rack-protection 1.5.3 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 738b46a37db596fd6ab75ccccfcf98b8530684d5
-  data.tar.gz: ba76d3a2e8e5f5ec8493acf43980325a5a2bfb55
+  metadata.gz: 60b24d006884c214484d2d6275ddfd9a09719fe6
+  data.tar.gz: b43b08983d4fc1fcf5525d28e0b704e49ee93a25
 SHA512:
-  metadata.gz: 3c88e6d4d2bcb83aa35327db0bf8d1ef7e0057579573e305958a99cdb642bffab66009e73404322be636bc3860c0acbd58fc6c15a6dda8d55948713ef28fbae4
-  data.tar.gz: 651bf843d47d99accab655195673ae835d266602845edb8fadd913c7bff8677636c0b2db825ea0e087309b6d62f89035d503eccf6e698c2d11c625150eccb111
+  metadata.gz: 926c434a0da749f9e615786c4600d7f3a933454ba179b4f3671d3abeb65d843281b95038258edaac3f01ae447c032aa8844141de0a399fd5447e6cbab12deac6
+  data.tar.gz: 64892fdb92b20c537ffebbbc00d374e4d0bd07cf37dab25c21c95676b371477356c7ba3a52945e0f9a84b0db40bbd3fc964aa21a8525ed2bfac4dd3be204817f

data/Gemfile

@@ -0,0 +1,13 @@
+source "http://rubygems.org"
+# encoding: utf-8
+
+gem 'rake'
+
+rack_version = ENV['rack'].to_s
+rack_version = nil if rack_version.empty? or rack_version == 'stable'
+rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+gem 'rack', rack_version
+
+gem 'sinatra', path: '..'
+
+gemspec

data/License

@@ -1,4 +1,7 @@
-Copyright (c) 2011 Konstantin Haase
+The MIT License (MIT)
+
+Copyright (c) 2011-2017 Konstantin Haase
+Copyright (c) 2015-2017 Zachary Scott
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,4 +1,6 @@
-You should use protection!
+# Rack::Protection
+
+[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
 
 This gem protects against typical web attacks.
 Should work for all Rack apps, including Rails.
@@ -50,7 +52,8 @@ Prevented by:
 Prevented by:
 
 * `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XSSHeader` (Internet Explorer only)
+* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
+* `Rack::Protection::ContentSecurityPolicy`
 
 ## Clickjacking
 
@@ -70,12 +73,23 @@ Prevented by:
 
 * `Rack::Protection::SessionHijacking`
 
+## Cookie Tossing
+
+Prevented by:
+* `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
+
 ## IP Spoofing
 
 Prevented by:
 
 * `Rack::Protection::IPSpoofing`
 
+## Helps to protect against protocol downgrade attacks and cookie hijacking
+
+Prevented by:
+
+* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
+
 # Installation
 
     gem install rack-protection

data/Rakefile

@@ -11,6 +11,25 @@ end
 desc "run specs"
 task(:spec) { ruby '-S rspec spec' }
 
+namespace :doc do
+  task :readmes do
+    Dir.glob 'lib/rack/protection/*.rb' do |file|
+      excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
+      next if excluded_files.include?(file)
+      doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
+      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
+      Dir.mkdir "doc" unless File.directory? "doc"
+      puts "writing #{file}"
+      File.open(file, "w") { |f| f << doc }
+    end
+  end
+
+  task :all => [:readmes]
+end
+
+desc "generate documentation"
+task :doc => 'doc:all'
+
 desc "generate gemspec"
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
@@ -19,13 +38,10 @@ task 'rack-protection.gemspec' do
   # fetch data
   fields = {
     :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
-    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
+    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
   }
 
-  # double email :(
-  fields[:email].delete("konstantin.haase@gmail.com")
-
   # insert data
   fields.each do |field, values|
     updated = "  s.#{field} = ["

data/lib/rack/protection.rb

@@ -3,36 +3,50 @@ require 'rack'
 
