rack-protection 1.0.0 → 1.5.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
+  data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
+SHA512:
+  metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
+  data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58

data/README.md

@@ -43,13 +43,14 @@ Prevented by:
 * `Rack::Protection::JsonCsrf`
 * `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
 * `Rack::Protection::RemoteToken`
+* `Rack::Protection::HttpOrigin`
 
 ## Cross Site Scripting
 
 Prevented by:
 
-* `Rack::Protection::EscapedParams`
-* `Rack::Protection::XssHeader` (Internet Explorer only)
+* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
+* `Rack::Protection::XSSHeader` (Internet Explorer only)
 
 ## Clickjacking
 
@@ -79,16 +80,11 @@ Prevented by:
 
     gem install rack-protection
 
-# History
+# Instrumentation
 
-## v0.1.0 (2011/06/20)
-
-First public release.
-
-## v1.0.0 (2011/09/02)
-
-First stable release.
-
-Changes:
+Instrumentation is enabled by passing in an instrumenter as an option.
+```
+use Rack::Protection, instrumenter: ActiveSupport::Notifications
+```
 
-* Fix bug in JsonCsrf
+The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.

data/Rakefile

@@ -1,3 +1,4 @@
+# encoding: utf-8
 $LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
 
 begin
@@ -13,14 +14,19 @@ task(:spec) { ruby '-S rspec spec' }
 desc "generate gemspec"
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
-  content = File.read 'rack-protection.gemspec'
+  content = File.binread 'rack-protection.gemspec'
 
+  # fetch data
   fields = {
-    :authors => `git shortlog -sn`.scan(/[^\d\s].*/),
-    :email   => `git shortlog -sne`.scan(/[^<]+@[^>]+/),
-    :files   => `git ls-files`.split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
+    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
   }
 
+  # double email :(
+  fields[:email].delete("konstantin.haase@gmail.com")
+
+  # insert data
   fields.each do |field, values|
     updated = "  s.#{field} = ["
     updated << values.map { |v| "\n    %p" % v }.join(',')
@@ -28,7 +34,12 @@ task 'rack-protection.gemspec' do
     content.sub!(/  s\.#{field} = \[\n(    .*\n)*  \]/, updated)
   end
 
+  # set version
   content.sub! /(s\.version.*=\s+).*/, "\\1\"#{Rack::Protection::VERSION}\""
+
+  # escape unicode
+  content.gsub!(/./) { |c| c.bytesize > 1 ? "\\u{#{c.codepoints.first.to_s(16)}}" : c }
+
   File.open('rack-protection.gemspec', 'w') { |f| f << content }
 end
 

data/lib/rack/protection/authenticity_token.rb

@@ -11,13 +11,20 @@ module Rack
     # included in the session.
     #
     # Compatible with Rails and rack-csrf.
+    #
+    # Options:
+    #
+    # authenticity_param: Defines the param's name that should contain the token on a request.
+    #
     class AuthenticityToken < Base
+      default_options :authenticity_param => 'authenticity_token'
+
       def accepts?(env)
-        return true if safe? env
         session = session env
         token   = session[:csrf] ||= session['_csrf_token'] || random_string
-        env['HTTP_X_CSRF_TOKEN'] == token or
-          Request.new(env).params['authenticity_token'] == token
+        safe?(env) ||
+          secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
+          secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -10,7 +10,9 @@ module Rack
         :reaction    => :default_reaction, :logging   => true,
         :message     => 'Forbidden',       :encryptor => Digest::SHA1,
         :session_key => 'rack.session',    :status    => 403,
-        :allow_empty_referrer => true
+        :allow_empty_referrer => true,
+        :report_key           => "protection.failed",
+        :html_types           => %w[text/html application/xhtml]
       }
 
       attr_reader :app, :options
@@ -41,7 +43,7 @@ module Rack
 
       def call(env)
         unless accepts? env
-          warn env, "attack prevented by #{self.class}"
+          instrument env
           result = react env
         end
         result or app.call(env)
@@ -58,10 +60,22 @@ module Rack
         l.warn(message)
       end
 
+      def instrument(env)
+        return unless i = options[:instrumenter]
+        env['rack.protection.attack'] = self.class.name.split('::').last.downcase
+        i.instrument('rack.protection', env)
+      end
+
       def deny(env)
+        warn env, "attack prevented by #{self.class}"
         [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
       end
 
+      def report(env)
+        warn env, "attack reported by #{self.class}"
+        env[options[:report_key]] = true
+      end
+
       def session?(env)
         env.include? options[:session_key]
       end
@@ -79,11 +93,16 @@ module Rack
         ref = env['HTTP_REFERER'].to_s
         return if !options[:allow_empty_referrer] and ref.empty?
         URI.parse(ref).host || Request.new(env).host
+      rescue URI::InvalidURIError
+      end
+
+      def origin(env)
+        env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
-      rescue NotImpelentedError
+        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+      rescue NotImplementedError
         random_string false
       end
 
@@ -91,7 +110,36 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
+      # The implementations of secure_compare and bytesize are taken from
+      # Rack::Utils to be able to support rack older than XXXX.
+      def secure_compare(a, b)
+        return false unless bytesize(a) == bytesize(b)
+
+        l = a.unpack("C*")
+
+        r, i = 0, -1
+        b.each_byte { |v| r |= v ^ l[i+=1] }
+        r == 0
+      end
+
+      # Return the bytesize of String; uses String#size under Ruby 1.8 and
+      # String#bytesize under 1.9.
+      if ''.respond_to?(:bytesize)
+        def bytesize(string)
+          string.bytesize
+        end
+      else
+        def bytesize(string)
+          string.size
+        end
+      end
+
       alias default_reaction deny
+
+      def html?(headers)
+        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
+        options[:html_types].include? header.last[/^\w+\/\w+/]
+      end
     end
   end
 end

data/lib/rack/protection/escaped_params.rb

@@ -1,5 +1,10 @@
 require 'rack/protection'
-require 'escape_utils'
+require 'rack/utils'
+
+begin
+  require 'escape_utils'
+rescue LoadError
+end
 
 module Rack
   module Protection
@@ -16,14 +21,28 @@ module Rack
     # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
     #          Available: :html (default), :javascript, :url
     class EscapedParams < Base
-      default_options :escape => :html
+      extend Rack::Utils
+
+      class << self
+        alias escape_url escape
+        public :escape_html
+      end
+
+      default_options :escape => :html,
+        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
 
       def initialize(*)
         super
-        modes = Array options[:escape]
-        code  = "def self.escape_string(str) %s end"
-        modes.each { |m| code %= "EscapeUtils.escape_#{m}(%s)"}
-        eval code % 'str'
+
+        modes       = Array options[:escape]
+        @escaper    = options[:escaper]
+        @html       = modes.include? :html
+        @javascript = modes.include? :javascript
+        @url        = modes.include? :url
+
+        if @javascript and not @escaper.respond_to? :escape_javascript
+          fail("Use EscapeUtils for JavaScript escaping.")
+        end
       end
 
       def call(env)
@@ -32,7 +51,7 @@ module Rack
         post_was = handle(request.POST) rescue nil
         app.call env
       ensure
-        request.GET.replace get_was
+        request.GET.replace  get_was  if get_was
         request.POST.replace post_was if post_was
       end
 
@@ -47,7 +66,7 @@ module Rack
         when Hash   then escape_hash(object)
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
-        else raise ArgumentError, "cannot escape #{object.inspect}"
+        else nil
         end
       end
 
