29
|
+
end
|
30
|
+
|
31
|
+
it 'should set the X-Content-Type-Options' do
|
32
|
+
expect(get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"]).to eq("nosniff")
|
33
|
+
end
|
34
|
+
|
35
|
+
|
36
|
+
it 'should set the X-Content-Type-Options for other content types' do
|
37
|
+
expect(get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"]).to eq("nosniff")
|
38
|
+
end
|
39
|
+
|
40
|
+
|
41
|
+
it 'should allow changing the nosniff-mode off' do
|
42
|
+
mock_app do
|
43
|
+
use Rack::Protection::XSSHeader, :nosniff => false
|
44
|
+
run DummyApp
|
45
|
+
end
|
46
|
+
|
47
|
+
expect(get('/').headers["X-Content-Type-Options"]).to be_nil
|
48
|
+
end
|
49
|
+
|
50
|
+
it 'should not override the header if already set X-Content-Type-Options' do
|
51
|
+
mock_app with_headers("X-Content-Type-Options" => "sniff")
|
52
|
+
expect(get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"]).to eq("sniff")
|
53
|
+
end
|
54
|
+
end
|
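Review bot: The comment `# I have no clue what other modes are available` should be replaced with what the header actually allows — `X-XSS-Protection` takes `0`, `1`, `1; mode=block` and `1; report=<uri>`, so `1; mode=foo` is not a value any browser honours, and the header itself is deprecated (modern browsers removed the XSS auditor; Content-Security-Policy is the supported control). A comment such as `# only 'block' is a defined mode; this just checks the option is passed through` would make the intent honest. The same example sends `'wants' => 'application/xhtml'`, which is not the XHTML media type used two examples earlier (`application/xhtml+xml`); if the middleware matches on a prefix this passes by accident, so use the real type. Two examples also read `.header[...]` where the rest of the file uses `.headers[...]`, relying on the alias added in spec/support/rack_monkey_patches.rb; use `.headers` throughout.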
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1,86 @@
|
|
1
|
+
require 'rack/protection'
|
2
|
+
require 'rack/test'
|
3
|
+
require 'rack'
|
4
|
+
|
5
|
+
Dir[File.expand_path('../support/**/*.rb', __FILE__)].each { |f| require f }
|
6
|
+
|
7
|
+
# This file was generated by the `rspec --init` command. Conventionally, all
|
8
|
+
# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
|
9
|
+
# The generated `.rspec` file contains `--require spec_helper` which will cause this
|
10
|
+
# file to always be loaded, without a need to explicitly require it in any files.
|
11
|
+
#
|
12
|
+
# Given that it is always loaded, you are encouraged to keep this file as
|
13
|
+
# light-weight as possible. Requiring heavyweight dependencies from this file
|
14
|
+
# will add to the boot time of your test suite on EVERY test run, even for an
|
15
|
+
# individual file that may not need all of that loaded. Instead, make a
|
16
|
+
# separate helper file that requires this one and then use it only in the specs
|
17
|
+
# that actually need it.
|
18
|
+
#
|
19
|
+
# The `.rspec` file also contains a few flags that are not defaults but that
|
20
|
+
# users commonly want.
|
21
|
+
#
|
22
|
+
# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
|
23
|
+
RSpec.configure do |config|
|
24
|
+
# The settings below are suggested to provide a good initial experience
|
25
|
+
# with RSpec, but feel free to customize to your heart's content.
|
26
|
+
|
27
|
+
# These two settings work together to allow you to limit a spec run
|
28
|
+
# to individual examples or groups you care about by tagging them with
|
29
|
+
# `:focus` metadata. When nothing is tagged with `:focus`, all examples
|
30
|
+
# get run.
|
31
|
+
config.filter_run :focus
|
32
|
+
config.run_all_when_everything_filtered = true
|
33
|
+
|
34
|
+
# Many RSpec users commonly either run the entire suite or an individual
|
35
|
+
# file, and it's useful to allow more verbose output when running an
|
36
|
+
# individual spec file.
|
37
|
+
if config.files_to_run.one?
|
38
|
+
# Use the documentation formatter for detailed output,
|
39
|
+
# unless a formatter has already been configured
|
40
|
+
# (e.g. via a command-line flag).
|
41
|
+
config.default_formatter = 'doc'
|
42
|
+
end
|
43
|
+
|
44
|
+
# Print the 10 slowest examples and example groups at the
|
45
|
+
# end of the spec run, to help surface which specs are running
|
46
|
+
# particularly slow.
|
47
|
+
config.profile_examples = 10
|
48
|
+
|
49
|
+
# Run specs in random order to surface order dependencies. If you find an
|
50
|
+
# order dependency and want to debug it, you can fix the order by providing
|
51
|
+
# the seed, which is printed after each run.
|
52
|
+
# --seed 1234
|
53
|
+
config.order = :random
|
54
|
+
|
55
|
+
# Seed global randomization in this process using the `--seed` CLI option.
|
56
|
+
# Setting this allows you to use `--seed` to deterministically reproduce
|
57
|
+
# test failures related to randomization by passing the same `--seed` value
|
58
|
+
# as the one that triggered the failure.
|
59
|
+
Kernel.srand config.seed
|
60
|
+
|
61
|
+
# rspec-expectations config goes here. You can use an alternate
|
62
|
+
# assertion/expectation library such as wrong or the stdlib/minitest
|
63
|
+
# assertions if you prefer.
|
64
|
+
config.expect_with :rspec do |expectations|
|
65
|
+
# Enable only the newer, non-monkey-patching expect syntax.
|
66
|
+
# For more details, see:
|
67
|
+
# - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
|
68
|
+
expectations.syntax = :expect
|
69
|
+
end
|
70
|
+
|
71
|
+
# rspec-mocks config goes here. You can use an alternate test double
|
72
|
+
# library (such as bogus or mocha) by changing the `mock_with` option here.
|
73
|
+
config.mock_with :rspec do |mocks|
|
74
|
+
# Enable only the newer, non-monkey-patching expect syntax.
|
75
|
+
# For more details, see:
|
76
|
+
# - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
|
77
|
+
mocks.syntax = :expect
|
78
|
+
|
79
|
+
# Prevents you from mocking or stubbing a method that does not exist on
|
80
|
+
# a real object. This is generally recommended.
|
81
|
+
mocks.verify_partial_doubles = true
|
82
|
+
end
|
83
|
+
|
84
|
+
config.include Rack::Test::Methods
|
85
|
+
config.include SpecHelpers
|
86
|
+
end
|
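Review bot: `config.filter_run :focus` together with `config.run_all_when_everything_filtered = true` means a committed `:focus` tag or `fit` silently narrows the whole suite to one example, and the CSRF and session regressions stop running without any failure; guard it with `config.filter_run :focus unless ENV['CI']` (the pinned `rspec ~> 3.0.0` predates `filter_run_when_matching`). The boilerplate comment says `.rspec` contains `--require spec_helper`, but no `.rspec` appears in the packaged file list above and the spec files do not require this helper themselves, so the packaged specs only load it if the Rakefile (not shown) passes that option; either ship `.rspec` or rewrite the comment. The remaining `rspec --init` commentary could be trimmed to the lines that describe choices actually made here.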
@@ -0,0 +1,23 @@
|
|
1
|
+
# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
|
2
|
+
module NotImplementedAsPending
|
3
|
+
def self.included(base)
|
4
|
+
base.class_eval do
|
5
|
+
alias_method :__finish__, :finish
|
6
|
+
remove_method :finish
|
7
|
+
end
|
8
|
+
end
|
9
|
+
|
10
|
+
def finish(reporter)
|
11
|
+
if @exception.is_a?(NotImplementedError)
|
12
|
+
from = @exception.backtrace[0]
|
13
|
+
message = "#{@exception.message} (from #{from})"
|
14
|
+
@pending_declared_in_example = message
|
15
|
+
metadata[:pending] = true
|
16
|
+
@exception = nil
|
17
|
+
end
|
18
|
+
|
19
|
+
__finish__(reporter)
|
20
|
+
end
|
21
|
+
|
22
|
+
RSpec::Core::Example.send :include, self
|
23
|
+
end
|
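Review bot: `finish` turns every `NotImplementedError` into a pending example, including one raised by the middleware under test or by Rack itself, so a protection that bails out with `raise NotImplementedError` would be reported as pending rather than as a failure. Restrict the conversion to errors raised from spec code, e.g. compute `from = @exception.backtrace[0]` before the check and use `if @exception.is_a?(NotImplementedError) && from.include?('/spec/')`. The method also reaches into RSpec internals (`@exception`, `@pending_declared_in_example`, `metadata[:pending]`), which is only known to work under the pinned `rspec ~> 3.0.0`; a comment saying so would save the next upgrade some surprise.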
@@ -0,0 +1,21 @@
|
|
1
|
+
if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
|
2
|
+
version = Gem.loaded_specs['rack'].version.to_s
|
3
|
+
else
|
4
|
+
version = Rack.release + '.0'
|
5
|
+
end
|
6
|
+
|
7
|
+
if version == "1.3"
|
8
|
+
Rack::Session::Abstract::ID.class_eval do
|
9
|
+
private
|
10
|
+
def prepare_session(env)
|
11
|
+
session_was = env[ENV_SESSION_KEY]
|
12
|
+
env[ENV_SESSION_KEY] = SessionHash.new(self, env)
|
13
|
+
env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
|
14
|
+
env[ENV_SESSION_KEY].merge! session_was if session_was
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
unless Rack::MockResponse.method_defined? :header
|
20
|
+
Rack::MockResponse.send(:alias_method, :header, :headers)
|
21
|
+
end
|
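Review bot: `if version == "1.3"` is effectively never true: `Gem.loaded_specs['rack'].version.to_s` yields a full version such as `1.3.10`, and the fallback `Rack.release + '.0'` yields `1.3.0`, so the `prepare_session` patch is dead code unless a gem versioned exactly `1.3` is installed. Compare major.minor instead, e.g. `if Gem::Version.new(version).segments[0, 2] == [1, 3]`. The first line also uses `and` for boolean logic (`defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'`); `&&` is the idiomatic form and avoids the precedence trap. If the patch is intentionally retired, delete it rather than leave a condition that looks active.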
@@ -0,0 +1,65 @@
|
|
1
|
+
shared_examples_for 'any rack application' do
|
2
|
+
it "should not interfere with normal get requests" do
|
3
|
+
expect(get('/')).to be_ok
|
4
|
+
expect(body).to eq('ok')
|
5
|
+
end
|
6
|
+
|
7
|
+
it "should not interfere with normal head requests" do
|
8
|
+
expect(head('/')).to be_ok
|
9
|
+
end
|
10
|
+
|
11
|
+
it 'should not leak changes to env' do
|
12
|
+
klass = described_class
|
13
|
+
detector = Struct.new(:app) do
|
14
|
+
def call(env)
|
15
|
+
was = env.dup
|
16
|
+
res = app.call(env)
|
17
|
+
was.each do |k,v|
|
18
|
+
next if env[k] == v
|
19
|
+
fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
|
20
|
+
end
|
21
|
+
res
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
mock_app do
|
26
|
+
use Rack::Head
|
27
|
+
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
28
|
+
use detector
|
29
|
+
use klass
|
30
|
+
run DummyApp
|
31
|
+
end
|
32
|
+
|
33
|
+
expect(get('/..', :foo => '<bar>')).to be_ok
|
34
|
+
end
|
35
|
+
|
36
|
+
it 'allows passing on values in env' do
|
37
|
+
klass = described_class
|
38
|
+
changer = Struct.new(:app) do
|
39
|
+
def call(env)
|
40
|
+
env['foo.bar'] = 42
|
41
|
+
app.call(env)
|
42
|
+
end
|
43
|
+
end
|
44
|
+
detector = Struct.new(:app) do
|
45
|
+
def call(env)
|
46
|
+
app.call(env)
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
expect_any_instance_of(detector).to receive(:call).with(
|
51
|
+
hash_including('foo.bar' => 42)
|
52
|
+
).and_call_original
|
53
|
+
|
54
|
+
mock_app do
|
55
|
+
use Rack::Head
|
56
|
+
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
57
|
+
use changer
|
58
|
+
use klass
|
59
|
+
use detector
|
60
|
+
run DummyApp
|
61
|
+
end
|
62
|
+
|
63
|
+
expect(get('/')).to be_ok
|
64
|
+
end
|
65
|
+
end
|
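Review bot: The env-leak detector snapshots the env with `was = env.dup`, a shallow copy, so in-place mutation of a value such as the `rack.session` hash (which SessionHijacking is specified elsewhere in this gem to clear) is invisible to `env[k] == v`; only rebinding a key is detected. Say so where the snapshot is taken, `# shallow copy: catches reassigned keys only, not mutation of the values`, or deep-copy the values that matter. Keys the middleware adds to env are also never checked because the loop iterates `was`; that may be intentional given the following 'allows passing on values in env' example, so a one-line note would settle it.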
@@ -0,0 +1,36 @@
|
|
1
|
+
require 'forwardable'
|
2
|
+
|
3
|
+
module SpecHelpers
|
4
|
+
extend Forwardable
|
5
|
+
def_delegators :last_response, :body, :headers, :status, :errors
|
6
|
+
def_delegators :current_session, :env_for
|
7
|
+
attr_writer :app
|
8
|
+
|
9
|
+
def app
|
10
|
+
@app ||= nil
|
11
|
+
@app || mock_app(DummyApp)
|
12
|
+
end
|
13
|
+
|
14
|
+
def mock_app(app = nil, &block)
|
15
|
+
app = block if app.nil? and block.arity == 1
|
16
|
+
if app
|
17
|
+
klass = described_class
|
18
|
+
mock_app do
|
19
|
+
use Rack::Head
|
20
|
+
use(Rack::Config) { |e| e['rack.session'] ||= {}}
|
21
|
+
use klass
|
22
|
+
run app
|
23
|
+
end
|
24
|
+
else
|
25
|
+
@app = Rack::Lint.new Rack::Builder.new(&block).to_app
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
def with_headers(headers)
|
30
|
+
proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
|
31
|
+
end
|
32
|
+
|
33
|
+
def env
|
34
|
+
Thread.current[:last_env]
|
35
|
+
end
|
36
|
+
end
|
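Review bot: `app = block if app.nil? and block.arity == 1` uses `and` for boolean logic and raises `NoMethodError` on `nil.arity` when `mock_app` is called with neither argument nor block; write `app = block if app.nil? && block && block.arity == 1`. `env` reads `Thread.current[:last_env]`, which nothing in this file writes — presumably spec/support/dummy_app.rb stores it there — so a comment naming the writer (`# set by DummyApp on each request`) would help. `with_headers` always answers `Content-Type: text/plain` while the XSSHeader examples steer content negotiation through the `wants` env key; that coupling deserves a comment on `with_headers`.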
metadata
ADDED
@@ -0,0 +1,180 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: rack-protection-monkey
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.5.3
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Konstantin Haase
|
8
|
+
- Alex Rodionov
|
9
|
+
- Patrick Ellis
|
10
|
+
- Jason Staten
|
11
|
+
- ITO Nobuaki
|
12
|
+
- Jeff Welling
|
13
|
+
- Matteo Centenaro
|
14
|
+
- Egor Homakov
|
15
|
+
- Florian Gilcher
|
16
|
+
- Fojas
|
17
|
+
- Igor Bochkariov
|
18
|
+
- Mael Clerambault
|
19
|
+
- Martin Mauch
|
20
|
+
- Renne Nissinen
|
21
|
+
- SAKAI, Kazuaki
|
22
|
+
- Stanislav Savulchik
|
23
|
+
- Steve Agalloco
|
24
|
+
- TOBY
|
25
|
+
- Thais Camilo and Konstantin Haase
|
26
|
+
- Vipul A M
|
27
|
+
- Akzhan Abdulin
|
28
|
+
- brookemckim
|
29
|
+
- Bjørge Næss
|
30
|
+
- Chris Heald
|
31
|
+
- Chris Mytton
|
32
|
+
- Corey Ward
|
33
|
+
- Dario Cravero
|
34
|
+
- David Kellum
|
35
|
+
autorequire:
|
36
|
+
bindir: bin
|
37
|
+
cert_chain: []
|
38
|
+
date: 2015-08-31 00:00:00.000000000 Z
|
39
|
+
dependencies:
|
40
|
+
- !ruby/object:Gem::Dependency
|
41
|
+
name: rack
|
42
|
+
requirement: !ruby/object:Gem::Requirement
|
43
|
+
requirements:
|
44
|
+
- - ">="
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: '0'
|
47
|
+
type: :runtime
|
48
|
+
prerelease: false
|
49
|
+
version_requirements: !ruby/object:Gem::Requirement
|
50
|
+
requirements:
|
51
|
+
- - ">="
|
52
|
+
- !ruby/object:Gem::Version
|
53
|
+
version: '0'
|
54
|
+
- !ruby/object:Gem::Dependency
|
55
|
+
name: rack-test
|
56
|
+
requirement: !ruby/object:Gem::Requirement
|
57
|
+
requirements:
|
58
|
+
- - ">="
|
59
|
+
- !ruby/object:Gem::Version
|
60
|
+
version: '0'
|
61
|
+
type: :development
|
62
|
+
prerelease: false
|
63
|
+
version_requirements: !ruby/object:Gem::Requirement
|
64
|
+
requirements:
|
65
|
+
- - ">="
|
66
|
+
- !ruby/object:Gem::Version
|
67
|
+
version: '0'
|
68
|
+
- !ruby/object:Gem::Dependency
|
69
|
+
name: rspec
|
70
|
+
requirement: !ruby/object:Gem::Requirement
|
71
|
+
requirements:
|
72
|
+
- - "~>"
|
73
|
+
- !ruby/object:Gem::Version
|
74
|
+
version: 3.0.0
|
75
|
+
type: :development
|
76
|
+
prerelease: false
|
77
|
+
version_requirements: !ruby/object:Gem::Requirement
|
78
|
+
requirements:
|
79
|
+
- - "~>"
|
80
|
+
- !ruby/object:Gem::Version
|
81
|
+
version: 3.0.0
|
82
|
+
description: You should use protection! - Monkey Version
|
83
|
+
email:
|
84
|
+
- konstantin.mailinglists@googlemail.com
|
85
|
+
- p0deje@gmail.com
|
86
|
+
- jstaten07@gmail.com
|
87
|
+
- patrick@soundcloud.com
|
88
|
+
- jeff.welling@gmail.com
|
89
|
+
- bugant@gmail.com
|
90
|
+
- daydream.trippers@gmail.com
|
91
|
+
- florian.gilcher@asquera.de
|
92
|
+
- developer@fojasaur.us
|
93
|
+
- ujifgc@gmail.com
|
94
|
+
- mael@clerambault.fr
|
95
|
+
- martin.mauch@gmail.com
|
96
|
+
- rennex@iki.fi
|
97
|
+
- kaz.july.7@gmail.com
|
98
|
+
- s.savulchik@gmail.com
|
99
|
+
- steve.agalloco@gmail.com
|
100
|
+
- toby.net.info.mail+git@gmail.com
|
101
|
+
- dev+narwen+rkh@rkh.im
|
102
|
+
- vipulnsward@gmail.com
|
103
|
+
- akzhan.abdulin@gmail.com
|
104
|
+
- brooke@digitalocean.com
|
105
|
+
- bjoerge@bengler.no
|
106
|
+
- cheald@gmail.com
|
107
|
+
- self@hecticjeff.net
|
108
|
+
- coreyward@me.com
|
109
|
+
- dario@uxtemple.com
|
110
|
+
- dek-oss@gravitext.com
|
111
|
+
- homakov@gmail.com
|
112
|
+
executables: []
|
113
|
+
extensions: []
|
114
|
+
extra_rdoc_files: []
|
115
|
+
files:
|
116
|
+
- License
|
117
|
+
- README.md
|
118
|
+
- Rakefile
|
119
|
+
- lib/rack-protection.rb
|
120
|
+
- lib/rack/protection.rb
|
121
|
+
- lib/rack/protection/authenticity_token.rb
|
122
|
+
- lib/rack/protection/base.rb
|
123
|
+
- lib/rack/protection/escaped_params.rb
|
124
|
+
- lib/rack/protection/form_token.rb
|
125
|
+
- lib/rack/protection/frame_options.rb
|
126
|
+
- lib/rack/protection/http_origin.rb
|
127
|
+
- lib/rack/protection/ip_spoofing.rb
|
128
|
+
- lib/rack/protection/json_csrf.rb
|
129
|
+
- lib/rack/protection/path_traversal.rb
|
130
|
+
- lib/rack/protection/remote_referrer.rb
|
131
|
+
- lib/rack/protection/remote_token.rb
|
132
|
+
- lib/rack/protection/session_hijacking.rb
|
133
|
+
- lib/rack/protection/version.rb
|
134
|
+
- lib/rack/protection/xss_header.rb
|
135
|
+
- rack-protection.gemspec
|
136
|
+
- spec/lib/rack/protection/authenticity_token_spec.rb
|
137
|
+
- spec/lib/rack/protection/base_spec.rb
|
138
|
+
- spec/lib/rack/protection/escaped_params_spec.rb
|
139
|
+
- spec/lib/rack/protection/form_token_spec.rb
|
140
|
+
- spec/lib/rack/protection/frame_options_spec.rb
|
141
|
+
- spec/lib/rack/protection/http_origin_spec.rb
|
142
|
+
- spec/lib/rack/protection/ip_spoofing_spec.rb
|
143
|
+
- spec/lib/rack/protection/json_csrf_spec.rb
|
144
|
+
- spec/lib/rack/protection/path_traversal_spec.rb
|
145
|
+
- spec/lib/rack/protection/protection_spec.rb
|
146
|
+
- spec/lib/rack/protection/remote_referrer_spec.rb
|
147
|
+
- spec/lib/rack/protection/remote_token_spec.rb
|
148
|
+
- spec/lib/rack/protection/session_hijacking_spec.rb
|
149
|
+
- spec/lib/rack/protection/xss_header_spec.rb
|
150
|
+
- spec/spec_helper.rb
|
151
|
+
- spec/support/dummy_app.rb
|
152
|
+
- spec/support/not_implemented_as_pending.rb
|
153
|
+
- spec/support/rack_monkey_patches.rb
|
154
|
+
- spec/support/shared_examples.rb
|
155
|
+
- spec/support/spec_helpers.rb
|
156
|
+
homepage: http://github.com/sinatra/rack-protection
|
157
|
+
licenses:
|
158
|
+
- MIT
|
159
|
+
metadata: {}
|
160
|
+
post_install_message:
|
161
|
+
rdoc_options: []
|
162
|
+
require_paths:
|
163
|
+
- lib
|
164
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
165
|
+
requirements:
|
166
|
+
- - ">="
|
167
|
+
- !ruby/object:Gem::Version
|
168
|
+
version: '0'
|
169
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
170
|
+
requirements:
|
171
|
+
- - ">="
|
172
|
+
- !ruby/object:Gem::Version
|
173
|
+
version: '0'
|
174
|
+
requirements: []
|
175
|
+
rubyforge_project:
|
176
|
+
rubygems_version: 2.4.5
|
177
|
+
signing_key:
|
178
|
+
specification_version: 4
|
179
|
+
summary: You should use protection! - Monkey Version
|
180
|
+
test_files: []
|
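Review bot: The gem is published as `rack-protection-monkey` yet `homepage` points at `http://github.com/sinatra/rack-protection`, the upstream project, so consumers have no pointer to the source of this fork and cannot audit what the "Monkey Version" changed; set `homepage` (or `metadata: {source_code_uri: ...}`) to the fork's repository and state the delta in `description`. `cert_chain: []` and an empty `signing_key:` mean the release is unsigned, and the only runtime dependency is `rack >= 0`, which accepts any rack version including ones this code was never run against; a bound reflecting the versions actually tested (the patch in spec/support/rack_monkey_patches.rb targets 1.3) belongs in the gemspec. `test_files: []` while every spec is listed under `files:` is harmless but inconsistent.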