rack-protection 1.3.2 → 1.4.0

data/README.md

@@ -50,7 +50,7 @@ Prevented by:
 Prevented by:
 
 * `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XssHeader` (Internet Explorer only)
+* `Rack::Protection::XSSHeader` (Internet Explorer only)
 
 ## Clickjacking
 

data/Rakefile

@@ -14,15 +14,18 @@ task(:spec) { ruby '-S rspec spec' }
 desc "generate gemspec"
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
-  content = File.read 'rack-protection.gemspec'
+  content = File.binread 'rack-protection.gemspec'
 
   # fetch data
   fields = {
-    :authors => `git shortlog -sn`.scan(/[^\d\s].*/),
-    :email   => `git shortlog -sne`.scan(/[^<]+@[^>]+/),
-    :files   => `git ls-files`.split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
+    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
   }
 
+  # double email :(
+  fields[:email].delete("konstantin.haase@gmail.com")
+
   # insert data
   fields.each do |field, values|
     updated = "  s.#{field} = ["

data/lib/rack/protection.rb

@@ -20,7 +20,11 @@ module Rack
     def self.new(app, options = {})
       # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
+      use_these = Array options[:use]
       Rack::Builder.new do
+        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
+        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
+        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
         use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
         use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
         use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing

data/lib/rack/protection/frame_options.rb

@@ -16,16 +16,22 @@ module Rack
     # frame_options:: Defines who should be allowed to embed the page in a
     #                 frame. Use :deny to forbid any embedding, :sameorigin
     #                 to allow embedding from the same origin (default).
-    class FrameOptions < XSSHeader
+    class FrameOptions < Base
       default_options :frame_options => :sameorigin
 
-      def header
-        @header ||= begin
+      def frame_options
+        @frame_options ||= begin
           frame_options = options[:frame_options]
           frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
-          { 'X-Frame-Options' => frame_options.to_str }
+          frame_options.to_str
         end
       end
+
+      def call(env)
+        status, headers, body        = @app.call(env)
+        headers['X-Frame-Options'] ||= frame_options if html? headers
+        [status, headers, body]
+      end
     end
   end
 end

data/lib/rack/protection/json_csrf.rb

@@ -14,14 +14,21 @@ module Rack
       default_reaction :deny
 
       def call(env)
+        request               = Request.new(env)
         status, headers, body = app.call(env)
-        if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
-          if origin(env).nil? and referrer(env) != Request.new(env).host
-            result = react(env)
-            warn env, "attack prevented by #{self.class}"
-          end
+
+        if has_vector? request, headers
+          warn env, "attack prevented by #{self.class}"
+          react(env)
+        else
+          [status, headers, body]
         end
-        result or [status, headers, body]
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
       end
     end
   end

data/lib/rack/protection/remote_referrer.rb

@@ -9,9 +9,6 @@ module Rack
     #
     # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
     # a different host.
-    #
-    # Combine with NoReferrer to also block remote requests from non-HTTP pages
-    # (FTP/HTTPS/...).
     class RemoteReferrer < Base
       default_reaction :deny
 

data/lib/rack/protection/version.rb

@@ -4,7 +4,7 @@ module Rack
       VERSION
     end
 
-    SIGNATURE = [1, 3, 2]
+    SIGNATURE = [1, 4, 0]
     VERSION   = SIGNATURE.join('.')
 
     VERSION.extend Comparable

data/lib/rack/protection/xss_header.rb

@@ -14,18 +14,10 @@ module Rack
     class XSSHeader < Base
       default_options :xss_mode => :block, :nosniff => true
 
-      def header
-        headers = {
-          'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
-          'X-Content-Type-Options' => "nosniff"
-        }
-        headers.delete("X-Content-Type-Options") unless options[:nosniff]
-        headers
-      end
-
       def call(env)
         status, headers, body = @app.call(env)
-        headers = header.merge(headers) if options[:nosniff] and html?(headers)
+        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
         [status, headers, body]
       end
     end

data/rack-protection.gemspec

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.3.2"
+  s.version     = "1.4.0"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description
@@ -15,6 +15,7 @@ Gem::Specification.new do |s|
     "Chris Mytton",
     "Corey Ward",
     "David Kellum",
+    "Egor Homakov",
     "Fojas",
     "Mael Clerambault",
     "Martin Mauch",
@@ -23,7 +24,7 @@ Gem::Specification.new do |s|
     "Steve Agalloco",
     "Akzhan Abdulin",
     "TOBY",
-    "Bj\u{f8}rge N\u{e6}ss"
+    "Bj\u00F8rge N\u00E6ss"
   ]
 
   # generated from git shortlog -sne
@@ -34,6 +35,7 @@ Gem::Specification.new do |s|
     "self@hecticjeff.net",
     "coreyward@me.com",
     "dek-oss@gravitext.com",
+    "homakov@gmail.com",
     "developer@fojasaur.us",
     "mael@clerambault.fr",
     "martin.mauch@gmail.com",

data/spec/json_csrf_spec.rb

@@ -27,6 +27,10 @@ describe Rack::Protection::JsonCsrf do
     it "accepts get requests with json responses with no referrer" do
       get('/', {}).should be_ok
     end
+
+    it "accepts XHR requests" do
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
+    end
   end
 
   describe 'not json response' do

data/spec/xss_header_spec.rb

@@ -34,6 +34,12 @@ describe Rack::Protection::XSSHeader do
     get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
   end
 
+
+  it 'should set the X-Content-Type-Options for other content types' do
+    get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+
   it 'should allow changing the nosniff-mode off' do
     mock_app do
       use Rack::Protection::XSSHeader, :nosniff => false

metadata

@@ -1,16 +1,22 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: rack-protection
-version: !ruby/object:Gem::Version
-  version: 1.3.2
+version: !ruby/object:Gem::Version 
+  hash: 7
   prerelease: 
+  segments: 
+  - 1
+  - 4
+  - 0
+  version: 1.4.0
 platform: ruby
-authors:
+authors: 
 - Konstantin Haase
 - Alex Rodionov
 - Chris Heald
 - Chris Mytton
 - Corey Ward
 - David Kellum
+- Egor Homakov
 - Fojas
 - Mael Clerambault
 - Martin Mauch
@@ -19,68 +25,66 @@ authors:
 - Steve Agalloco
 - Akzhan Abdulin
 - TOBY
-- Bjørge Næss
+- Bju00F8rge Nu00E6ss
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-12 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2013-03-01 00:00:00 +11:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: rack
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: rack-test
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.0'
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rspec
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.0'
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 0
+        version: "2.0"
+  type: :development
+  version_requirements: *id003
 description: You should use protection!
-email:
+email: 
 - konstantin.mailinglists@googlemail.com
 - p0deje@gmail.com
 - cheald@gmail.com
 - self@hecticjeff.net
 - coreyward@me.com
 - dek-oss@gravitext.com
+- homakov@gmail.com
 - developer@fojasaur.us
 - mael@clerambault.fr
 - martin.mauch@gmail.com
@@ -91,9 +95,12 @@ email:
 - toby.net.info.mail+git@gmail.com
 - bjoerge@bengler.no
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - License
 - README.md
 - Rakefile
@@ -128,29 +135,39 @@ files:
 - spec/session_hijacking_spec.rb
 - spec/spec_helper.rb
 - spec/xss_header_spec.rb
+has_rdoc: true
 homepage: http://github.com/rkh/rack-protection
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 1.6.2
 signing_key: 
 specification_version: 3
 summary: You should use protection!
 test_files: []
-has_rdoc: 
+