rack-protection 1.3.2 → 1.5.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
+  data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
+SHA512:
+  metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
+  data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58

data/README.md

@@ -50,7 +50,7 @@ Prevented by:
 Prevented by:
 
 * `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XssHeader` (Internet Explorer only)
+* `Rack::Protection::XSSHeader` (Internet Explorer only)
 
 ## Clickjacking
 
@@ -80,3 +80,11 @@ Prevented by:
 
     gem install rack-protection
 
+# Instrumentation
+
+Instrumentation is enabled by passing in an instrumenter as an option.
+```
+use Rack::Protection, instrumenter: ActiveSupport::Notifications
+```
+
+The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.

data/Rakefile

@@ -14,15 +14,18 @@ task(:spec) { ruby '-S rspec spec' }
 desc "generate gemspec"
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
-  content = File.read 'rack-protection.gemspec'
+  content = File.binread 'rack-protection.gemspec'
 
   # fetch data
   fields = {
-    :authors => `git shortlog -sn`.scan(/[^\d\s].*/),
-    :email   => `git shortlog -sne`.scan(/[^<]+@[^>]+/),
-    :files   => `git ls-files`.split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
+    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
   }
 
+  # double email :(
+  fields[:email].delete("konstantin.haase@gmail.com")
+
   # insert data
   fields.each do |field, values|
     updated = "  s.#{field} = ["

data/lib/rack/protection.rb

@@ -20,7 +20,11 @@ module Rack
     def self.new(app, options = {})
       # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
+      use_these = Array options[:use]
       Rack::Builder.new do
+        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
+        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
+        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
         use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
         use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
         use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing

data/lib/rack/protection/authenticity_token.rb

@@ -11,13 +11,20 @@ module Rack
     # included in the session.
     #
     # Compatible with Rails and rack-csrf.
+    #
+    # Options:
+    #
+    # authenticity_param: Defines the param's name that should contain the token on a request.
+    #
     class AuthenticityToken < Base
+      default_options :authenticity_param => 'authenticity_token'
+
       def accepts?(env)
-        return true if safe? env
         session = session env
         token   = session[:csrf] ||= session['_csrf_token'] || random_string
-        env['HTTP_X_CSRF_TOKEN'] == token or
-          Request.new(env).params['authenticity_token'] == token
+        safe?(env) ||
+          secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
+          secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -11,6 +11,7 @@ module Rack
         :message     => 'Forbidden',       :encryptor => Digest::SHA1,
         :session_key => 'rack.session',    :status    => 403,
         :allow_empty_referrer => true,
+        :report_key           => "protection.failed",
         :html_types           => %w[text/html application/xhtml]
       }
 
@@ -42,7 +43,7 @@ module Rack
 
       def call(env)
         unless accepts? env
-          warn env, "attack prevented by #{self.class}"
+          instrument env
           result = react env
         end
         result or app.call(env)
@@ -59,10 +60,22 @@ module Rack
         l.warn(message)
       end
 
+      def instrument(env)
+        return unless i = options[:instrumenter]
+        env['rack.protection.attack'] = self.class.name.split('::').last.downcase
+        i.instrument('rack.protection', env)
+      end
+
       def deny(env)
+        warn env, "attack prevented by #{self.class}"
         [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
       end
 
+      def report(env)
+        warn env, "attack reported by #{self.class}"
+        env[options[:report_key]] = true
+      end
+
       def session?(env)
         env.include? options[:session_key]
       end
@@ -80,6 +93,7 @@ module Rack
         ref = env['HTTP_REFERER'].to_s
         return if !options[:allow_empty_referrer] and ref.empty?
         URI.parse(ref).host || Request.new(env).host
+      rescue URI::InvalidURIError
       end
 
       def origin(env)
@@ -87,7 +101,7 @@ module Rack
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
+        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
       rescue NotImplementedError
         random_string false
       end
@@ -96,6 +110,30 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
+      # The implementations of secure_compare and bytesize are taken from
+      # Rack::Utils to be able to support rack older than XXXX.
+      def secure_compare(a, b)
+        return false unless bytesize(a) == bytesize(b)
+
+        l = a.unpack("C*")
+
+        r, i = 0, -1
+        b.each_byte { |v| r |= v ^ l[i+=1] }
+        r == 0
+      end
+
+      # Return the bytesize of String; uses String#size under Ruby 1.8 and
+      # String#bytesize under 1.9.
+      if ''.respond_to?(:bytesize)
+        def bytesize(string)
+          string.bytesize
+        end
+      else
+        def bytesize(string)
+          string.size
+        end
+      end
+
       alias default_reaction deny
 
       def html?(headers)

data/lib/rack/protection/frame_options.rb

@@ -16,16 +16,22 @@ module Rack
     # frame_options:: Defines who should be allowed to embed the page in a
     #                 frame. Use :deny to forbid any embedding, :sameorigin
     #                 to allow embedding from the same origin (default).
-    class FrameOptions < XSSHeader
+    class FrameOptions < Base
       default_options :frame_options => :sameorigin
 
-      def header
-        @header ||= begin
+      def frame_options
+        @frame_options ||= begin
           frame_options = options[:frame_options]
           frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
-          { 'X-Frame-Options' => frame_options.to_str }
+          frame_options.to_str
         end
       end
+
+      def call(env)
+        status, headers, body        = @app.call(env)
+        headers['X-Frame-Options'] ||= frame_options if html? headers
+        [status, headers, body]
+      end
     end
   end
 end

data/lib/rack/protection/json_csrf.rb

@@ -11,17 +11,24 @@ module Rack
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
     class JsonCsrf < Base
-      default_reaction :deny
+      alias react deny
 
       def call(env)
+        request               = Request.new(env)
         status, headers, body = app.call(env)
-        if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
-          if origin(env).nil? and referrer(env) != Request.new(env).host
-            result = react(env)
-            warn env, "attack prevented by #{self.class}"
-          end
+
+        if has_vector? request, headers
+          warn env, "attack prevented by #{self.class}"
+          react(env) or [status, headers, body]
+        else
+          [status, headers, body]
         end
-        result or [status, headers, body]
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
       end
     end
   end

data/lib/rack/protection/path_traversal.rb

@@ -19,16 +19,30 @@ module Rack
       end
 
       def cleanup(path)
+        if path.respond_to?(:encoding)
+          # Ruby 1.9+ M17N
+          encoding = path.encoding
+          dot   = '.'.encode(encoding)
+          slash = '/'.encode(encoding)
+          backslash = '\\'.encode(encoding)
+        else
+          # Ruby 1.8
+          dot   = '.'
+          slash = '/'
+          backslash = '\\'
+        end
+
         parts     = []
-        unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)
 
-        unescaped.split('/').each do |part|
-          next if part.empty? or part == '.'
+        unescaped.split(slash).each do |part|
+          next if part.empty? or part == dot
           part == '..' ? parts.pop : parts << part
         end
 
-        cleaned = '/' << parts.join('/')
-        cleaned << '/' if parts.any? and unescaped =~ /\/\.{0,2}$/
+        cleaned = slash + parts.join(slash)
+        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
         cleaned
       end
     end

data/lib/rack/protection/remote_referrer.rb

@@ -9,9 +9,6 @@ module Rack
     #
     # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
     # a different host.
-    #
-    # Combine with NoReferrer to also block remote requests from non-HTTP pages
-    # (FTP/HTTPS/...).
     class RemoteReferrer < Base
       default_reaction :deny
 

data/lib/rack/protection/session_hijacking.rb

@@ -9,12 +9,12 @@ module Rack
     #
     # Tracks request properties like the user agent in the session and empties
     # the session if those properties change. This essentially prevents attacks
-    # from Firesheep. Since all headers taken into consideration might be
-    # spoofed, too, this will not prevent all hijacking attempts.
+    # from Firesheep. Since all headers taken into consideration can be
+    # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
       default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE]
+        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
 
       def accepts?(env)
         session = session env

data/lib/rack/protection/version.rb

@@ -4,7 +4,7 @@ module Rack
       VERSION
     end
 
-    SIGNATURE = [1, 3, 2]
+    SIGNATURE = [1, 5, 5]
     VERSION   = SIGNATURE.join('.')
 
     VERSION.extend Comparable

data/lib/rack/protection/xss_header.rb

@@ -14,18 +14,10 @@ module Rack
     class XSSHeader < Base
       default_options :xss_mode => :block, :nosniff => true
 
-      def header
-        headers = {
-          'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
-          'X-Content-Type-Options' => "nosniff"
-        }
-        headers.delete("X-Content-Type-Options") unless options[:nosniff]
-        headers
-      end
-
       def call(env)
         status, headers, body = @app.call(env)
-        headers = header.merge(headers) if options[:nosniff] and html?(headers)
+        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
         [status, headers, body]
       end
     end

data/rack-protection.gemspec

@@ -2,47 +2,74 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.3.2"
+  s.version     = "1.5.5"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description
+  s.license     = 'MIT'
 
   # generated from git shortlog -sn
   s.authors = [
     "Konstantin Haase",
     "Alex Rodionov",
-    "Chris Heald",
-    "Chris Mytton",
-    "Corey Ward",
-    "David Kellum",
+    "Patrick Ellis",
+    "Jason Staten",
+    "ITO Nobuaki",
+    "Jeff Welling",
+    "Matteo Centenaro",
+    "Egor Homakov",
+    "Florian Gilcher",
     "Fojas",
+    "Igor Bochkariov",
     "Mael Clerambault",
     "Martin Mauch",
+    "Renne Nissinen",
     "SAKAI, Kazuaki",
     "Stanislav Savulchik",
     "Steve Agalloco",
-    "Akzhan Abdulin",
     "TOBY",
-    "Bj\u{f8}rge N\u{e6}ss"
+    "Thais Camilo and Konstantin Haase",
+    "Vipul A M",
+    "Akzhan Abdulin",
+    "brookemckim",
+    "Bj\u{f8}rge N\u{e6}ss",
+    "Chris Heald",
+    "Chris Mytton",
+    "Corey Ward",
+    "Dario Cravero",
+    "David Kellum"
   ]
 
   # generated from git shortlog -sne
   s.email = [
     "konstantin.mailinglists@googlemail.com",
     "p0deje@gmail.com",
-    "cheald@gmail.com",
-    "self@hecticjeff.net",
-    "coreyward@me.com",
-    "dek-oss@gravitext.com",
+    "jstaten07@gmail.com",
+    "patrick@soundcloud.com",
+    "jeff.welling@gmail.com",
+    "bugant@gmail.com",
+    "daydream.trippers@gmail.com",
+    "florian.gilcher@asquera.de",
     "developer@fojasaur.us",
+    "ujifgc@gmail.com",
     "mael@clerambault.fr",
     "martin.mauch@gmail.com",
+    "rennex@iki.fi",
     "kaz.july.7@gmail.com",
     "s.savulchik@gmail.com",
     "steve.agalloco@gmail.com",
-    "akzhan.abdulin@gmail.com",
     "toby.net.info.mail+git@gmail.com",
-    "bjoerge@bengler.no"
+    "dev+narwen+rkh@rkh.im",
+    "vipulnsward@gmail.com",
+    "akzhan.abdulin@gmail.com",
+    "brooke@digitalocean.com",
+    "bjoerge@bengler.no",
+    "cheald@gmail.com",
+    "self@hecticjeff.net",
+    "coreyward@me.com",
+    "dario@uxtemple.com",
+    "dek-oss@gravitext.com",
+    "homakov@gmail.com"
   ]
 
   # generated from git ls-files
@@ -68,6 +95,7 @@ Gem::Specification.new do |s|
     "lib/rack/protection/xss_header.rb",
     "rack-protection.gemspec",
     "spec/authenticity_token_spec.rb",
+    "spec/base_spec.rb",
     "spec/escaped_params_spec.rb",
     "spec/form_token_spec.rb",
     "spec/frame_options_spec.rb",

data/spec/authenticity_token_spec.rb

@@ -30,4 +30,19 @@ describe Rack::Protection::AuthenticityToken do
   it "prevents ajax requests without a valid token" do
     post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
   end
+
+  it "allows for a custom authenticity token param" do
+    mock_app do
+      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "sets a new csrf token for the session in env, even after a 'safe' request" do
+    get('/', {}, {})
+    env['rack.session'][:csrf].should_not be_nil
+  end
 end

data/spec/base_spec.rb

@@ -0,0 +1,40 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::Base do
+
+  subject { described_class.new(lambda {}) }
+
+  describe "#random_string" do
+    it "outputs a string of 32 characters" do
+      subject.random_string.length.should == 32
+    end
+  end
+
+  describe "#referrer" do
+    it "Reads referrer from Referer header" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
+      subject.referrer(env).should == "bar.com"
+    end
+
+    it "Reads referrer from Host header when Referer header is relative" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
+      subject.referrer(env).should == "foo.com"
+    end
+
+    it "Reads referrer from Host header when Referer header is missing" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.referrer(env).should == "foo.com"
+    end
+
+    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.options[:allow_empty_referrer] = false
+      subject.referrer(env).should be_nil
+    end
+
+    it "Returns nil when Referer header is invalid" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
+      subject.referrer(env).should be_nil
+    end
+  end
+end

data/spec/escaped_params_spec.rb

@@ -33,7 +33,6 @@ describe Rack::Protection::EscapedParams do
 
     it 'leaves cache-breaker params untouched' do
       mock_app do |env|
-        request = Rack::Request.new(env)
         [200, {'Content-Type' => 'text/plain'}, ['hi']]
       end
 

data/spec/json_csrf_spec.rb

@@ -27,6 +27,11 @@ describe Rack::Protection::JsonCsrf do
     it "accepts get requests with json responses with no referrer" do
       get('/', {}).should be_ok
     end
+
+    it "accepts XHR requests" do
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
+    end
+
   end
 
   describe 'not json response' do
@@ -37,4 +42,17 @@ describe Rack::Protection::JsonCsrf do
     end
 
   end
+
+  describe 'with drop_session as default reaction' do
+    it 'still denies' do
+      mock_app do
+        use Rack::Protection, :reaction => :drop_session
+        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+      end
+
+      session = {:foo => :bar}
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+      last_response.should_not be_ok
+    end
+  end
 end

data/spec/path_traversal_spec.rb

@@ -14,8 +14,8 @@ describe Rack::Protection::PathTraversal do
 
     { # yes, this is ugly, feel free to change that
       '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
-      '/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
-      '//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
+      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
+      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
     }.each do |a, b|
       it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
     end
@@ -25,4 +25,17 @@ describe Rack::Protection::PathTraversal do
       app.call({}).should be == 42
     end
   end
+
+  if "".respond_to?(:encoding)  # Ruby 1.9+ M17N
+    context "PATH_INFO's encoding" do
+      before do
+        @app = Rack::Protection::PathTraversal.new(proc { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO'].encoding.to_s]] })
+      end
+
+      it 'should remain unchanged as ASCII-8BIT' do
+        body = @app.call({ 'PATH_INFO' => '/'.encode('ASCII-8BIT') })[2][0]
+        body.should == 'ASCII-8BIT'
+      end
+    end
+  end
 end

data/spec/protection_spec.rb

@@ -18,6 +18,53 @@ describe Rack::Protection do
     session.should be_empty
   end
 
+  it 'passes errors through if :reaction => :report is used' do
+    mock_app do
+      use Rack::Protection, :reaction => :report
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+    end
+
+    session = {:foo => :bar}
+    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+    last_response.should be_ok
+    body.should == "true"
+  end
+
+  describe "#react" do
+    it 'prevents attacks and warns about it' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /prevented.*Origin/
+    end
+
+    it 'reports attacks if reaction is to report' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /reported.*Origin/
+      io.string.should_not match /prevented.*Origin/
+    end
+
+    it 'passes errors to reaction method if specified' do
+      io = StringIO.new
+      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
+      mock_app do
+        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /HTTP_ORIGIN.*malicious.com/
+      io.string.should_not match /reported|prevented/
+    end
+  end
+
   describe "#html?" do
     context "given an appropriate content-type header" do
       subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
@@ -34,4 +81,25 @@ describe Rack::Protection do
       it { should be_false }
     end
   end
+
+  describe "#instrument" do
+    let(:env) { { 'rack.protection.attack' => 'base' } }
+    let(:instrumenter) { double('Instrumenter') }
+
+    after do
+      app.instrument(env)
+    end
+
+    context 'with an instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil, :instrumenter => instrumenter) }
+
+      it { instrumenter.should_receive(:instrument).with('rack.protection', env) }
+    end
+
+    context 'with no instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil) }
+
+      it { instrumenter.should_not_receive(:instrument) }
+    end
+  end
 end

data/spec/session_hijacking_spec.rb

@@ -17,11 +17,12 @@ describe Rack::Protection::SessionHijacking do
     session.should be_empty
   end
 
-  it "denies requests with a changing Accept-Encoding header" do
+  it "accepts requests with a changing Accept-Encoding header" do
+    # this is tested because previously it led to clearing the session
     session = {:foo => :bar}
     get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
     get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session.should be_empty
+    session.should_not be_empty
   end
 
   it "denies requests with a changing Accept-Language header" do

data/spec/xss_header_spec.rb

@@ -34,6 +34,12 @@ describe Rack::Protection::XSSHeader do
     get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
   end
 
+
+  it 'should set the X-Content-Type-Options for other content types' do
+    get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+
   it 'should allow changing the nosniff-mode off' do
     mock_app do
       use Rack::Protection::XSSHeader, :nosniff => false

metadata

@@ -1,95 +1,114 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.3.2
-  prerelease: 
+  version: 1.5.5
 platform: ruby
 authors:
 - Konstantin Haase
 - Alex Rodionov
-- Chris Heald
-- Chris Mytton
-- Corey Ward
-- David Kellum
+- Patrick Ellis
+- Jason Staten
+- ITO Nobuaki
+- Jeff Welling
+- Matteo Centenaro
+- Egor Homakov
+- Florian Gilcher
 - Fojas
+- Igor Bochkariov
 - Mael Clerambault
 - Martin Mauch
+- Renne Nissinen
 - SAKAI, Kazuaki
 - Stanislav Savulchik
 - Steve Agalloco
-- Akzhan Abdulin
 - TOBY
+- Thais Camilo and Konstantin Haase
+- Vipul A M
+- Akzhan Abdulin
+- brookemckim
 - Bjørge Næss
+- Chris Heald
+- Chris Mytton
+- Corey Ward
+- Dario Cravero
+- David Kellum
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-12 00:00:00.000000000 Z
+date: 2018-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
 - p0deje@gmail.com
-- cheald@gmail.com
-- self@hecticjeff.net
-- coreyward@me.com
-- dek-oss@gravitext.com
+- jstaten07@gmail.com
+- patrick@soundcloud.com
+- jeff.welling@gmail.com
+- bugant@gmail.com
+- daydream.trippers@gmail.com
+- florian.gilcher@asquera.de
 - developer@fojasaur.us
+- ujifgc@gmail.com
 - mael@clerambault.fr
 - martin.mauch@gmail.com
+- rennex@iki.fi
 - kaz.july.7@gmail.com
 - s.savulchik@gmail.com
 - steve.agalloco@gmail.com
-- akzhan.abdulin@gmail.com
 - toby.net.info.mail+git@gmail.com
+- dev+narwen+rkh@rkh.im
+- vipulnsward@gmail.com
+- akzhan.abdulin@gmail.com
+- brooke@digitalocean.com
 - bjoerge@bengler.no
+- cheald@gmail.com
+- self@hecticjeff.net
+- coreyward@me.com
+- dario@uxtemple.com
+- dek-oss@gravitext.com
+- homakov@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -115,6 +134,7 @@ files:
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
 - spec/authenticity_token_spec.rb
+- spec/base_spec.rb
 - spec/escaped_params_spec.rb
 - spec/form_token_spec.rb
 - spec/frame_options_spec.rb
@@ -129,28 +149,27 @@ files:
 - spec/spec_helper.rb
 - spec/xss_header_spec.rb
 homepage: http://github.com/rkh/rack-protection
-licenses: []
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 2.7.3
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: You should use protection!
 test_files: []
-has_rdoc: