rack-protection 1.5.0 → 1.5.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d142ba2e517a486c07d79a7c7a80061fe405a84d
+  data.tar.gz: 43a1d8c17e3bc26171c5c75bc22eaded63b4587c
+SHA512:
+  metadata.gz: df0552ef6da37611e34ff91e664521794681596cfd3898bf1cd5acb8150eea553db1bc761dc9fc3c90900884a3f5128368096bd9a1e386c84e90fe9c0fb83431
+  data.tar.gz: 4903af66fc37585786fb5650f9475695d3f0455f984c2621bc35ed9ae7addb19588fbc55d134cbf891f972c0316305e426c0d90ecdd9431273ad69a37585ef92

data/README.md

@@ -80,3 +80,11 @@ Prevented by:
 
     gem install rack-protection
 
+# Instrumentation
+
+Instrumentation is enabled by passing in an instrumenter as an option.
+```
+use Rack::Protection, instrumenter: ActiveSupport::Notifications
+```
+
+The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.

data/lib/rack/protection/authenticity_token.rb

@@ -11,13 +11,20 @@ module Rack
     # included in the session.
     #
     # Compatible with Rails and rack-csrf.
+    #
+    # Options:
+    #
+    # authenticity_param: Defines the param's name that should contain the token on a request.
+    #
     class AuthenticityToken < Base
+      default_options :authenticity_param => 'authenticity_token'
+
       def accepts?(env)
-        return true if safe? env
         session = session env
         token   = session[:csrf] ||= session['_csrf_token'] || random_string
-        env['HTTP_X_CSRF_TOKEN'] == token or
-          Request.new(env).params['authenticity_token'] == token
+        safe?(env) ||
+          env['HTTP_X_CSRF_TOKEN'] == token ||
+          Request.new(env).params[options[:authenticity_param]] == token
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -44,6 +44,7 @@ module Rack
       def call(env)
         unless accepts? env
           warn env, "attack prevented by #{self.class}"
+          instrument env
           result = react env
         end
         result or app.call(env)
@@ -60,6 +61,12 @@ module Rack
         l.warn(message)
       end
 
+      def instrument(env)
+        return unless i = options[:instrumenter]
+        env['rack.protection.attack'] = self.class.name.split('::').last.downcase
+        i.instrument('rack.protection', env)
+      end
+
       def deny(env)
         [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
       end
@@ -92,7 +99,7 @@ module Rack
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
+        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
       rescue NotImplementedError
         random_string false
       end

data/lib/rack/protection/json_csrf.rb

@@ -11,7 +11,7 @@ module Rack
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
     class JsonCsrf < Base
-      default_reaction :deny
+      alias react deny
 
       def call(env)
         request               = Request.new(env)
@@ -19,7 +19,7 @@ module Rack
 
         if has_vector? request, headers
           warn env, "attack prevented by #{self.class}"
-          react(env)
+          react(env) or [status, headers, body]
         else
           [status, headers, body]
         end

data/lib/rack/protection/path_traversal.rb

@@ -19,16 +19,27 @@ module Rack
       end
 
       def cleanup(path)
+        if path.respond_to?(:encoding)
+          # Ruby 1.9+ M17N
+          encoding = path.encoding
+          dot   = '.'.encode(encoding)
+          slash = '/'.encode(encoding)
+        else
+          # Ruby 1.8
+          dot   = '.'
+          slash = '/'
+        end
+
         parts     = []
-        unescaped = path.gsub('%2e', '.').gsub('%2f', '/')
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
 
-        unescaped.split('/').each do |part|
-          next if part.empty? or part == '.'
+        unescaped.split(slash).each do |part|
+          next if part.empty? or part == dot
           part == '..' ? parts.pop : parts << part
         end
 
-        cleaned = '/' << parts.join('/')
-        cleaned << '/' if parts.any? and unescaped =~ /\/\.{0,2}$/
+        cleaned = slash + parts.join(slash)
+        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
         cleaned
       end
     end

data/lib/rack/protection/version.rb

@@ -4,7 +4,7 @@ module Rack
       VERSION
     end
 
-    SIGNATURE = [1, 5, 0]
+    SIGNATURE = [1, 5, 1]
     VERSION   = SIGNATURE.join('.')
 
