rack-protection 1.1.4 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


@@ -20,14 +20,13 @@ module Rack
20
20
  # does not include: RemoteReferrer, AuthenticityToken and FormToken
21
21
  except = Array options[:except]
22
22
  Rack::Builder.new do
23
- use EscapedParams, options unless except.include? :escaped_params
24
- use FrameOptions, options unless except.include? :frame_options
25
- use IPSpoofing, options unless except.include? :ip_spoofing
26
- use JsonCsrf, options unless except.include? :json_csrf
27
- use PathTraversal, options unless except.include? :path_traversal
28
- use RemoteToken, options unless except.include? :remote_token
29
- use SessionHijacking, options unless except.include? :session_hijacking
30
- use XSSHeader, options unless except.include? :xss_header
23
+ use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options
24
+ use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing
25
+ use ::Rack::Protection::JsonCsrf, options unless except.include? :json_csrf
26
+ use ::Rack::Protection::PathTraversal, options unless except.include? :path_traversal
27
+ use ::Rack::Protection::RemoteToken, options unless except.include? :remote_token
28
+ use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
29
+ use ::Rack::Protection::XSSHeader, options unless except.include? :xss_header
31
30
  run app
32
31
  end.to_app
33
32
  end
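Review bot: The comment at the top of the hunk, `# does not include: RemoteReferrer, AuthenticityToken and FormToken`, is now stale because the new side also drops EscapedParams from the default stack (its `use` line is removed and nothing replaces it); it should read `# does not include: EscapedParams, RemoteReferrer, AuthenticityToken and FormToken`. Since this ships as a minor version bump, applications that relied on a bare `use Rack::Protection` to escape parameters lose that protection with no signal, and `:except => :escaped_params` silently becomes a no-op instead of an error. I'd call the removal out in the changelog and consider warning when `except` contains a symbol that no longer matches any middleware in the stack. The enclosing `self.new` method starts above this hunk.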
@@ -83,7 +83,7 @@ module Rack
83
83
 
84
84
  def random_string(secure = defined? SecureRandom)
85
85
  secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
86
- rescue NotImpelentedError
86
+ rescue NotImplementedError
87
87
  random_string false
88
88
  end
89
89
 
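Review bot: Now that the rescue clause actually names `NotImplementedError`, the fallback `"%032x" % rand(2**128-1)` becomes reachable, and `Kernel#rand` is not a cryptographically secure generator, so on a platform where SecureRandom raises here the strings this method produces are predictable to anyone who can observe a few of them. The old misspelling would have raised NameError from the rescue clause instead, which was at least loud. I would not let this degrade silently: add a comment above the fallback, `# NOTE: Kernel#rand is not CSPRNG-quality; this path only runs when SecureRandom raises NotImplementedError and its output must not be relied on for tokens`, and emit a warning on that path via `Kernel.warn`, since the `warn env, msg` call in the JsonCsrf hunk suggests this module defines its own `warn`. random_string's callers are outside this hunk, so how these strings are consumed cannot be confirmed here.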
@@ -16,7 +16,10 @@ module Rack
16
16
  def call(env)
17
17
  status, headers, body = app.call(env)
18
18
  if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
19
- result = react(env) if referrer(env) != Request.new(env).host
19
+ if referrer(env) != Request.new(env).host
20
+ result = react(env)
21
+ warn env, "attack prevented by #{self.class}"
22
+ end
20
23
  end
21
24
  result or [status, headers, body]
22
25
  end
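Review bot: When the referrer check trips and `react(env)` returns a replacement response, the `body` obtained from `app.call(env)` on the context line above is discarded without being closed; Rack expects `close` to be called on a body that is not served, so streamed or file-backed bodies leak. Adding `body.close if result && body.respond_to?(:close)` before `result or [status, headers, body]` fixes that. Separately, the new `warn env, "attack prevented by #{self.class}"` line fires even when `react` returns nil and the original JSON response is still served (the `result or ...` fallthrough suggests that can happen), so the message may overstate what occurred; warn only when `result` is set, or word the message as "suspicious request" rather than "attack prevented".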
@@ -4,7 +4,7 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- SIGNATURE = [1, 1, 4]
7
+ SIGNATURE = [1, 2, 0]
8
8
  VERSION = SIGNATURE.join('.')
9
9
 
10
10
  VERSION.extend Comparable
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.1.4"
5
+ s.version = "1.2.0"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
@@ -10,17 +10,21 @@ Gem::Specification.new do |s|
10
10
  # generated from git shortlog -sn
11
11
  s.authors = [
12
12
  "Konstantin Haase",
13
+ "Akzhan Abdulin",
13
14
  "Corey Ward",
14
15
  "David Kellum",
15
- "Fojas"
16
+ "Fojas",
17
+ "Martin Mauch"
16
18
  ]
17
19
 
18
20
  # generated from git shortlog -sne
19
21
  s.email = [
20
22
  "konstantin.mailinglists@googlemail.com",
23
+ "akzhan.abdulin@gmail.com",
21
24
  "coreyward@me.com",
22
25
  "dek-oss@gravitext.com",
23
- "developer@fojasaur.us"
26
+ "developer@fojasaur.us",
27
+ "martin.mauch@gmail.com"
24
28
  ]
25
29
 
26
30
  # generated from git ls-files
@@ -2,4 +2,19 @@ require File.expand_path('../spec_helper.rb', __FILE__)
2
2
 
3
3
  describe Rack::Protection do
4
4
  it_behaves_like "any rack application"
5
+
6
+ it 'passes on options' do
7
+ mock_app do
8
+ use Rack::Protection, :track => ['HTTP_FOO']
9
+ run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
10
+ end
11
+
12
+ session = {:foo => :bar}
13
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
14
+ get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
15
+ session[:foo].should be == :bar
16
+
17
+ get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
18
+ session.should be_empty
19
+ end
5
20
  end
metadata CHANGED
@@ -1,22 +1,24 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.4
4
+ version: 1.2.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
8
8
  - Konstantin Haase
9
+ - Akzhan Abdulin
9
10
  - Corey Ward
10
11
  - David Kellum
11
12
  - Fojas
13
+ - Martin Mauch
12
14
  autorequire:
13
15
  bindir: bin
14
16
  cert_chain: []
15
- date: 2011-10-04 00:00:00.000000000Z
17
+ date: 2011-12-30 00:00:00.000000000 Z
16
18
  dependencies:
17
19
  - !ruby/object:Gem::Dependency
18
20
  name: rack
19
- requirement: &2152664140 !ruby/object:Gem::Requirement
21
+ requirement: &2153091280 !ruby/object:Gem::Requirement
20
22
  none: false
21
23
  requirements:
22
24
  - - ! '>='
@@ -24,10 +26,10 @@ dependencies:
24
26
  version: '0'
25
27
  type: :runtime
26
28
  prerelease: false
27
- version_requirements: *2152664140
29
+ version_requirements: *2153091280
28
30
  - !ruby/object:Gem::Dependency
29
31
  name: rack-test
30
- requirement: &2152663420 !ruby/object:Gem::Requirement
32
+ requirement: &2153090800 !ruby/object:Gem::Requirement
31
33
  none: false
32
34
  requirements:
33
35
  - - ! '>='
@@ -35,10 +37,10 @@ dependencies:
35
37
  version: '0'
36
38
  type: :development
37
39
  prerelease: false
38
- version_requirements: *2152663420
40
+ version_requirements: *2153090800
39
41
  - !ruby/object:Gem::Dependency
40
42
  name: rspec
41
- requirement: &2152662520 !ruby/object:Gem::Requirement
43
+ requirement: &2153090140 !ruby/object:Gem::Requirement
42
44
  none: false
43
45
  requirements:
44
46
  - - ~>
@@ -46,13 +48,15 @@ dependencies:
46
48
  version: '2.0'
47
49
  type: :development
48
50
  prerelease: false
49
- version_requirements: *2152662520
51
+ version_requirements: *2153090140
50
52
  description: You should use protection!
51
53
  email:
52
54
  - konstantin.mailinglists@googlemail.com
55
+ - akzhan.abdulin@gmail.com
53
56
  - coreyward@me.com
54
57
  - dek-oss@gravitext.com
55
58
  - developer@fojasaur.us
59
+ - martin.mauch@gmail.com
56
60
  executables: []
57
61
  extensions: []
58
62
  extra_rdoc_files: []