rack-protection 1.5.3 → 2.0.0

data/spec/authenticity_token_spec.rb

@@ -1,48 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::AuthenticityToken do
-  it_behaves_like "any rack application"
-
-  it "denies post requests without any token" do
-    post('/').should_not be_ok
-  end
-
-  it "accepts post requests with correct X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with wrong X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-
-  it "prevents ajax requests without a valid token" do
-    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
-  end
-
-  it "allows for a custom authenticity token param" do
-    mock_app do
-      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
-    end
-
-    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "sets a new csrf token for the session in env, even after a 'safe' request" do
-    get('/', {}, {})
-    env['rack.session'][:csrf].should_not be_nil
-  end
-end

data/spec/base_spec.rb

@@ -1,40 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::Base do
-
-  subject { described_class.new(lambda {}) }
-
-  describe "#random_string" do
-    it "outputs a string of 32 characters" do
-      subject.random_string.length.should == 32
-    end
-  end
-
-  describe "#referrer" do
-    it "Reads referrer from Referer header" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
-      subject.referrer(env).should == "bar.com"
-    end
-
-    it "Reads referrer from Host header when Referer header is relative" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
-      subject.referrer(env).should == "foo.com"
-    end
-
-    it "Reads referrer from Host header when Referer header is missing" do
-      env = {"HTTP_HOST" => "foo.com"}
-      subject.referrer(env).should == "foo.com"
-    end
-
-    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
-      env = {"HTTP_HOST" => "foo.com"}
-      subject.options[:allow_empty_referrer] = false
-      subject.referrer(env).should be_nil
-    end
-
-    it "Returns nil when Referer header is invalid" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
-      subject.referrer(env).should be_nil
-    end
-  end
-end

data/spec/escaped_params_spec.rb

@@ -1,43 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::EscapedParams do
-  it_behaves_like "any rack application"
-
-  context 'escaping' do
-    it 'escapes html entities' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
-      end
-      get '/', :foo => "<bar>"
-      body.should == '&lt;bar&gt;'
-    end
-
-    it 'leaves normal params untouched' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
-      end
-      get '/', :foo => "bar"
-      body.should == 'bar'
-    end
-
-    it 'copes with nested arrays' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']['bar']]]
-      end
-      get '/', :foo => {:bar => "<bar>"}
-      body.should == '&lt;bar&gt;'
-    end
-
-    it 'leaves cache-breaker params untouched' do
-      mock_app do |env|
-        [200, {'Content-Type' => 'text/plain'}, ['hi']]
-      end
-
-      get '/?95df8d9bf5237ad08df3115ee74dcb10'
-      body.should == 'hi'
-    end
-  end
-end

data/spec/form_token_spec.rb

@@ -1,33 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::FormToken do
-  it_behaves_like "any rack application"
-
-  it "denies post requests without any token" do
-    post('/').should_not be_ok
-  end
-
-  it "accepts post requests with correct X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with wrong X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-
-  it "accepts ajax requests without a valid token" do
-    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
-  end
-end

data/spec/frame_options_spec.rb

@@ -1,39 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::FrameOptions do
-  it_behaves_like "any rack application"
-
-  it 'should set the X-Frame-Options' do
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN"
-  end
-
-  it 'should not set the X-Frame-Options for other content types' do
-    get('/', {}, 'wants' => 'text/foo').headers["X-Frame-Options"].should be_nil
-  end
-
-  it 'should allow changing the protection mode' do
-    # I have no clue what other modes are available
-    mock_app do
-      use Rack::Protection::FrameOptions, :frame_options => :deny
-      run DummyApp
-    end
-
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
-  end
-
-
-  it 'should allow changing the protection mode to a string' do
-    # I have no clue what other modes are available
-    mock_app do
-      use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
-      run DummyApp
-    end
-
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
-  end
-
-  it 'should not override the header if already set' do
-    mock_app with_headers("X-Frame-Options" => "allow")
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "allow"
-  end
-end

data/spec/http_origin_spec.rb

@@ -1,38 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::HttpOrigin do
-  it_behaves_like "any rack application"
-
-  before(:each) do
-    mock_app do
-      use Rack::Protection::HttpOrigin
-      run DummyApp
-    end
-  end
-
-  %w(GET HEAD POST PUT DELETE).each do |method|
-    it "accepts #{method} requests with no Origin" do
-      send(method.downcase, '/').should be_ok
-    end
-  end
-
-  %w(GET HEAD).each do |method|
-    it "accepts #{method} requests with non-whitelisted Origin" do
-      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should be_ok
-    end
-  end
-
-  %w(POST PUT DELETE).each do |method|
-    it "denies #{method} requests with non-whitelisted Origin" do
-      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should_not be_ok
-    end
-
-    it "accepts #{method} requests with whitelisted Origin" do
-      mock_app do
-        use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
-        run DummyApp
-      end
-      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com').should be_ok
-    end
-  end
-end

