rack-protection 1.5.3 → 2.0.0

data/lib/rack/protection/escaped_params.rb

@@ -1,5 +1,6 @@
 require 'rack/protection'
 require 'rack/utils'
+require 'tempfile'
 
 begin
   require 'escape_utils'
@@ -66,6 +67,7 @@ module Rack
         when Hash   then escape_hash(object)
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
+        when Tempfile then object
         else nil
         end
       end

data/lib/rack/protection/form_token.rb

@@ -13,7 +13,7 @@ module Rack
     # This middleware is not used when using the Rack::Protection collection,
     # since it might be a security issue, depending on your application
     #
-    # Compatible with Rails and rack-csrf.
+    # Compatible with rack-csrf.
     class FormToken < AuthenticityToken
       def accepts?(env)
         env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super

data/lib/rack/protection/http_origin.rb

@@ -10,9 +10,16 @@ module Rack
     #
     # Does not accept unsafe HTTP requests when value of Origin HTTP request header
     # does not match default or whitelisted URIs.
+    #
+    # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
+    #
+    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny
+      default_options :allow_if => nil
 
       def base_url(env)
         request = Rack::Request.new(env)
@@ -24,6 +31,7 @@ module Rack
         return true if safe? env
         return true unless origin = env['HTTP_ORIGIN']
         return true if base_url(env) == origin
+        return true if options[:allow_if] && options[:allow_if].call(env)
         Array(options[:origin_whitelist]).include? origin
       end
 

data/lib/rack/protection/json_csrf.rb

@@ -5,21 +5,30 @@ module Rack
     ##
     # Prevented attack::   CSRF
     # Supported browsers:: all
-    # More infos::         http://flask.pocoo.org/docs/security/#json-security
+    # More infos::         http://flask.pocoo.org/docs/0.10/security/#json-security
+    #                      http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
     #
-    # JSON GET APIs are vulnerable to being embedded as JavaScript while the
+    # JSON GET APIs are vulnerable to being embedded as JavaScript when the
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
+    #
+    # If request includes Origin HTTP header, defers to HttpOrigin to determine
+    # if the request is safe. Please refer to the documentation for more info.
+    #
+    # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
     class JsonCsrf < Base
+      default_options :allow_if => nil
+
       alias react deny
 
       def call(env)
         request               = Request.new(env)
         status, headers, body = app.call(env)
 
-        if has_vector? request, headers
+        if has_vector?(request, headers)
           warn env, "attack prevented by #{self.class}"
-          react(env) or [status, headers, body]
+
+          react_and_close(env, body) or [status, headers, body]
         else
           [status, headers, body]
         end
@@ -27,9 +36,22 @@ module Rack
 
       def has_vector?(request, headers)
         return false if request.xhr?
+        return false if options[:allow_if] && options[:allow_if].call(request.env)
         return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
         origin(request.env).nil? and referrer(request.env) != request.host
       end
+
+      def react_and_close(env, body)
+        reaction = react(env)
+
+        close_body(body) if reaction
+
+        reaction
+      end
+
+      def close_body(body)
+        body.close if body.respond_to?(:close)
+      end
     end
   end
 end

data/lib/rack/protection/remote_token.rb

@@ -10,7 +10,7 @@ module Rack
     # Only accepts unsafe HTTP requests if a given access token matches the token
     # included in the session *or* the request comes from the same origin.
     #
-    # Compatible with Rails and rack-csrf.
+    # Compatible with rack-csrf.
     class RemoteToken < AuthenticityToken
       default_reaction :deny
 

data/lib/rack/protection/strict_transport.rb

@@ -0,0 +1,39 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Protects against against protocol downgrade attacks and cookie hijacking.
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    #
+    # browser will prevent any communications from being sent over HTTP
+    # to the specified domain and will instead send all communications over HTTPS.
+    # It also prevents HTTPS click through prompts on browsers.
+    #
+    # Options:
+    #
+    # max_age:: How long future requests to the domain should go over HTTPS; specified in seconds
+    # include_subdomains:: If all present and future subdomains will be HTTPS
+    # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
+
+    class StrictTransport < Base
+      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+
+      def strict_transport
+        @strict_transport ||= begin
+          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport += '; includeSubDomains' if options[:include_subdomains]
+          strict_transport += '; preload' if options[:preload]
+          strict_transport.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Strict-Transport-Security'] ||= strict_transport
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -1,16 +1,5 @@
 module Rack
   module Protection
-    def self.version
-      VERSION
-    end
-
-    SIGNATURE = [1, 5, 3]
-    VERSION   = SIGNATURE.join('.')
-
-    VERSION.extend Comparable
-    def VERSION.<=>(other)
-      other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
-      SIGNATURE <=> Array(other)
-    end
+    VERSION = '2.0.0'
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -4,7 +4,7 @@ module Rack
   module Protection
     ##
     # Prevented attack::   Non-permanent XSS
-    # Supported browsers:: Internet Explorer 8 and later
+    # Supported browsers:: Internet Explorer 8+ and Chrome
     # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
     #
     # Sets X-XSS-Protection header to tell the browser to block attacks.

data/rack-protection.gemspec

@@ -1,118 +1,25 @@
-# Run `rake rack-protection.gemspec` to update the gemspec.
+version = File.read(File.expand_path("../../VERSION", __FILE__)).strip
+
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.5.3"
-  s.description = "You should use protection!"
-  s.homepage    = "http://github.com/rkh/rack-protection"
+  s.version     = version
+  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
+  s.homepage    = "http://github.com/sinatra/sinatra/tree/master/rack-protection"
   s.summary     = s.description
   s.license     = 'MIT'
-
-  # generated from git shortlog -sn
-  s.authors = [
-    "Konstantin Haase",
-    "Alex Rodionov",
-    "Patrick Ellis",
-    "Jason Staten",
-    "ITO Nobuaki",
-    "Jeff Welling",
-    "Matteo Centenaro",
-    "Egor Homakov",
-    "Florian Gilcher",
-    "Fojas",
-    "Igor Bochkariov",
-    "Mael Clerambault",
-    "Martin Mauch",
-    "Renne Nissinen",
-    "SAKAI, Kazuaki",
-    "Stanislav Savulchik",
-    "Steve Agalloco",
-    "TOBY",
-    "Thais Camilo and Konstantin Haase",
-    "Vipul A M",
-    "Akzhan Abdulin",
-    "brookemckim",
-    "Bj\u{f8}rge N\u{e6}ss",
-    "Chris Heald",
-    "Chris Mytton",
-    "Corey Ward",
-    "Dario Cravero",
-    "David Kellum"
-  ]
-
-  # generated from git shortlog -sne
-  s.email = [
-    "konstantin.mailinglists@googlemail.com",
-    "p0deje@gmail.com",
-    "jstaten07@gmail.com",
-    "patrick@soundcloud.com",
-    "jeff.welling@gmail.com",
-    "bugant@gmail.com",
-    "daydream.trippers@gmail.com",
-    "florian.gilcher@asquera.de",
-    "developer@fojasaur.us",
-    "ujifgc@gmail.com",
-    "mael@clerambault.fr",
-    "martin.mauch@gmail.com",
-    "rennex@iki.fi",
-    "kaz.july.7@gmail.com",
-    "s.savulchik@gmail.com",
-    "steve.agalloco@gmail.com",
-    "toby.net.info.mail+git@gmail.com",
-    "dev+narwen+rkh@rkh.im",
-    "vipulnsward@gmail.com",
-    "akzhan.abdulin@gmail.com",
-    "brooke@digitalocean.com",
-    "bjoerge@bengler.no",
-    "cheald@gmail.com",
-    "self@hecticjeff.net",
-    "coreyward@me.com",
-    "dario@uxtemple.com",
-    "dek-oss@gravitext.com",
-    "homakov@gmail.com"
-  ]
-
-  # generated from git ls-files
-  s.files = [
+  s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
+  s.email       = "sinatrarb@googlegroups.com"
+  s.files       = Dir["lib/**/*.rb"] + [
     "License",
     "README.md",
     "Rakefile",
-    "lib/rack-protection.rb",
-    "lib/rack/protection.rb",
-    "lib/rack/protection/authenticity_token.rb",
-    "lib/rack/protection/base.rb",
-    "lib/rack/protection/escaped_params.rb",
-    "lib/rack/protection/form_token.rb",
-    "lib/rack/protection/frame_options.rb",
-    "lib/rack/protection/http_origin.rb",
-    "lib/rack/protection/ip_spoofing.rb",
-    "lib/rack/protection/json_csrf.rb",
-    "lib/rack/protection/path_traversal.rb",
-    "lib/rack/protection/remote_referrer.rb",
-    "lib/rack/protection/remote_token.rb",
-    "lib/rack/protection/session_hijacking.rb",
-    "lib/rack/protection/version.rb",
-    "lib/rack/protection/xss_header.rb",
-    "rack-protection.gemspec",
-    "spec/authenticity_token_spec.rb",
-    "spec/base_spec.rb",
-    "spec/escaped_params_spec.rb",
-    "spec/form_token_spec.rb",
-    "spec/frame_options_spec.rb",
-    "spec/http_origin_spec.rb",
-    "spec/ip_spoofing_spec.rb",
-    "spec/json_csrf_spec.rb",
-    "spec/path_traversal_spec.rb",
-    "spec/protection_spec.rb",
-    "spec/remote_referrer_spec.rb",
-    "spec/remote_token_spec.rb",
-    "spec/session_hijacking_spec.rb",
-    "spec/spec_helper.rb",
-    "spec/xss_header_spec.rb"
+    "Gemfile",
+    "rack-protection.gemspec"
   ]
 
   # dependencies
   s.add_dependency "rack"
   s.add_development_dependency "rack-test"
-  s.add_development_dependency "rspec", "~> 2.0"
+  s.add_development_dependency "rspec", "~> 3.0.0"
 end

metadata

@@ -1,41 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.5.3
+  version: 2.0.0
 platform: ruby
 authors:
-- Konstantin Haase
-- Alex Rodionov
-- Patrick Ellis
-- Jason Staten
-- ITO Nobuaki
-- Jeff Welling
-- Matteo Centenaro
-- Egor Homakov
-- Florian Gilcher
-- Fojas
-- Igor Bochkariov
-- Mael Clerambault
-- Martin Mauch
-- Renne Nissinen
-- SAKAI, Kazuaki
-- Stanislav Savulchik
-- Steve Agalloco
-- TOBY
-- Thais Camilo and Konstantin Haase
-- Vipul A M
-- Akzhan Abdulin
-- brookemckim
-- Bjørge Næss
-- Chris Heald
-- Chris Mytton
-- Corey Ward
-- Dario Cravero
-- David Kellum
+- https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-08 00:00:00.000000000 Z
+date: 2017-05-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -71,48 +44,22 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 3.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-description: You should use protection!
-email:
-- konstantin.mailinglists@googlemail.com
-- p0deje@gmail.com
-- jstaten07@gmail.com
-- patrick@soundcloud.com
-- jeff.welling@gmail.com
-- bugant@gmail.com
-- daydream.trippers@gmail.com
-- florian.gilcher@asquera.de
-- developer@fojasaur.us
-- ujifgc@gmail.com
-- mael@clerambault.fr
-- martin.mauch@gmail.com
-- rennex@iki.fi
-- kaz.july.7@gmail.com
-- s.savulchik@gmail.com
-- steve.agalloco@gmail.com
-- toby.net.info.mail+git@gmail.com
-- dev+narwen+rkh@rkh.im
-- vipulnsward@gmail.com
-- akzhan.abdulin@gmail.com
-- brooke@digitalocean.com
-- bjoerge@bengler.no
-- cheald@gmail.com
-- self@hecticjeff.net
-- coreyward@me.com
-- dario@uxtemple.com
-- dek-oss@gravitext.com
-- homakov@gmail.com
+        version: 3.0.0
+description: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
+email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- Gemfile
 - License
 - README.md
 - Rakefile
@@ -120,6 +67,8 @@ files:
 - lib/rack/protection.rb
 - lib/rack/protection/authenticity_token.rb
 - lib/rack/protection/base.rb
+- lib/rack/protection/content_security_policy.rb
+- lib/rack/protection/cookie_tossing.rb
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
@@ -130,25 +79,11 @@ files:
 - lib/rack/protection/remote_referrer.rb
 - lib/rack/protection/remote_token.rb
 - lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/strict_transport.rb
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
-- spec/authenticity_token_spec.rb
-- spec/base_spec.rb
-- spec/escaped_params_spec.rb
-- spec/form_token_spec.rb
-- spec/frame_options_spec.rb
-- spec/http_origin_spec.rb
-- spec/ip_spoofing_spec.rb
-- spec/json_csrf_spec.rb
-- spec/path_traversal_spec.rb
-- spec/protection_spec.rb
-- spec/remote_referrer_spec.rb
-- spec/remote_token_spec.rb
-- spec/session_hijacking_spec.rb
-- spec/spec_helper.rb
-- spec/xss_header_spec.rb
-homepage: http://github.com/rkh/rack-protection
+homepage: http://github.com/sinatra/sinatra/tree/master/rack-protection
 licenses:
 - MIT
 metadata: {}
@@ -168,9 +103,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
-summary: You should use protection!
+summary: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
 test_files: []
-has_rdoc: