rack-protection 2.0.7

data/lib/rack/protection/ip_spoofing.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   IP spoofing
+    # Supported browsers:: all
+    # More infos::         http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/
+    #
+    # Detect (some) IP spoofing attacks.
+    class IPSpoofing < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        return true unless env.include? 'HTTP_X_FORWARDED_FOR'
+        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
+        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
+        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+        true
+      end
+    end
+  end
+end

data/lib/rack/protection/json_csrf.rb

@@ -0,0 +1,57 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://flask.pocoo.org/docs/0.10/security/#json-security
+    #                      http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
+    #
+    # JSON GET APIs are vulnerable to being embedded as JavaScript when the
+    # Array prototype has been patched to track data. Checks the referrer
+    # even on GET requests if the content type is JSON.
+    #
+    # If request includes Origin HTTP header, defers to HttpOrigin to determine
+    # if the request is safe. Please refer to the documentation for more info.
+    #
+    # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
+    class JsonCsrf < Base
+      default_options :allow_if => nil
+
+      alias react deny
+
+      def call(env)
+        request               = Request.new(env)
+        status, headers, body = app.call(env)
+
+        if has_vector?(request, headers)
+          warn env, "attack prevented by #{self.class}"
+
+          react_and_close(env, body) or [status, headers, body]
+        else
+          [status, headers, body]
+        end
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false if options[:allow_if] && options[:allow_if].call(request.env)
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
+      end
+
+      def react_and_close(env, body)
+        reaction = react(env)
+
+        close_body(body) if reaction
+
+        reaction
+      end
+
+      def close_body(body)
+        body.close if body.respond_to?(:close)
+      end
+    end
+  end
+end

data/lib/rack/protection/path_traversal.rb

@@ -0,0 +1,42 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Directory traversal
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
+    #
+    # Unescapes '/' and '.', expands +path_info+.
+    # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
+    class PathTraversal < Base
+      def call(env)
+        path_was         = env["PATH_INFO"]
+        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
+        app.call env
+      ensure
+        env["PATH_INFO"] = path_was
+      end
+
+      def cleanup(path)
+        encoding = path.encoding
+        dot   = '.'.encode(encoding)
+        slash = '/'.encode(encoding)
+        backslash = '\\'.encode(encoding)
+
+        parts     = []
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)
+
+        unescaped.split(slash).each do |part|
+          next if part.empty? or part == dot
+          part == '..' ? parts.pop : parts << part
+        end
+
+        cleaned = slash + parts.join(slash)
+        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
+        cleaned
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_referrer.rb

@@ -0,0 +1,20 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
+    # a different host.
+    class RemoteReferrer < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        safe?(env) or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_token.rb

@@ -0,0 +1,22 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session *or* the request comes from the same origin.
+    #
+    # Compatible with rack-csrf.
+    class RemoteToken < AuthenticityToken
+      default_reaction :deny
+
+      def accepts?(env)
+        super or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/lib/rack/protection/session_hijacking.rb

@@ -0,0 +1,36 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Session Hijacking
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Session_hijacking
+    #
+    # Tracks request properties like the user agent in the session and empties
+    # the session if those properties change. This essentially prevents attacks
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
+    class SessionHijacking < Base
+      default_reaction :drop_session
+      default_options :tracking_key => :tracking, :encrypt_tracking => true,
+        :track => %w[HTTP_USER_AGENT]
+
+      def accepts?(env)
+        session = session env
+        key     = options[:tracking_key]
+        if session.include? key
+          session[key].all? { |k,v| v == encrypt(env[k]) }
+        else
+          session[key] = {}
+          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+        end
+      end
+
+      def encrypt(value)
+        value = value.to_s.downcase
+        options[:encrypt_tracking] ? super(value) : value
+      end
+    end
+  end
+end

