rack-protection 0.1.0

data/lib/rack/protection/path_traversal.rb

@@ -0,0 +1,29 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Directory traversal
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
+    #
+    # Unescapes '/' and '.', expands +path_info+.
+    # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
+    class PathTraversal < Base
+      def call(env)
+        path_was         = env["PATH_INFO"]
+        env["PATH_INFO"] = cleanup path_was
+        app.call env
+      ensure
+        env["PATH_INFO"] = path_was
+      end
+
+      def cleanup(path)
+        return cleanup("/" << path)[1..-1] unless path[0] == ?/
+        escaped = ::File.expand_path path.gsub('%2e', '.').gsub('%2f', '/')
+        escaped << '/' if escaped[-1] != ?/ and path =~ /\/\.{0,2}$/
+        escaped.gsub /\/\/+/, '/'
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_referrer.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
+    # a different host.
+    #
+    # Combine with NoReferrer to also block remote requests from non-HTTP pages
+    # (FTP/HTTPS/...).
+    class RemoteReferrer < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        safe?(env) or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_token.rb

@@ -0,0 +1,22 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session *or* the request comes from the same origin.
+    #
+    # Compatible with Rails and rack-csrf.
+    class RemoteToken < AuthenticityToken
+      default_reaction :deny
+
+      def accepts?(env)
+        super or referrer(env) == Request.new(env).host
+      end
+    end
+  end
+end

data/lib/rack/protection/session_hijacking.rb

@@ -0,0 +1,36 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Session Hijacking
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Session_hijacking
+    #
+    # Tracks request properties like the user agent in the session and empties
+    # the session if those properties change. This essentially prevents attacks
+    # from Firesheep. Since all headers taken into consideration might be
+    # spoofed, too, this will not prevent all hijacking attempts.
+    class SessionHijacking < Base
+      default_reaction :drop_session
+      default_options :tracking_key => :tracking, :encrypt_tracking => true,
+        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE
+          HTTP_VERSION]
+
+      def accepts?(env)
+        session = session env
+        key     = options[:tracking_key]
+        if session.include? key
+          session[key].all? { |k,v| v == encrypt(env[k]) }
+        else
+          session[key] = {}
+          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+        end
+      end
+
+      def encrypt(value)
+        options[:encrypt_tracking] ? super(value) : value.to_s
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -0,0 +1,44 @@
+module Rack
+  module Protection
+    def self.version
+      VERSION
+    end
+
+    module VERSION
+      extend Comparable
+
+      MAJOR     = 0
+      MINOR     = 1
+      TINY      = 0
+      SIGNATURE = [MAJOR, MINOR, TINY]
+      STRING    = SIGNATURE.join '.'
+
+      def self.major; MAJOR  end
+      def self.minor; MINOR  end
+      def self.tiny;  TINY   end
+      def self.to_s;  STRING end
+
+      def self.hash
+        STRING.hash
+      end
+
+      def self.<=>(other)
+        other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
+        SIGNATURE <=> Array(other)
+      end
+
+      def self.inspect
+        STRING.inspect
+      end
+
+      def self.respond_to?(meth, *)
+        meth.to_s !~ /^__|^to_str$/ and STRING.respond_to? meth unless super
+      end
+
+      def self.method_missing(meth, *args, &block)
+        return super unless STRING.respond_to?(meth)
+        STRING.send(meth, *args, &block)
+      end
+    end
+  end
+end

data/lib/rack/protection/xss_header.rb

@@ -0,0 +1,27 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Non-permanent XSS
+    # Supported browsers:: Internet Explorer 8 and later
+    # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
+    #
+    # Sets X-XSS-Protection header to tell the browser to block attacks.
+    #
+    # Options:
+    # xss_mode:: How the browser should prevent the attack (default: :block)
+    class XSSHeader < Base
+      default_options :xss_mode => :block
+
+      def header
+        { 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        [status, header.merge(headers), body]
+      end
+    end
+  end
+end

data/rack-protection.gemspec

@@ -0,0 +1,61 @@
+# Run `rake rack-protection.gemspec` to update the gemspec.
+Gem::Specification.new do |s|
+  # general infos
+  s.name        = "rack-protection"
+  s.version     = "0.1.0"
+  s.description = "You should use protection!"
+  s.homepage    = "http://github.com/rkh/rack-protection"
+  s.summary     = s.description
+
+  # generated from git shortlog -sn
+  s.authors = [
+    "Konstantin Haase"
+  ]
+
+  # generated from git shortlog -sne
+  s.email = [
+    "konstantin.mailinglists@googlemail.com"
+  ]
+
+  # generated from git ls-files
+  s.files = [
+    "License",
+    "README.md",
+    "Rakefile",
+    "lib/rack-protection.rb",
+    "lib/rack/protection.rb",
+    "lib/rack/protection/authenticity_token.rb",
+    "lib/rack/protection/base.rb",
+    "lib/rack/protection/escaped_params.rb",
+    "lib/rack/protection/form_token.rb",
+    "lib/rack/protection/frame_options.rb",
+    "lib/rack/protection/ip_spoofing.rb",
+    "lib/rack/protection/json_csrf.rb",
+    "lib/rack/protection/path_traversal.rb",
+    "lib/rack/protection/remote_referrer.rb",
+    "lib/rack/protection/remote_token.rb",
+    "lib/rack/protection/session_hijacking.rb",
+    "lib/rack/protection/version.rb",
+    "lib/rack/protection/xss_header.rb",
+    "rack-protection.gemspec",
+    "spec/authenticity_token_spec.rb",
+    "spec/escaped_params_spec.rb",
+    "spec/form_token_spec.rb",
+    "spec/frame_options_spec.rb",
+    "spec/ip_spoofing_spec.rb",
+    "spec/json_csrf_spec.rb",
+    "spec/path_traversal_spec.rb",
+    "spec/protection_spec.rb",
+    "spec/remote_referrer_spec.rb",
+    "spec/remote_token_spec.rb",
+    "spec/session_hijacking_spec.rb",
+    "spec/spec_helper.rb",
+    "spec/xss_header_spec.rb"
+  ]
+
+  # dependencies
+  s.add_dependency "rack"
+  s.add_dependency "escape_utils"
+  s.add_development_dependency "rack-test"
+  s.add_development_dependency "rspec", "~> 2.0"
+end

data/spec/authenticity_token_spec.rb

@@ -0,0 +1,33 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::AuthenticityToken do
+  it_behaves_like "any rack application"
+
+  it "denies post requests without any token" do
+    post('/').should_not be_ok
+  end
+
+  it "accepts post requests with correct X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    last_response.should be_ok
+  end
+
+  it "denies post requests with wrong X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    last_response.should_not be_ok
+  end
+
+  it "accepts post form requests with correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "denies post form requests with wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    last_response.should_not be_ok
+  end
+
+  it "prevents ajax requests without a valid token" do
+    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
+  end
+end

data/spec/escaped_params_spec.rb

@@ -0,0 +1,34 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::EscapedParams do
+  it_behaves_like "any rack application"
+
+  context 'escaping' do
+    it 'escapes html entities' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
+      end
+      get '/', :foo => "<bar>"
+      body.should == '&lt;bar&gt;'
+    end
+
+    it 'leaves normal params untouched' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
+      end
+      get '/', :foo => "bar"
+      body.should == 'bar'
+    end
+
+    it 'copes with nested arrays' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']['bar']]]
+      end
+      get '/', :foo => {:bar => "<bar>"}
+      body.should == '&lt;bar&gt;'
+    end
+  end
+end

data/spec/form_token_spec.rb

@@ -0,0 +1,33 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::FormToken do
+  it_behaves_like "any rack application"
+
+  it "denies post requests without any token" do
+    post('/').should_not be_ok
+  end
+
+  it "accepts post requests with correct X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    last_response.should be_ok
+  end
+
+  it "denies post requests with wrong X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    last_response.should_not be_ok
+  end
+
+  it "accepts post form requests with correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "denies post form requests with wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    last_response.should_not be_ok
+  end
+
+  it "accepts ajax requests without a valid token" do
+    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
+  end
+end

data/spec/frame_options_spec.rb

@@ -0,0 +1,24 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::FrameOptions do
+  it_behaves_like "any rack application"
+
+  it 'should set the X-XSS-Protection' do
+    get('/').headers["X-Frame-Options"].should == "sameorigin"
+  end
+
+  it 'should allow changing the protection mode' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::FrameOptions, :frame_options => :deny
+      run DummyApp
+    end
+
+    get('/').headers["X-Frame-Options"].should == "deny"
+  end
+
+  it 'should not override the header if already set' do
+    mock_app with_headers("X-Frame-Options" => "allow")
+    get('/').headers["X-Frame-Options"].should == "allow"
+  end
+end

data/spec/ip_spoofing_spec.rb

@@ -0,0 +1,35 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::IPSpoofing do
+  it_behaves_like "any rack application"
+
+  it 'accepts requests without X-Forward-For header' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_REAL_IP' => '4.3.2.1')
+    last_response.should be_ok
+  end
+
+  it 'accepts requests with proper X-Forward-For header' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4',
+      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
+    last_response.should be_ok
+  end
+
+  it 'denies requests where the client spoofs X-Forward-For but not the IP' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_FORWARDED_FOR' => '1.2.3.5')
+    last_response.should_not be_ok
+  end
+
+  it 'denies requests where the client spoofs the IP but not X-Forward-For' do
+    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.5',
+      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
+    last_response.should_not be_ok
+  end
+
+  it 'denies requests where IP and X-Forward-For are spoofed but not X-Real-IP' do
+    get('/', {},
+      'HTTP_CLIENT_IP'       => '1.2.3.5',
+      'HTTP_X_FORWARDED_FOR' => '1.2.3.5',
+      'HTTP_X_REAL_IP'       => '1.2.3.4')
+    last_response.should_not be_ok
+  end
+end

data/spec/json_csrf_spec.rb

@@ -0,0 +1,23 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::JsonCsrf do
+  it_behaves_like "any rack application"
+
+  describe 'json response' do
+    before do
+      mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
+    end
+
+    it "denies get requests with json responses with a remote referrer" do
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
+    end
+
+    it "accepts get requests with json responses with a local referrer" do
+      get('/', {}, 'HTTP_REFERER' => '/').should be_ok
+    end
+
+    it "accepts get requests with json responses with no referrer" do
+      get('/', {}).should be_ok
+    end
+  end
+end

data/spec/path_traversal_spec.rb

@@ -0,0 +1,23 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::PathTraversal do
+  it_behaves_like "any rack application"
+
+  context 'escaping' do
+    before do
+      mock_app { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO']]] }
+    end
+
+    %w[/foo/bar /foo/bar/ / /.f /a.x].each do |path|
+      it("does not touch #{path.inspect}") { get(path).body.should == path }
+    end
+
+    { # yes, this is ugly, feel free to change that
+      '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
+      '/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
+      '//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
+    }.each do |a, b|
+      it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
+    end
+  end
+end