     VERSION.extend Comparable

data/rack-protection.gemspec

@@ -2,18 +2,20 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.5.0"
+  s.version     = "1.5.1"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description
+  s.license     = 'MIT'
 
   # generated from git shortlog -sn
   s.authors = [
     "Konstantin Haase",
     "Alex Rodionov",
-    "Chris Heald",
-    "Chris Mytton",
-    "Corey Ward",
+    "Patrick Ellis",
+    "Jeff Welling",
+    "ITO Nobuaki",
+    "Matteo Centenaro",
     "David Kellum",
     "Egor Homakov",
     "Florian Gilcher",
@@ -23,18 +25,24 @@ Gem::Specification.new do |s|
     "SAKAI, Kazuaki",
     "Stanislav Savulchik",
     "Steve Agalloco",
-    "Akzhan Abdulin",
     "TOBY",
-    "Bj\u00F8rge N\u00E6ss"
+    "Akzhan Abdulin",
+    "brookemckim",
+    "Bj\u00F8rge N\u00E6ss",
+    "Chris Heald",
+    "Chris Mytton",
+    "Corey Ward",
+    "Dario Cravero"
   ]
 
   # generated from git shortlog -sne
   s.email = [
     "konstantin.mailinglists@googlemail.com",
     "p0deje@gmail.com",
-    "self@hecticjeff.net",
-    "coreyward@me.com",
-    "dek-oss@gravitext.com",
+    "patrick@soundcloud.com",
+    "jeff.welling@gmail.com",
+    "bugant@gmail.com",
+    "daydream.trippers@gmail.com",
     "homakov@gmail.com",
     "florian.gilcher@asquera.de",
     "developer@fojasaur.us",
@@ -43,10 +51,15 @@ Gem::Specification.new do |s|
     "kaz.july.7@gmail.com",
     "s.savulchik@gmail.com",
     "steve.agalloco@gmail.com",
-    "akzhan.abdulin@gmail.com",
     "toby.net.info.mail+git@gmail.com",
+    "akzhan.abdulin@gmail.com",
+    "brooke@digitalocean.com",
     "bjoerge@bengler.no",
-    "cheald@gmail.com"
+    "cheald@gmail.com",
+    "self@hecticjeff.net",
+    "coreyward@me.com",
+    "dario@uxtemple.com",
+    "dek-oss@gravitext.com"
   ]
 
   # generated from git ls-files
@@ -72,6 +85,7 @@ Gem::Specification.new do |s|
     "lib/rack/protection/xss_header.rb",
     "rack-protection.gemspec",
     "spec/authenticity_token_spec.rb",
+    "spec/base_spec.rb",
     "spec/escaped_params_spec.rb",
     "spec/form_token_spec.rb",
     "spec/frame_options_spec.rb",

data/spec/authenticity_token_spec.rb

@@ -30,4 +30,19 @@ describe Rack::Protection::AuthenticityToken do
   it "prevents ajax requests without a valid token" do
     post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
   end
+
+  it "allows for a custom authenticity token param" do
+    mock_app do
+      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "sets a new csrf token for the session in env, even after a 'safe' request" do
+    get('/', {}, {})
+    env['rack.session'][:csrf].should_not be_nil
+  end
 end

data/spec/base_spec.rb

@@ -0,0 +1,9 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::Base do
+  describe "#random_string" do
+    it "outputs a string of 32 characters" do
+      described_class.new(lambda {}).random_string.length.should == 32
+    end
+  end
+end

data/spec/json_csrf_spec.rb

@@ -31,6 +31,7 @@ describe Rack::Protection::JsonCsrf do
     it "accepts XHR requests" do
       get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
     end
+
   end
 
   describe 'not json response' do
@@ -41,4 +42,17 @@ describe Rack::Protection::JsonCsrf do
     end
 