@@ -56,6 +75,13 @@ module Rack
         hash.each { |k,v| hash[k] = escape(v) }
         hash
       end
+
+      def escape_string(str)
+        str = @escaper.escape_url(str)        if @url
+        str = @escaper.escape_html(str)       if @html
+        str = @escaper.escape_javascript(str) if @javascript
+        str
+      end
     end
   end
 end

data/lib/rack/protection/frame_options.rb

@@ -16,10 +16,21 @@ module Rack
     # frame_options:: Defines who should be allowed to embed the page in a
     #                 frame. Use :deny to forbid any embedding, :sameorigin
     #                 to allow embedding from the same origin (default).
-    class FrameOptions < XSSHeader
+    class FrameOptions < Base
       default_options :frame_options => :sameorigin
-      def header
-        { 'X-Frame-Options' => options[:frame_options].to_s }
+
+      def frame_options
+        @frame_options ||= begin
+          frame_options = options[:frame_options]
+          frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+          frame_options.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body        = @app.call(env)
+        headers['X-Frame-Options'] ||= frame_options if html? headers
+        [status, headers, body]
       end
     end
   end

data/lib/rack/protection/http_origin.rb

@@ -0,0 +1,32 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: Google Chrome 2, Safari 4 and later
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #                      http://tools.ietf.org/html/draft-abarth-origin
+    #
+    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
+    # does not match default or whitelisted URIs.
+    class HttpOrigin < Base
+      DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
+      default_reaction :deny
+
+      def base_url(env)
+        request = Rack::Request.new(env)
+        port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
+        "#{request.scheme}://#{request.host}#{port}"
+      end
+
+      def accepts?(env)
+        return true if safe? env
+        return true unless origin = env['HTTP_ORIGIN']
+        return true if base_url(env) == origin
+        Array(options[:origin_whitelist]).include? origin
+      end
+
+    end
+  end
+end

data/lib/rack/protection/ip_spoofing.rb

@@ -13,7 +13,7 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split /\s*,\s*/
+        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
         return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
         return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
         true

data/lib/rack/protection/json_csrf.rb

@@ -11,14 +11,24 @@ module Rack
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
     class JsonCsrf < Base
-      default_reaction :deny
+      alias react deny
 
       def call(env)
+        request               = Request.new(env)
         status, headers, body = app.call(env)
-        if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
-          result = react(env) if referrer(env) != Request.new(env).host
+
+        if has_vector? request, headers
+          warn env, "attack prevented by #{self.class}"
+          react(env) or [status, headers, body]
+        else
+          [status, headers, body]
         end
-        result or [status, headers, body]
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
       end
     end
   end

data/lib/rack/protection/path_traversal.rb

@@ -12,17 +12,38 @@ module Rack
     class PathTraversal < Base
       def call(env)
         path_was         = env["PATH_INFO"]
-        env["PATH_INFO"] = cleanup path_was
+        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
         app.call env
       ensure
         env["PATH_INFO"] = path_was
       end
 
       def cleanup(path)
-        return cleanup("/" << path)[1..-1] unless path[0] == ?/
-        escaped = ::File.expand_path path.gsub('%2e', '.').gsub('%2f', '/')
-        escaped << '/' if escaped[-1] != ?/ and path =~ /\/\.{0,2}$/
-        escaped.gsub /\/\/+/, '/'
+        if path.respond_to?(:encoding)
+          # Ruby 1.9+ M17N
+          encoding = path.encoding
+          dot   = '.'.encode(encoding)
+          slash = '/'.encode(encoding)
+          backslash = '\\'.encode(encoding)
+        else
+          # Ruby 1.8
+          dot   = '.'
+          slash = '/'
+          backslash = '\\'
+        end
+
+        parts     = []
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)
+
+        unescaped.split(slash).each do |part|
+          next if part.empty? or part == dot
+          part == '..' ? parts.pop : parts << part
+        end
+
+        cleaned = slash + parts.join(slash)
+        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
+        cleaned
       end
     end
   end

data/lib/rack/protection/remote_referrer.rb

@@ -9,9 +9,6 @@ module Rack
     #
     # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
     # a different host.
-    #
-    # Combine with NoReferrer to also block remote requests from non-HTTP pages
-    # (FTP/HTTPS/...).
     class RemoteReferrer < Base
       default_reaction :deny
 

data/lib/rack/protection/session_hijacking.rb

@@ -9,13 +9,12 @@ module Rack
     #
     # Tracks request properties like the user agent in the session and empties
     # the session if those properties change. This essentially prevents attacks
-    # from Firesheep. Since all headers taken into consideration might be
-    # spoofed, too, this will not prevent all hijacking attempts.
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
       default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE
-          HTTP_VERSION]
+        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
 
       def accepts?(env)
         session = session env
@@ -29,7 +28,8 @@ module Rack
       end
 
       def encrypt(value)
-        options[:encrypt_tracking] ? super(value) : value.to_s
+        value = value.to_s.downcase
+        options[:encrypt_tracking] ? super(value) : value
       end
     end
   end

data/lib/rack/protection/version.rb

@@ -4,41 +4,13 @@ module Rack
       VERSION
     end
 
-    module VERSION
-      extend Comparable
+    SIGNATURE = [1, 5, 5]
+    VERSION   = SIGNATURE.join('.')
 
-      MAJOR     = 1
-      MINOR     = 0
-      TINY      = 0
-      SIGNATURE = [MAJOR, MINOR, TINY]
-      STRING    = SIGNATURE.join '.'
-
-      def self.major; MAJOR  end
-      def self.minor; MINOR  end
-      def self.tiny;  TINY   end
-      def self.to_s;  STRING end
-
-      def self.hash
-        STRING.hash
-      end
-
-      def self.<=>(other)
-        other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
-        SIGNATURE <=> Array(other)
-      end
-
-      def self.inspect
-        STRING.inspect
-      end
-
-      def self.respond_to?(meth, *)
-        meth.to_s !~ /^__|^to_str$/ and STRING.respond_to? meth unless super
-      end
-
-      def self.method_missing(meth, *args, &block)
-        return super unless STRING.respond_to?(meth)
-        STRING.send(meth, *args, &block)
-      end
+    VERSION.extend Comparable
+    def VERSION.<=>(other)
+      other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
+      SIGNATURE <=> Array(other)
     end
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -12,15 +12,13 @@ module Rack
     # Options:
     # xss_mode:: How the browser should prevent the attack (default: :block)
     class XSSHeader < Base
-      default_options :xss_mode => :block
-
-      def header
-        { 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
-      end
+      default_options :xss_mode => :block, :nosniff => true
 
       def call(env)
         status, headers, body = @app.call(env)
-        [status, header.merge(headers), body]
+        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        [status, headers, body]
       end
     end
   end

data/lib/rack/protection.rb

@@ -8,6 +8,7 @@ module Rack
     autoload :EscapedParams,     'rack/protection/escaped_params'
     autoload :FormToken,         'rack/protection/form_token'
     autoload :FrameOptions,      'rack/protection/frame_options'
+    autoload :HttpOrigin,        'rack/protection/http_origin'
     autoload :IPSpoofing,        'rack/protection/ip_spoofing'
     autoload :JsonCsrf,          'rack/protection/json_csrf'
     autoload :PathTraversal,     'rack/protection/path_traversal'
@@ -19,15 +20,19 @@ module Rack
     def self.new(app, options = {})
       # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
+      use_these = Array options[:use]
       Rack::Builder.new do
-        use EscapedParams,    options unless except.include? :escaped_params
-        use FrameOptions,     options unless except.include? :frame_options
-        use IPSpoofing,       options unless except.include? :ip_spoofing
-        use JsonCsrf,         options unless except.include? :json_csrf
-        use PathTraversal,    options unless except.include? :path_traversal
-        use RemoteToken,      options unless except.include? :remote_token
-        use SessionHijacking, options unless except.include? :session_hijacking
-        use XSSHeader,        options unless except.include? :xss_header
+        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
+        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
+        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
+        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
+        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
+        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
         run app
       end.to_app
     end