 module Rack
   module Protection
-    autoload :AuthenticityToken, 'rack/protection/authenticity_token'
-    autoload :Base,              'rack/protection/base'
-    autoload :EscapedParams,     'rack/protection/escaped_params'
-    autoload :FormToken,         'rack/protection/form_token'
-    autoload :FrameOptions,      'rack/protection/frame_options'
-    autoload :HttpOrigin,        'rack/protection/http_origin'
-    autoload :IPSpoofing,        'rack/protection/ip_spoofing'
-    autoload :JsonCsrf,          'rack/protection/json_csrf'
-    autoload :PathTraversal,     'rack/protection/path_traversal'
-    autoload :RemoteReferrer,    'rack/protection/remote_referrer'
-    autoload :RemoteToken,       'rack/protection/remote_token'
-    autoload :SessionHijacking,  'rack/protection/session_hijacking'
-    autoload :XSSHeader,         'rack/protection/xss_header'
+    autoload :AuthenticityToken,     'rack/protection/authenticity_token'
+    autoload :Base,                  'rack/protection/base'
+    autoload :CookieTossing,         'rack/protection/cookie_tossing'
+    autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
+    autoload :EscapedParams,         'rack/protection/escaped_params'
+    autoload :FormToken,             'rack/protection/form_token'
+    autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HttpOrigin,            'rack/protection/http_origin'
+    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,              'rack/protection/json_csrf'
+    autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
+    autoload :RemoteToken,           'rack/protection/remote_token'
+    autoload :SessionHijacking,      'rack/protection/session_hijacking'
+    autoload :StrictTransport,       'rack/protection/strict_transport'
+    autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
       # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
+
+      if options.fetch(:without_session, false)
+        except += [:session_hijacking, :remote_token]
+      end
+
       Rack::Builder.new do
-        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
-        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
-        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
-        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
-        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
-        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
-        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
-        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
-        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
-        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
+        # Off by default, unless added
+        use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
+        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
+        use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
+        use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
+
+        # On by default, unless skipped
+        use ::Rack::Protection::FrameOptions,          options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,            options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,            options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
+        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
+        use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app
     end

data/lib/rack/protection/authenticity_token.rb

@@ -1,4 +1,6 @@
 require 'rack/protection'
+require 'securerandom'
+require 'base64'
 
 module Rack
   module Protection
@@ -10,21 +12,120 @@ module Rack
     # Only accepts unsafe HTTP requests if a given access token matches the token
     # included in the session.
     #
-    # Compatible with Rails and rack-csrf.
+    # Compatible with rack-csrf.
     #
     # Options:
     #
     # authenticity_param: Defines the param's name that should contain the token on a request.
-    #
     class AuthenticityToken < Base
-      default_options :authenticity_param => 'authenticity_token'
+      TOKEN_LENGTH = 32
+
+      default_options :authenticity_param => 'authenticity_token',
+                      :allow_if => nil
+
+      def self.token(session)
+        self.new(nil).mask_authenticity_token(session)
+      end
+
+      def self.random_token
+        SecureRandom.base64(TOKEN_LENGTH)
+      end
 
       def accepts?(env)
         session = session env
-        token   = session[:csrf] ||= session['_csrf_token'] || random_string
+        set_token(session)
+
         safe?(env) ||
-          env['HTTP_X_CSRF_TOKEN'] == token ||
-          Request.new(env).params[options[:authenticity_param]] == token
+          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
+          ( options[:allow_if] && options[:allow_if].call(env) )
+      end
+
+      def mask_authenticity_token(session)
+        token = set_token(session)
+        mask_token(token)
+      end
+
+      private
+
+      def set_token(session)
+        session[:csrf] ||= self.class.random_token
+      end
+
+      # Checks the client's masked token to see if it matches the
+      # session token.
+      def valid_token?(session, token)
+        return false if token.nil? || token.empty?
+
+        begin
+          token = decode_token(token)
+        rescue ArgumentError # encoded_masked_token is invalid Base64
+          return false
+        end
+
+        # See if it's actually a masked token or not. We should be able
+        # to handle any unmasked tokens that we've issued without error.
+
+        if unmasked_token?(token)
+          compare_with_real_token token, session
+
+        elsif masked_token?(token)
+          token = unmask_token(token)
+
+          compare_with_real_token token, session
+
+        else
+          false # Token is malformed
+        end
+      end
+
+      # Creates a masked version of the authenticity token that varies
+      # on each request. The masking is used to mitigate SSL attacks
+      # like BREACH.
+      def mask_token(token)
+        token = decode_token(token)
+        one_time_pad = SecureRandom.random_bytes(token.length)
+        encrypted_token = xor_byte_strings(one_time_pad, token)
+        masked_token = one_time_pad + encrypted_token
+        encode_token(masked_token)
+      end
+
+      # Essentially the inverse of +mask_token+.
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        token_length = masked_token.length / 2
+        one_time_pad = masked_token[0...token_length]
+        encrypted_token = masked_token[token_length..-1]
+        xor_byte_strings(one_time_pad, encrypted_token)
+      end
+
+      def unmasked_token?(token)
+        token.length == TOKEN_LENGTH
+      end
+
+      def masked_token?(token)
+        token.length == TOKEN_LENGTH * 2
+      end
+
+      def compare_with_real_token(token, session)
+        secure_compare(token, real_token(session))
+      end
+
+      def real_token(session)
+        decode_token(session[:csrf])
+      end
+
+      def encode_token(token)
+        Base64.strict_encode64(token)
+      end
+
+      def decode_token(token)
+        Base64.strict_decode64(token)
+      end
+
+      def xor_byte_strings(s1, s2)
+        s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -1,4 +1,5 @@
 require 'rack/protection'
+require 'rack/utils'
 require 'digest'
 require 'logger'
 require 'uri'
@@ -110,6 +111,10 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
+      def secure_compare(a, b)
+        Rack::Utils.secure_compare(a.to_s, b.to_s)
+      end
+
       alias default_reaction deny
 
