rack-protection 1.1.4 → 1.2.0



@@ -20,14 +20,13 @@ module Rack
20
20
  # does not include: RemoteReferrer, AuthenticityToken and FormToken
21
21
  except = Array options[:except]
22
22
  Rack::Builder.new do
23
- use EscapedParams, options unless except.include? :escaped_params
24
- use FrameOptions, options unless except.include? :frame_options
25
- use IPSpoofing, options unless except.include? :ip_spoofing
26
- use JsonCsrf, options unless except.include? :json_csrf
27
- use PathTraversal, options unless except.include? :path_traversal
28
- use RemoteToken, options unless except.include? :remote_token
29
- use SessionHijacking, options unless except.include? :session_hijacking
30
- use XSSHeader, options unless except.include? :xss_header
23
+ use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options
24
+ use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing
25
+ use ::Rack::Protection::JsonCsrf, options unless except.include? :json_csrf
26
+ use ::Rack::Protection::PathTraversal, options unless except.include? :path_traversal
27
+ use ::Rack::Protection::RemoteToken, options unless except.include? :remote_token
28
+ use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
29
+ use ::Rack::Protection::XSSHeader, options unless except.include? :xss_header
31
30
  run app
32
31
  end.to_app
33
32
  end
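Review bot: The context comment `# does not include: RemoteReferrer, AuthenticityToken and FormToken` is now incomplete: the new side drops `use EscapedParams, options unless except.include? :escaped_params` from the default stack (the hunk shrinks from 14 to 13 lines) without adding it back, so EscapedParams is no longer part of `Rack::Protection` either. Update it to `# does not include: RemoteReferrer, AuthenticityToken, FormToken and EscapedParams`, and since `:except => [:escaped_params]` is now silently accepted but meaningless, the removal also deserves a changelog mention so users relying on parameter escaping notice. The enclosing method that builds the `Rack::Builder` starts outside the hunk.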
@@ -83,7 +83,7 @@ module Rack
83
83
 
84
84
  def random_string(secure = defined? SecureRandom)
85
85
  secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
86
- rescue NotImpelentedError
86
+ rescue NotImplementedError
87
87
  random_string false
88
88
  end
89
89
 
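Review bot: With the rescue now spelling `NotImplementedError` correctly, the fallback `"%032x" % rand(2**128-1)` becomes reachable for the first time (the misspelled constant would have raised NameError when the rescue clause was evaluated), and `Kernel#rand` is not a cryptographically secure generator, so the line should carry a comment such as `# fallback uses Kernel#rand and is NOT cryptographically secure; only taken when SecureRandom is unavailable or raises NotImplementedError`. If this string feeds session or CSRF tokens elsewhere in the gem (not visible in this hunk), logging when the fallback path is taken would let operators notice a weakened deployment. `random_string` is fully inside the hunk.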
@@ -16,7 +16,10 @@ module Rack
16
16
  def call(env)
17
17
  status, headers, body = app.call(env)
18
18
  if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
19
- result = react(env) if referrer(env) != Request.new(env).host
19
+ if referrer(env) != Request.new(env).host
20
+ result = react(env)
21
+ warn env, "attack prevented by #{self.class}"
22
+ end
20
23
  end
21
24
  result or [status, headers, body]
22
25
  end
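Review bot: The new `warn env, "attack prevented by #{self.class}"` fires regardless of what `react(env)` returned, yet the `result or [status, headers, body]` line below implies `react` may return nil and let the response through; in that case the log line overstates what happened. Either guard it, `warn env, "attack prevented by #{self.class}" if result`, or word it as "attack detected" so the message stays accurate whatever the configured reaction does. `warn` takes two arguments here, so it is presumably a helper on the base class rather than `Kernel#warn`; a short comment naming where it logs to would help readers. The enclosing class starts outside the hunk.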
@@ -4,7 +4,7 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- SIGNATURE = [1, 1, 4]
7
+ SIGNATURE = [1, 2, 0]
8
8
  VERSION = SIGNATURE.join('.')
9
9
 
10
10
  VERSION.extend Comparable
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.1.4"
5
+ s.version = "1.2.0"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
@@ -10,17 +10,21 @@ Gem::Specification.new do |s|
10
10
  # generated from git shortlog -sn
11
11
  s.authors = [
12
12
  "Konstantin Haase",
13
+ "Akzhan Abdulin",
13
14
  "Corey Ward",
14
15
  "David Kellum",
15
- "Fojas"
16
+ "Fojas",
17
+ "Martin Mauch"
16
18
  ]
17
19
 
18
20
  # generated from git shortlog -sne
19
21
  s.email = [
20
22
  "konstantin.mailinglists@googlemail.com",
23
+ "akzhan.abdulin@gmail.com",
21
24
  "coreyward@me.com",
22
25
  "dek-oss@gravitext.com",
23
- "developer@fojasaur.us"
26
+ "developer@fojasaur.us",
27
+ "martin.mauch@gmail.com"
24
28
  ]
25
29
 
26
30
  # generated from git ls-files
@@ -2,4 +2,19 @@ require File.expand_path('../spec_helper.rb', __FILE__)
2
2
 
3
3
  describe Rack::Protection do
4
4
  it_behaves_like "any rack application"
5
+
6
+ it 'passes on options' do
7
+ mock_app do
8
+ use Rack::Protection, :track => ['HTTP_FOO']
9
+ run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
10
+ end
11
+
12
+ session = {:foo => :bar}
13
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
14
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
15
+ session[:foo].should be == :bar
16
+
17
+ get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
18
+ session.should be_empty
19
+ end
5
20
  end
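Review bot: The example title `'passes on options'` does not say which option reaches which middleware; the body checks that a changed `HTTP_FOO` header clears the session while a changed `HTTP_ACCEPT_ENCODING` does not once `:track => ['HTTP_FOO']` is given, so a title like `it 'passes :track on to the session hijacking check'` would document the intent (which middleware consumes `:track` is not visible here, presumably SessionHijacking). The block on the `run` line never uses `e`; write it `run proc { |_| [200, {'Content-Type' => 'text/plain'}, ['hi']] }`. None of the three requests asserts a response status, so a middleware that failed and returned an error response would still pass as long as the session state matched. The `describe` block opens at the hunk's first context line and closes at its last.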
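--- a/metadata
+++ b/metadata
@@ -1,22 +1,24 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-version: 1.1.4
+version: 1.2.0
 prerelease:
 platform: ruby
 authors:
 - Konstantin Haase
+- Akzhan Abdulin
 - Corey Ward
 - David Kellum
 - Fojas
+- Martin Mauch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-10-04 00:00:00.000000000Z
+date: 2011-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
-requirement: &2152664140 !ruby/object:Gem::Requirement
+requirement: &2153091280 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -24,10 +26,10 @@ dependencies:
 version: '0'
 type: :runtime
 prerelease: false
-version_requirements: *2152664140
+version_requirements: *2153091280
 - !ruby/object:Gem::Dependency
 name: rack-test
-requirement: &2152663420 !ruby/object:Gem::Requirement
+requirement: &2153090800 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -35,10 +37,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2152663420
+version_requirements: *2153090800
 - !ruby/object:Gem::Dependency
 name: rspec
-requirement: &2152662520 !ruby/object:Gem::Requirement
+requirement: &2153090140 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -46,13 +48,15 @@ dependencies:
 version: '2.0'
 type: :development
 prerelease: false
-version_requirements: *2152662520
+version_requirements: *2153090140
 description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
+- akzhan.abdulin@gmail.com
 - coreyward@me.com
 - dek-oss@gravitext.com
 - developer@fojasaur.us
+- martin.mauch@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []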