data/lib/rack/protection/strict_transport.rb

@@ -0,0 +1,39 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Protects against against protocol downgrade attacks and cookie hijacking.
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    #
+    # browser will prevent any communications from being sent over HTTP
+    # to the specified domain and will instead send all communications over HTTPS.
+    # It also prevents HTTPS click through prompts on browsers.
+    #
+    # Options:
+    #
+    # max_age:: How long future requests to the domain should go over HTTPS; specified in seconds
+    # include_subdomains:: If all present and future subdomains will be HTTPS
+    # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
+
+    class StrictTransport < Base
+      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+
+      def strict_transport
+        @strict_transport ||= begin
+          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport += '; includeSubDomains' if options[:include_subdomains]
+          strict_transport += '; preload' if options[:preload]
+          strict_transport.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Strict-Transport-Security'] ||= strict_transport
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  module Protection
+    VERSION = '2.0.7'
+  end
+end

data/lib/rack/protection/xss_header.rb

@@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Non-permanent XSS
+    # Supported browsers:: Internet Explorer 8+ and Chrome
+    # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
+    #
+    # Sets X-XSS-Protection header to tell the browser to block attacks.
+    #
+    # Options:
+    # xss_mode:: How the browser should prevent the attack (default: :block)
+    class XSSHeader < Base
+      default_options :xss_mode => :block, :nosniff => true
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        [status, headers, body]
+      end
+    end
+  end
+end

data/rack-protection.gemspec

@@ -0,0 +1,40 @@
+version = File.read(File.expand_path("../../VERSION", __FILE__)).strip
+
+Gem::Specification.new do |s|
+  # general infos
+  s.name        = "rack-protection"
+  s.version     = version
+  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
+  s.homepage    = "http://sinatrarb.com/protection/"
+  s.summary     = s.description
+  s.license     = 'MIT'
+  s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
+  s.email       = "sinatrarb@googlegroups.com"
+  s.files       = Dir["lib/**/*.rb"] + [
+    "License",
+    "README.md",
+    "Rakefile",
+    "Gemfile",
+    "rack-protection.gemspec"
+  ]
+
+  if s.respond_to?(:metadata)
+    s.metadata = {
+      'source_code_uri'   => 'https://github.com/sinatra/sinatra/tree/master/rack-protection',
+      'homepage_uri'      => 'http://sinatrarb.com/protection/',
+      'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection'
+    }
+  else
+    raise <<-EOF
+RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
+  gem install rubygems-update
+  update_rubygems:
+  gem update --system
+EOF
+  end
+
+  # dependencies
+  s.add_dependency "rack"
+  s.add_development_dependency "rack-test"
+  s.add_development_dependency "rspec", "~> 3.6"
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: rack-protection
+version: !ruby/object:Gem::Version
+  version: 2.0.7
+platform: ruby
+authors:
+- https://github.com/sinatra/sinatra/graphs/contributors
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-08-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+description: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
+email: sinatrarb@googlegroups.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- License
+- README.md
+- Rakefile
+- lib/rack-protection.rb
+- lib/rack/protection.rb
+- lib/rack/protection/authenticity_token.rb
+- lib/rack/protection/base.rb
+- lib/rack/protection/content_security_policy.rb
+- lib/rack/protection/cookie_tossing.rb
+- lib/rack/protection/escaped_params.rb
+- lib/rack/protection/form_token.rb
+- lib/rack/protection/frame_options.rb
+- lib/rack/protection/http_origin.rb
+- lib/rack/protection/ip_spoofing.rb
+- lib/rack/protection/json_csrf.rb
+- lib/rack/protection/path_traversal.rb
+- lib/rack/protection/remote_referrer.rb
+- lib/rack/protection/remote_token.rb
+- lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/strict_transport.rb
+- lib/rack/protection/version.rb
+- lib/rack/protection/xss_header.rb
+- rack-protection.gemspec
+homepage: http://sinatrarb.com/protection/
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
+  homepage_uri: http://sinatrarb.com/protection/
+  documentation_uri: https://www.rubydoc.info/gems/rack-protection
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.3
+signing_key: 
+specification_version: 4
+summary: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
+test_files: []