rack-protection 2.0.7

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8409e3948b276eede337038b10bb8dc59add80afbfa28fbcd2160f9f52670b82
+  data.tar.gz: 1d5485791b331fad229c63535c5c94761dc839194a90ee22811a9eb6a5e6be40
+SHA512:
+  metadata.gz: 1bb5f7e556b1fdf46dd029c4f620e7062527d4b3280d0ce80e43552d5fd260f3445a4411f0f680689d215cc4532cb1e3f5b5cf64eae91a8411daccabeedcf557
+  data.tar.gz: 3108b981b3ada3ea6959f494f08fc6ea1c15e0bf9f269cf5d8a4c82103f9cdcf7d858fbf864eb95ab98fa9eaf041aef4d8f352d05e55167879563e7500896967

data/Gemfile

@@ -0,0 +1,13 @@
+source "https://rubygems.org"
+# encoding: utf-8
+
+gem 'rake'
+
+rack_version = ENV['rack'].to_s
+rack_version = nil if rack_version.empty? or rack_version == 'stable'
+rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+gem 'rack', rack_version
+
+gem 'sinatra', path: '..'
+
+gemspec

data/License

@@ -0,0 +1,23 @@
+The MIT License (MIT)
+
+Copyright (c) 2011-2017 Konstantin Haase
+Copyright (c) 2015-2017 Zachary Scott
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,118 @@
+# Rack::Protection
+
+This gem protects against typical web attacks.
+Should work for all Rack apps, including Rails.
+
+# Usage
+
+Use all protections you probably want to use:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection
+run MyApp
+```
+
+Skip a single protection middleware:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection, :except => :path_traversal
+run MyApp
+```
+
+Use a single protection middleware:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection::AuthenticityToken
+run MyApp
+```
+
+# Prevented Attacks
+
+## Cross Site Request Forgery
+
+Prevented by:
+
+* [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
+* [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
+* [`Rack::Protection::JsonCsrf`][json-csrf]
+* [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
+* [`Rack::Protection::RemoteToken`][remote-token]
+* [`Rack::Protection::HttpOrigin`][http-origin]
+
+## Cross Site Scripting
+
+Prevented by:
+
+* [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
+* [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
+* [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
+
+## Clickjacking
+
+Prevented by:
+
+* [`Rack::Protection::FrameOptions`][frame-options]
+
+## Directory Traversal
+
+Prevented by:
+
+* [`Rack::Protection::PathTraversal`][path-traversal]
+
+## Session Hijacking
+
+Prevented by:
+
+* [`Rack::Protection::SessionHijacking`][session-hijacking]
+
+## Cookie Tossing
+
+Prevented by:
+* [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
+
+## IP Spoofing
+
+Prevented by:
+
+* [`Rack::Protection::IPSpoofing`][ip-spoofing]
+
+## Helps to protect against protocol downgrade attacks and cookie hijacking
+
+Prevented by:
+
+* [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
+
+# Installation
+
+    gem install rack-protection
+
+# Instrumentation
+
+Instrumentation is enabled by passing in an instrumenter as an option.
+```
+use Rack::Protection, instrumenter: ActiveSupport::Notifications
+```
+
+The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
+
+[authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
+[content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
+[cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
+[escaped-params]: http://www.sinatrarb.com/protection/escaped_params
+[form-token]: http://www.sinatrarb.com/protection/form_token
+[frame-options]: http://www.sinatrarb.com/protection/frame_options
+[http-origin]: http://www.sinatrarb.com/protection/http_origin
+[ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
+[json-csrf]: http://www.sinatrarb.com/protection/json_csrf
+[path-traversal]: http://www.sinatrarb.com/protection/path_traversal
+[remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
+[remote-token]: http://www.sinatrarb.com/protection/remote_token
+[session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
+[strict-transport]: http://www.sinatrarb.com/protection/strict_transport
+[xss-header]: http://www.sinatrarb.com/protection/xss_header

data/Rakefile

@@ -0,0 +1,72 @@
+# encoding: utf-8
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+
+begin
+  require 'bundler'
+  Bundler::GemHelper.install_tasks
+rescue LoadError => e
+  $stderr.puts e
+end
+
+desc "run specs"
+task(:spec) { ruby '-S rspec spec' }
+
+namespace :doc do
+  task :readmes do
+    Dir.glob 'lib/rack/protection/*.rb' do |file|
+      excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
+      next if excluded_files.include?(file)
+      doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
+      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
+      Dir.mkdir "doc" unless File.directory? "doc"
+      puts "writing #{file}"
+      File.open(file, "w") { |f| f << doc }
+    end
+  end
+
+  task :index do
+    doc = File.read("README.md")
+    file = "doc/rack-protection-readme.md"
+    Dir.mkdir "doc" unless File.directory? "doc"
+    puts "writing #{file}"
+    File.open(file, "w") { |f| f << doc }
+  end
+
+  task :all => [:readmes, :index]
+end
+
+desc "generate documentation"
+task :doc => 'doc:all'
+
+desc "generate gemspec"
+task 'rack-protection.gemspec' do
+  require 'rack/protection/version'
+  content = File.binread 'rack-protection.gemspec'
+
+  # fetch data
+  fields = {
+    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
+    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
+  }
+
+  # insert data
+  fields.each do |field, values|
+    updated = "  s.#{field} = ["
+    updated << values.map { |v| "\n    %p" % v }.join(',')
+    updated << "\n  ]"
+    content.sub!(/  s\.#{field} = \[\n(    .*\n)*  \]/, updated)
+  end
+
+  # set version
+  content.sub! /(s\.version.*=\s+).*/, "\\1\"#{Rack::Protection::VERSION}\""
+
+  # escape unicode
+  content.gsub!(/./) { |c| c.bytesize > 1 ? "\\u{#{c.codepoints.first.to_s(16)}}" : c }
+
+  File.open('rack-protection.gemspec', 'w') { |f| f << content }
+end
+
+task :gemspec => 'rack-protection.gemspec'
+task :default => :spec
+task :test    => :spec

data/lib/rack-protection.rb

@@ -0,0 +1 @@
+require "rack/protection"

data/lib/rack/protection.rb

@@ -0,0 +1,54 @@
+require 'rack/protection/version'
+require 'rack'
+
+module Rack
+  module Protection
+    autoload :AuthenticityToken,     'rack/protection/authenticity_token'
+    autoload :Base,                  'rack/protection/base'
+    autoload :CookieTossing,         'rack/protection/cookie_tossing'
+    autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
+    autoload :EscapedParams,         'rack/protection/escaped_params'
+    autoload :FormToken,             'rack/protection/form_token'
+    autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HttpOrigin,            'rack/protection/http_origin'
+    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,              'rack/protection/json_csrf'
+    autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
+    autoload :RemoteToken,           'rack/protection/remote_token'
+    autoload :SessionHijacking,      'rack/protection/session_hijacking'
+    autoload :StrictTransport,       'rack/protection/strict_transport'
+    autoload :XSSHeader,             'rack/protection/xss_header'
+
+    def self.new(app, options = {})
+      # does not include: RemoteReferrer, AuthenticityToken and FormToken
+      except = Array options[:except]
+      use_these = Array options[:use]
+
+      if options.fetch(:without_session, false)
+        except += [:session_hijacking, :remote_token]
+      end
+
+      Rack::Builder.new do
+        # Off by default, unless added
+        use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
+        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
+        use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
+        use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
+
+        # On by default, unless skipped
+        use ::Rack::Protection::FrameOptions,          options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,            options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,            options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
+        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
+        use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
+        run app
+      end.to_app
+    end
+  end
+end

data/lib/rack/protection/authenticity_token.rb

@@ -0,0 +1,196 @@
+require 'rack/protection'
+require 'securerandom'
+require 'base64'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # This middleware only accepts requests other than <tt>GET</tt>,
+    # <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
+    # token matches the token included in the session.
+    #
+    # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
+    # data.
+    #
+    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    #
+    # == Options
+    #
+    # [<tt>:authenticity_param</tt>] the name of the param that should contain
+    #                                the token on a request. Default value:
+    #                                <tt>"authenticity_token"</tt>
+    #
+    # == Example: Forms application
+    #
+    # To show what the AuthenticityToken does, this section includes a sample
+    # program which shows two forms. One with, and one without a CSRF token
+    # The one without CSRF token field will get a 403 Forbidden response.
+    #
+    # Install the gem, then run the program:
+    #
+    #   gem install 'rack-protection'
+    #   ruby server.rb
+    #
+    # Here is <tt>server.rb</tt>:
+    #
+    #   require 'rack/protection'
+    #
+    #   app = Rack::Builder.app do
+    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Protection::AuthenticityToken
+    #
+    #     run -> (env) do
+    #       [200, {}, [
+    #         <<~EOS
+    #           <!DOCTYPE html>
+    #           <html lang="en">
+    #           <head>
+    #             <meta charset="UTF-8" />
+    #             <title>rack-protection minimal example</title>
+    #           </head>
+    #           <body>
+    #             <h1>Without Authenticity Token</h1>
+    #             <p>This takes you to <tt>Forbidden</tt></p>
+    #             <form action="" method="post">
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #
+    #             <h1>With Authenticity Token</h1>
+    #             <p>This successfully takes you to back to this form.</p>
+    #             <form action="" method="post">
+    #               <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #           </body>
+    #           </html>
+    #         EOS
+    #       ]]
+    #     end
+    #   end
+    #
+    #   Rack::Handler::WEBrick.run app
+    #
+    # == Example: Customize which POST parameter holds the token
+    #
+    # To customize the authenticity parameter for form data, use the
+    # <tt>:authenticity_param</tt> option:
+    #   use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
+    class AuthenticityToken < Base
+      TOKEN_LENGTH = 32
+
+      default_options :authenticity_param => 'authenticity_token',
+                      :allow_if => nil
+
+      def self.token(session)
+        self.new(nil).mask_authenticity_token(session)
+      end
+
+      def self.random_token
+        SecureRandom.base64(TOKEN_LENGTH)
+      end
+
+      def accepts?(env)
+        session = session env
+        set_token(session)
+
+        safe?(env) ||
+          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
+          ( options[:allow_if] && options[:allow_if].call(env) )
+      end
+
+      def mask_authenticity_token(session)
+        token = set_token(session)
+        mask_token(token)
+      end
+
+      private
+
+      def set_token(session)
+        session[:csrf] ||= self.class.random_token
+      end
+
+      # Checks the client's masked token to see if it matches the
+      # session token.
+      def valid_token?(session, token)
+        return false if token.nil? || token.empty?
+
+        begin
+          token = decode_token(token)
+        rescue ArgumentError # encoded_masked_token is invalid Base64
+          return false
+        end
+
+        # See if it's actually a masked token or not. We should be able
+        # to handle any unmasked tokens that we've issued without error.
+
+        if unmasked_token?(token)
+          compare_with_real_token token, session
+
+        elsif masked_token?(token)
+          token = unmask_token(token)
+
+          compare_with_real_token token, session
+
+        else
+          false # Token is malformed
+        end
+      end
+
+      # Creates a masked version of the authenticity token that varies
+      # on each request. The masking is used to mitigate SSL attacks
+      # like BREACH.
+      def mask_token(token)
+        token = decode_token(token)
+        one_time_pad = SecureRandom.random_bytes(token.length)
+        encrypted_token = xor_byte_strings(one_time_pad, token)
+        masked_token = one_time_pad + encrypted_token
+        encode_token(masked_token)
+      end
+
+      # Essentially the inverse of +mask_token+.
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        token_length = masked_token.length / 2
+        one_time_pad = masked_token[0...token_length]
+        encrypted_token = masked_token[token_length..-1]
+        xor_byte_strings(one_time_pad, encrypted_token)
+      end
+
+      def unmasked_token?(token)
+        token.length == TOKEN_LENGTH
+      end
+
+      def masked_token?(token)
+        token.length == TOKEN_LENGTH * 2
+      end
+
+      def compare_with_real_token(token, session)
+        secure_compare(token, real_token(session))
+      end
+
+      def real_token(session)
+        decode_token(session[:csrf])
+      end
+
+      def encode_token(token)
+        Base64.strict_encode64(token)
+      end
+
+      def decode_token(token)
+        Base64.strict_decode64(token)
+      end
+
+      def xor_byte_strings(s1, s2)
+        s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+      end
+    end
+  end
+end