rack-protection-monkey 1.5.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f75c546a977915d22bdaf2e32eb1d903dc5e9f08
+  data.tar.gz: 617f770ae255145766f78710f51fce0994965b84
+SHA512:
+  metadata.gz: 6673074dd7b647fc40803fb2cc409097205857576dbb2456c3d3fe06a676926432816c268f1dea8d10e094b81fedba213608bd1f9eed05a926d6b6ad81f236d5
+  data.tar.gz: 2106e5478e00ac4b20451a820327721630a18b285efe69f0ea6c39c8b6c8c0494aaffc3802984b8e6ffebd0e222dd0352403e3a9390f627cb287cc1605098fe9

data/License

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Konstantin Haase
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,90 @@
+You should use protection!
+
+This gem protects against typical web attacks.
+Should work for all Rack apps, including Rails.
+
+# Usage
+
+Use all protections you probably want to use:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection
+run MyApp
+```
+
+Skip a single protection middleware:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection, :except => :path_traversal
+run MyApp
+```
+
+Use a single protection middleware:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection::AuthenticityToken
+run MyApp
+```
+
+# Prevented Attacks
+
+## Cross Site Request Forgery
+
+Prevented by:
+
+* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
+* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
+* `Rack::Protection::JsonCsrf`
+* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
+* `Rack::Protection::RemoteToken`
+* `Rack::Protection::HttpOrigin`
+
+## Cross Site Scripting
+
+Prevented by:
+
+* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
+* `Rack::Protection::XSSHeader` (Internet Explorer only)
+
+## Clickjacking
+
+Prevented by:
+
+* `Rack::Protection::FrameOptions`
+
+## Directory Traversal
+
+Prevented by:
+
+* `Rack::Protection::PathTraversal`
+
+## Session Hijacking
+
+Prevented by:
+
+* `Rack::Protection::SessionHijacking`
+
+## IP Spoofing
+
+Prevented by:
+
+* `Rack::Protection::IPSpoofing`
+
+# Installation
+
+    gem install rack-protection
+
+# Instrumentation
+
+Instrumentation is enabled by passing in an instrumenter as an option.
+```
+use Rack::Protection, instrumenter: ActiveSupport::Notifications
+```
+
+The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.

data/Rakefile

@@ -0,0 +1,48 @@
+# encoding: utf-8
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+
+begin
+  require 'bundler'
+  Bundler::GemHelper.install_tasks
+rescue LoadError => e
+  $stderr.puts e
+end
+
+desc "run specs"
+task(:spec) { ruby '-S rspec spec' }
+
+desc "generate gemspec"
+task 'rack-protection.gemspec' do
+  require 'rack/protection/version'
+  content = File.binread 'rack-protection.gemspec'
+
+  # fetch data
+  fields = {
+    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
+    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+  }
+
+  # double email :(
+  fields[:email].delete("konstantin.haase@gmail.com")
+
+  # insert data
+  fields.each do |field, values|
+    updated = "  s.#{field} = ["
+    updated << values.map { |v| "\n    %p" % v }.join(',')
+    updated << "\n  ]"
+    content.sub!(/  s\.#{field} = \[\n(    .*\n)*  \]/, updated)
+  end
+
+  # set version
+  content.sub! /(s\.version.*=\s+).*/, "\\1\"#{Rack::Protection::VERSION}\""
+
+  # escape unicode
+  content.gsub!(/./) { |c| c.bytesize > 1 ? "\\u{#{c.codepoints.first.to_s(16)}}" : c }
+
+  File.open('rack-protection.gemspec', 'w') { |f| f << content }
+end
+
+task :gemspec => 'rack-protection.gemspec'
+task :default => :spec
+task :test    => :spec

data/lib/rack-protection.rb

@@ -0,0 +1 @@
+require "rack/protection"

data/lib/rack/protection.rb

@@ -0,0 +1,40 @@
+require 'rack/protection/version'
+require 'rack'
+
+module Rack
+  module Protection
+    autoload :AuthenticityToken, 'rack/protection/authenticity_token'
+    autoload :Base,              'rack/protection/base'
+    autoload :EscapedParams,     'rack/protection/escaped_params'
+    autoload :FormToken,         'rack/protection/form_token'
+    autoload :FrameOptions,      'rack/protection/frame_options'
+    autoload :HttpOrigin,        'rack/protection/http_origin'
+    autoload :IPSpoofing,        'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,          'rack/protection/json_csrf'
+    autoload :PathTraversal,     'rack/protection/path_traversal'
+    autoload :RemoteReferrer,    'rack/protection/remote_referrer'
+    autoload :RemoteToken,       'rack/protection/remote_token'
+    autoload :SessionHijacking,  'rack/protection/session_hijacking'
+    autoload :XSSHeader,         'rack/protection/xss_header'
+
+    def self.new(app, options = {})
+      # does not include: RemoteReferrer, AuthenticityToken and FormToken
+      except = Array options[:except]
+      use_these = Array options[:use]
+      Rack::Builder.new do
+        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
+        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
+        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
+        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
+        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
+        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
+        run app
+      end.to_app
+    end
+  end
+end

data/lib/rack/protection/authenticity_token.rb

@@ -0,0 +1,31 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session.
+    #
+    # Compatible with Rails and rack-csrf.
+    #
+    # Options:
+    #
+    # authenticity_param: Defines the param's name that should contain the token on a request.
+    #
+    class AuthenticityToken < Base
+      default_options :authenticity_param => 'authenticity_token'
+
+      def accepts?(env)
+        session = session env
+        token   = session[:csrf] ||= session['_csrf_token'] || random_string
+        safe?(env) ||
+          env['HTTP_X_CSRF_TOKEN'] == token ||
+          Request.new(env).params[options[:authenticity_param]] == token
+      end
+    end
+  end
+end

data/lib/rack/protection/base.rb

@@ -0,0 +1,121 @@
+require 'rack/protection'
+require 'digest'
+require 'logger'
+require 'uri'
+
+module Rack
+  module Protection
+    class Base
+      DEFAULT_OPTIONS = {
+        :reaction    => :default_reaction, :logging   => true,
+        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
+        :session_key => 'rack.session',    :status    => 403,
+        :allow_empty_referrer => true,
+        :report_key           => "protection.failed",
+        :html_types           => %w[text/html application/xhtml]
+      }
+
+      attr_reader :app, :options
+
+      def self.default_options(options)
+        define_method(:default_options) { super().merge(options) }
+      end
+
+      def self.default_reaction(reaction)
+        alias_method(:default_reaction, reaction)
+      end
+
+      def default_options
+        DEFAULT_OPTIONS
+      end
+
+      def initialize(app, options = {})
+        @app, @options = app, default_options.merge(options)
+      end
+
+      def safe?(env)
+        %w[GET HEAD OPTIONS TRACE].include? env['REQUEST_METHOD']
+      end
+
+      def accepts?(env)
+        raise NotImplementedError, "#{self.class} implementation pending"
+      end
+
+      def call(env)
+        unless accepts? env
+          instrument env
+          result = react env
+        end
+        result or app.call(env)
+      end
+
+      def react(env)
+        result = send(options[:reaction], env)
+        result if Array === result and result.size == 3
+      end
+
+      def warn(env, message)
+        return unless options[:logging]
+        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
+        l.warn(message)
+      end
+
+      def instrument(env)
+        return unless i = options[:instrumenter]
+        env['rack.protection.attack'] = self.class.name.split('::').last.downcase
+        i.instrument('rack.protection', env)
+      end
+
+      def deny(env)
+        warn env, "attack prevented by #{self.class}"
+        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+      end
+
+      def report(env)
+        warn env, "attack reported by #{self.class}"
+        env[options[:report_key]] = true
+      end
+
+      def session?(env)
+        env.include? options[:session_key]
+      end
+
+      def session(env)
+        return env[options[:session_key]] if session? env
+        fail "you need to set up a session middleware *before* #{self.class}"
+      end
+
+      def drop_session(env)
+        session(env).clear if session? env
+      end
+
+      def referrer(env)
+        ref = env['HTTP_REFERER'].to_s
+        return if !options[:allow_empty_referrer] and ref.empty?
+        URI.parse(ref).host || Request.new(env).host
+      rescue URI::InvalidURIError
+      end
+
+      def origin(env)
+        env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
+      end
+
+      def random_string(secure = defined? SecureRandom)
+        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+      rescue NotImplementedError
+        random_string false
+      end
+
+      def encrypt(value)
+        options[:encryptor].hexdigest value.to_s
+      end
+
+      alias default_reaction deny
+
+      def html?(headers)
+        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
+        options[:html_types].include? header.last[/^\w+\/\w+/]
+      end
+    end
+  end
+end

data/lib/rack/protection/escaped_params.rb

@@ -0,0 +1,87 @@
+require 'rack/protection'
+require 'rack/utils'
+
+begin
+  require 'escape_utils'
+rescue LoadError
+end
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
+    #
+    # Automatically escapes Rack::Request#params so they can be embedded in HTML
+    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
+    # strings if defined, to avoid double-escaping in Rails.
+    #
+    # Options:
+    # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
+    #          Available: :html (default), :javascript, :url
+    class EscapedParams < Base
+      extend Rack::Utils
+
+      class << self
+        alias escape_url escape
+        public :escape_html
+      end
+
+      default_options :escape => :html,
+        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
+
+      def initialize(*)
+        super
+
+        modes       = Array options[:escape]
+        @escaper    = options[:escaper]
+        @html       = modes.include? :html
+        @javascript = modes.include? :javascript
+        @url        = modes.include? :url
+
+        if @javascript and not @escaper.respond_to? :escape_javascript
+          fail("Use EscapeUtils for JavaScript escaping.")
+        end
+      end
+
+      def call(env)
+        request  = Request.new(env)
+        get_was  = handle(request.GET)
+        post_was = handle(request.POST) rescue nil
+        app.call env
+      ensure
+        request.GET.replace  get_was  if get_was
+        request.POST.replace post_was if post_was
+      end
+
+      def handle(hash)
+        was = hash.dup
+        hash.replace escape(hash)
+        was
+      end
+
+      def escape(object)
+        case object
+        when Hash   then escape_hash(object)
+        when Array  then object.map { |o| escape(o) }
+        when String then escape_string(object)
+        else nil
+        end
+      end
+
+      def escape_hash(hash)
+        hash = hash.dup
+        hash.each { |k,v| hash[k] = escape(v) }
+        hash
+      end
+
+      def escape_string(str)
+        str = @escaper.escape_url(str)        if @url
+        str = @escaper.escape_html(str)       if @html
+        str = @escaper.escape_javascript(str) if @javascript
+        str
+      end
+    end
+  end
+end