       def html?(headers)

data/lib/rack/protection/content_security_policy.rb

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS and others
+    # Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
+    #
+    # Description:: Content Security Policy, a mechanism web applications
+    #               can use to mitigate a broad class of content injection
+    #               vulnerabilities, such as cross-site scripting (XSS).
+    #               Content Security Policy is a declarative policy that lets
+    #               the authors (or server administrators) of a web application
+    #               inform the client about the sources from which the
+    #               application expects to load resources.
+    #
+    # More info::   W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
+    #               W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
+    #               W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
+    #               https://developer.mozilla.org/en-US/docs/Web/Security/CSP
+    #               http://caniuse.com/#search=ContentSecurityPolicy
+    #               http://content-security-policy.com/
+    #               https://securityheaders.io
+    #               https://scotthelme.co.uk/csp-cheat-sheet/
+    #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+    #
+    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    #
+    # Options: ContentSecurityPolicy configuration is a complex topic with
+    #          several levels of support that has evolved over time.
+    #          See the W3C documentation and the links in the more info
+    #          section for CSP usage examples and best practices. The
+    #          CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
+    #          presented in the options hash with a boolean 'true' in order
+    #          to be used in a policy.
+    #
+    class ContentSecurityPolicy < Base
+      default_options default_src: :none, script_src: "'self'",
+                      img_src: "'self'", style_src: "'self'",
+                      connect_src: "'self'", report_only: false
+
+      DIRECTIVES = %i(base_uri child_src connect_src default_src
+                      font_src form_action frame_ancestors frame_src
+                      img_src manifest_src media_src object_src
+                      plugin_types referrer reflected_xss report_to
+                      report_uri require_sri_for sandbox script_src
+                      style_src worker_src).freeze
+
+      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
+                             upgrade_insecure_requests).freeze
+
+      def csp_policy
+        directives = []
+
+        DIRECTIVES.each do |d|
+          if options.key?(d)
+            directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
+          end
+        end
+
+        # Set these key values to boolean 'true' to include in policy
+        NO_ARG_DIRECTIVES.each do |d|
+          if options.key?(d) && options[d].is_a?(TrueClass)
+            directives << d.to_s.sub(/_/, '-')
+          end
+        end
+
+        directives.compact.sort.join('; ')
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        headers[header] ||= csp_policy if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/cookie_tossing.rb

@@ -0,0 +1,75 @@
+require 'rack/protection'
+require 'pathname'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Cookie Tossing
+    # Supported browsers:: all
+    # More infos::         https://github.com/blog/1466-yummy-cookies-across-domains
+    #
+    # Does not accept HTTP requests if the HTTP_COOKIE header contains more than one
+    # session cookie. This does not protect against a cookie overflow attack.
+    #
+    # Options:
+    #
+    # session_key:: The name of the session cookie (default: 'rack.session')
+    class CookieTossing < Base
+      default_reaction :deny
+
+      def call(env)
+        status, headers, body = super
+        response = Rack::Response.new(body, status, headers)
+        request = Rack::Request.new(env)
+        remove_bad_cookies(request, response)
+        response.finish
+      end
+
+      def accepts?(env)
+        cookie_header = env['HTTP_COOKIE']
+        cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
+        cookies.each do |k, v|
+          if k == session_key && Array(v).size > 1
+            bad_cookies << k
+          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+            bad_cookies << k
+          end
+        end
+        bad_cookies.empty?
+      end
+
+      def remove_bad_cookies(request, response)
+        return if bad_cookies.empty?
+        paths = cookie_paths(request.path)
+        bad_cookies.each do |name|
+          paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
+        end
+      end
+
+      def redirect(env)
+        request = Request.new(env)
+        warn env, "attack prevented by #{self.class}"
+        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+      end
+
+      def bad_cookies
+        @bad_cookies ||= []
+      end
+
+      def cookie_paths(path)
+        path = '/' if path.to_s.empty?
+        paths = []
+        Pathname.new(path).descend { |p| paths << p.to_s }
+        paths
+      end
+
+      def empty_cookie(host, path)
+        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+      end
+
+      def session_key
+        @session_key ||= options[:session_key]
+      end
+    end
+  end
+end