   end
+
+  describe 'with drop_session as default reaction' do
+    it 'still denies' do
+      mock_app do
+        use Rack::Protection, :reaction => :drop_session
+        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+      end
+
+      session = {:foo => :bar}
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+      last_response.should_not be_ok
+    end
+  end
 end

data/spec/path_traversal_spec.rb

@@ -14,8 +14,8 @@ describe Rack::Protection::PathTraversal do
 
     { # yes, this is ugly, feel free to change that
       '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
-      '/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
-      '//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
+      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
+      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
     }.each do |a, b|
       it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
     end
@@ -25,4 +25,17 @@ describe Rack::Protection::PathTraversal do
       app.call({}).should be == 42
     end
   end
+
+  if "".respond_to?(:encoding)  # Ruby 1.9+ M17N
+    context "PATH_INFO's encoding" do
+      before do
+        @app = Rack::Protection::PathTraversal.new(proc { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO'].encoding.to_s]] })
+      end
+
+      it 'should remain unchanged as ASCII-8BIT' do
+        body = @app.call({ 'PATH_INFO' => '/'.encode('ASCII-8BIT') })[2][0]
+        body.should == 'ASCII-8BIT'
+      end
+    end
+  end
 end

data/spec/protection_spec.rb

@@ -46,4 +46,25 @@ describe Rack::Protection do
       it { should be_false }
     end
   end
+
+  describe "#instrument" do
+    let(:env) { { 'rack.protection.attack' => 'base' } }
+    let(:instrumenter) { double('Instrumenter') }
+
+    after do
+      app.instrument(env)
+    end
+
+    context 'with an instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil, :instrumenter => instrumenter) }
+
+      it { instrumenter.should_receive(:instrument).with('rack.protection', env) }
+    end
+
+    context 'with no instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil) }
+
+      it { instrumenter.should_not_receive(:instrument) }
+    end
+  end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.5.0
-  prerelease: 
+  version: 1.5.1
 platform: ruby
 authors:
 - Konstantin Haase
 - Alex Rodionov
-- Chris Heald
-- Chris Mytton
-- Corey Ward
+- Patrick Ellis
+- Jeff Welling
+- ITO Nobuaki
+- Matteo Centenaro
 - David Kellum
 - Egor Homakov
 - Florian Gilcher
@@ -19,50 +19,50 @@ authors:
 - SAKAI, Kazuaki
 - Stanislav Savulchik
 - Steve Agalloco
-- Akzhan Abdulin
 - TOBY
+- Akzhan Abdulin
+- brookemckim
 - Bjørge Næss
+- Chris Heald
+- Chris Mytton
+- Corey Ward
+- Dario Cravero
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-13 00:00:00.000000000 Z
+date: 2013-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -70,7 +70,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -79,9 +78,10 @@ description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
 - p0deje@gmail.com
-- self@hecticjeff.net
-- coreyward@me.com
-- dek-oss@gravitext.com
+- patrick@soundcloud.com
+- jeff.welling@gmail.com
+- bugant@gmail.com
+- daydream.trippers@gmail.com
 - homakov@gmail.com
 - florian.gilcher@asquera.de
 - developer@fojasaur.us
@@ -90,10 +90,15 @@ email:
 - kaz.july.7@gmail.com
 - s.savulchik@gmail.com
 - steve.agalloco@gmail.com
-- akzhan.abdulin@gmail.com
 - toby.net.info.mail+git@gmail.com
+- akzhan.abdulin@gmail.com
+- brooke@digitalocean.com
 - bjoerge@bengler.no
 - cheald@gmail.com
+- self@hecticjeff.net
+- coreyward@me.com
+- dario@uxtemple.com
+- dek-oss@gravitext.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -119,6 +124,7 @@ files:
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
 - spec/authenticity_token_spec.rb
+- spec/base_spec.rb
 - spec/escaped_params_spec.rb
 - spec/form_token_spec.rb
 - spec/frame_options_spec.rb
@@ -133,28 +139,28 @@ files:
 - spec/spec_helper.rb
 - spec/xss_header_spec.rb
 homepage: http://github.com/rkh/rack-protection
-licenses: []
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 2.0.7
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: You should use protection!
 test_files: []
 has_rdoc: