rack-protection 0.1.0

data/spec/protection_spec.rb

@@ -0,0 +1,5 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection do
+  it_behaves_like "any rack application"
+end

data/spec/remote_referrer_spec.rb

@@ -0,0 +1,31 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::RemoteReferrer do
+  it_behaves_like "any rack application"
+
+  it "accepts post requests with no referrer" do
+    post('/').should be_ok
+  end
+
+  it "does not accept post requests with no referrer if allow_empty_referrer is false" do
+    mock_app do
+      use Rack::Protection::RemoteReferrer, :allow_empty_referrer => false
+      run DummyApp
+    end
+    post('/').should_not be_ok
+  end
+
+  it "should allow post request with a relative referrer" do
+    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
+  end
+
+  it "accepts post requests with the same host in the referrer" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.com')
+    last_response.should be_ok
+  end
+
+  it "denies post requests with a remote referrer" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+    last_response.should_not be_ok
+  end
+end

data/spec/remote_token_spec.rb

@@ -0,0 +1,42 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::RemoteToken do
+  it_behaves_like "any rack application"
+
+  it "accepts post requests with no referrer" do
+    post('/').should be_ok
+  end
+
+  it "accepts post requests with a local referrer" do
+    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
+  end
+
+  it "denies post requests with a remote referrer and no token" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+    last_response.should_not be_ok
+  end
+
+  it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    last_response.should be_ok
+  end
+
+  it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
+    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
+      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    last_response.should_not be_ok
+  end
+
+  it "accepts post form requests with a remote referrer and correct authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "denies post form requests with a remote referrer and wrong authenticity_token field" do
+    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
+      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
+    last_response.should_not be_ok
+  end
+end

data/spec/session_hijacking_spec.rb

@@ -0,0 +1,40 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::SessionHijacking do
+  it_behaves_like "any rack application"
+
+  it "accepts a session without changes to tracked parameters" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session
+    get '/', {}, 'rack.session' => session
+    session[:foo].should == :bar
+  end
+
+  it "denies requests with a changing User-Agent header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
+    session.should be_empty
+  end
+
+  it "denies requests with a changing Accept-Encoding header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
+    session.should be_empty
+  end
+
+  it "denies requests with a changing Accept-Language header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
+    session.should be_empty
+  end
+
+  it "denies requests with a changing Version header"do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
+    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
+    session.should be_empty
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,157 @@
+require 'rack/protection'
+require 'rack/test'
+require 'forwardable'
+require 'stringio'
+
+if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
+  version = Gem.loaded_specs['rack'].version.to_s
+else
+  version = Rack.release + '.0'
+end
+
+if version == "1.3"
+  Rack::Session::Abstract::ID.class_eval do
+    private
+    def prepare_session(env)
+      session_was                  = env[ENV_SESSION_KEY]
+      env[ENV_SESSION_KEY]         = SessionHash.new(self, env)
+      env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
+      env[ENV_SESSION_KEY].merge! session_was if session_was
+    end
+  end
+end
+
+module DummyApp
+  def self.call(env)
+    Thread.current[:last_env] = env
+    [200, {'Content-Type' => 'text/plain'}, ['ok']]
+  end
+end
+
+module TestHelpers
+  extend Forwardable
+  def_delegators :last_response, :body, :headers, :status, :errors
+  def_delegators :current_session, :env_for
+  attr_writer :app
+
+  def app
+    @app || mock_app(DummyApp)
+  end
+
+  def mock_app(app = nil, &block)
+    app = block if app.nil? and block.arity == 1
+    if app
+      klass = described_class
+      mock_app do
+        use Rack::Head
+        use(Rack::Config) { |e| e['rack.session'] ||= {}}
+        use klass
+        run app
+      end
+    else
+      @app = Rack::Lint.new Rack::Builder.new(&block).to_app
+    end
+  end
+
+  def with_headers(headers)
+    proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
+  end
+
+  def env
+    Thread.current[:last_env]
+  end
+end
+
+# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
+module NotImplementedAsPending
+  def self.included(base)
+    base.class_eval do
+      alias_method :__finish__, :finish
+      remove_method :finish
+    end
+  end
+
+  def finish(reporter)
+    if @exception.is_a?(NotImplementedError)
+      from = @exception.backtrace[0]
+      message = "#{@exception.message} (from #{from})"
+      @pending_declared_in_example = message
+      metadata[:pending] = true
+      @exception = nil
+    end
+
+    __finish__(reporter)
+  end
+
+  RSpec::Core::Example.send :include, self
+end
+
+RSpec.configure do |config|
+  config.expect_with :rspec, :stdlib
+  config.include Rack::Test::Methods
+  config.include TestHelpers
+end
+
+shared_examples_for 'any rack application' do
+  it "should not interfere with normal get requests" do
+    get('/').should be_ok
+    body.should == 'ok'
+  end
+
+  it "should not interfere with normal head requests" do
+    head('/').should be_ok
+  end
+
+  it 'should not leak changes to env' do
+    klass    = described_class
+    detector = Struct.new(:app)
+
+    detector.send(:define_method, :call) do |env|
+      was = env.dup
+      res = app.call(env)
+      was.each do |k,v|
+        next if env[k] == v
+        fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
+      end
+      res
+    end
+
+    mock_app do
+      use Rack::Head
+      use(Rack::Config) { |e| e['rack.session'] ||= {}}
+      use detector
+      use klass
+      run DummyApp
+    end
+
+    get('/..', :foo => '<bar>').should be_ok
+  end
+
+  it 'allows passing on values in env' do
+    klass    = described_class
+    detector = Struct.new(:app)
+    changer  = Struct.new(:app)
+
+    detector.send(:define_method, :call) do |env|
+      res = app.call(env)
+      env['foo.bar'].should == 42
+      res
+    end
+
+    changer.send(:define_method, :call) do |env|
+      env['foo.bar'] = 42
+      app.call(env)
+    end
+
+    mock_app do
+      use Rack::Head
+      use(Rack::Config) { |e| e['rack.session'] ||= {}}
+      use detector
+      use klass
+      use changer
+      run DummyApp
+    end
+
+    get('/').should be_ok
+  end
+end

data/spec/xss_header_spec.rb

@@ -0,0 +1,24 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::XSSHeader do
+  it_behaves_like "any rack application"
+
+  it 'should set the X-XSS-Protection' do
+    get('/').headers["X-XSS-Protection"].should == "1; mode=block"
+  end
+
+  it 'should allow changing the protection mode' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::XSSHeader, :xss_mode => :foo
+      run DummyApp
+    end
+
+    get('/').headers["X-XSS-Protection"].should == "1; mode=foo"
+  end
+
+  it 'should not override the header if already set' do
+    mock_app with_headers("X-XSS-Protection" => "0")
+    get('/').headers["X-XSS-Protection"].should == "0"
+  end
+end

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: rack-protection
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Konstantin Haase
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-06-20 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: &2153646760 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153646760
+- !ruby/object:Gem::Dependency
+  name: escape_utils
+  requirement: &2153646220 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153646220
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &2153645700 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153645700
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2153645080 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153645080
+description: You should use protection!
+email:
+- konstantin.mailinglists@googlemail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- License
+- README.md
+- Rakefile
+- lib/rack-protection.rb
+- lib/rack/protection.rb
+- lib/rack/protection/authenticity_token.rb
+- lib/rack/protection/base.rb
+- lib/rack/protection/escaped_params.rb
+- lib/rack/protection/form_token.rb
+- lib/rack/protection/frame_options.rb
+- lib/rack/protection/ip_spoofing.rb
+- lib/rack/protection/json_csrf.rb
+- lib/rack/protection/path_traversal.rb
+- lib/rack/protection/remote_referrer.rb
+- lib/rack/protection/remote_token.rb
+- lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/version.rb
+- lib/rack/protection/xss_header.rb
+- rack-protection.gemspec
+- spec/authenticity_token_spec.rb
+- spec/escaped_params_spec.rb
+- spec/form_token_spec.rb
+- spec/frame_options_spec.rb
+- spec/ip_spoofing_spec.rb
+- spec/json_csrf_spec.rb
+- spec/path_traversal_spec.rb
+- spec/protection_spec.rb
+- spec/remote_referrer_spec.rb
+- spec/remote_token_spec.rb
+- spec/session_hijacking_spec.rb
+- spec/spec_helper.rb
+- spec/xss_header_spec.rb
+homepage: http://github.com/rkh/rack-protection
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.5
+signing_key: 
+specification_version: 3
+summary: You should use protection!
+test_files: []