data/spec/ip_spoofing_spec.rb

@@ -1,35 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::IPSpoofing do
-  it_behaves_like "any rack application"
-
-  it 'accepts requests without X-Forward-For header' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_REAL_IP' => '4.3.2.1')
-    last_response.should be_ok
-  end
-
-  it 'accepts requests with proper X-Forward-For header' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4',
-      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
-    last_response.should be_ok
-  end
-
-  it 'denies requests where the client spoofs X-Forward-For but not the IP' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_FORWARDED_FOR' => '1.2.3.5')
-    last_response.should_not be_ok
-  end
-
-  it 'denies requests where the client spoofs the IP but not X-Forward-For' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.5',
-      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
-    last_response.should_not be_ok
-  end
-
-  it 'denies requests where IP and X-Forward-For are spoofed but not X-Real-IP' do
-    get('/', {},
-      'HTTP_CLIENT_IP'       => '1.2.3.5',
-      'HTTP_X_FORWARDED_FOR' => '1.2.3.5',
-      'HTTP_X_REAL_IP'       => '1.2.3.4')
-    last_response.should_not be_ok
-  end
-end

data/spec/json_csrf_spec.rb

@@ -1,58 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::JsonCsrf do
-  it_behaves_like "any rack application"
-
-  describe 'json response' do
-    before do
-      mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
-    end
-
-    it "denies get requests with json responses with a remote referrer" do
-      get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
-    end
-
-    it "accepts requests with json responses with a remote referrer when there's an origin header set" do
-      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
-    end
-
-    it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
-      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com').should be_ok
-    end
-
-    it "accepts get requests with json responses with a local referrer" do
-      get('/', {}, 'HTTP_REFERER' => '/').should be_ok
-    end
-
-    it "accepts get requests with json responses with no referrer" do
-      get('/', {}).should be_ok
-    end
-
-    it "accepts XHR requests" do
-      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
-    end
-
-  end
-
-  describe 'not json response' do
-
-    it "accepts get requests with 304 headers" do
-      mock_app { |e| [304, {}, []]}
-      get('/', {}).status.should == 304
-    end
-
-  end
-
-  describe 'with drop_session as default reaction' do
-    it 'still denies' do
-      mock_app do
-        use Rack::Protection, :reaction => :drop_session
-        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
-      end
-
-      session = {:foo => :bar}
-      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
-      last_response.should_not be_ok
-    end
-  end
-end

data/spec/path_traversal_spec.rb

@@ -1,41 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::PathTraversal do
-  it_behaves_like "any rack application"
-
-  context 'escaping' do
-    before do
-      mock_app { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO']]] }
-    end
-
-    %w[/foo/bar /foo/bar/ / /.f /a.x].each do |path|
-      it("does not touch #{path.inspect}") { get(path).body.should == path }
-    end
-
-    { # yes, this is ugly, feel free to change that
-      '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
-      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
-      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
-    }.each do |a, b|
-      it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
-    end
-
-    it 'should be able to deal with PATH_INFO = nil (fcgi?)' do
-      app = Rack::Protection::PathTraversal.new(proc { 42 })
-      app.call({}).should be == 42
-    end
-  end
-
-  if "".respond_to?(:encoding)  # Ruby 1.9+ M17N
-    context "PATH_INFO's encoding" do
-      before do
-        @app = Rack::Protection::PathTraversal.new(proc { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO'].encoding.to_s]] })
-      end
-
-      it 'should remain unchanged as ASCII-8BIT' do
-        body = @app.call({ 'PATH_INFO' => '/'.encode('ASCII-8BIT') })[2][0]
-        body.should == 'ASCII-8BIT'
-      end
-    end
-  end
-end

data/spec/protection_spec.rb

@@ -1,105 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection do
-  it_behaves_like "any rack application"
-
-  it 'passes on options' do
-    mock_app do
-      use Rack::Protection, :track => ['HTTP_FOO']
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
-    end
-
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session[:foo].should be == :bar
-
-    get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
-    session.should be_empty
-  end
-
-  it 'passes errors through if :reaction => :report is used' do
-    mock_app do
-      use Rack::Protection, :reaction => :report
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
-    end
-
-    session = {:foo => :bar}
-    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
-    last_response.should be_ok
-    body.should == "true"
-  end
-
-  describe "#react" do
-    it 'prevents attacks and warns about it' do
-      io = StringIO.new
-      mock_app do
-        use Rack::Protection, :logger => Logger.new(io)
-        run DummyApp
-      end
-      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
-      io.string.should match /prevented.*Origin/
-    end
-
-    it 'reports attacks if reaction is to report' do
-      io = StringIO.new
-      mock_app do
-        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
-        run DummyApp
-      end
-      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
-      io.string.should match /reported.*Origin/
-      io.string.should_not match /prevented.*Origin/
-    end
-
-    it 'passes errors to reaction method if specified' do
-      io = StringIO.new
-      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
-      mock_app do
-        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
-        run DummyApp
-      end
-      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
-      io.string.should match /HTTP_ORIGIN.*malicious.com/
-      io.string.should_not match /reported|prevented/
-    end
-  end
-
-  describe "#html?" do
-    context "given an appropriate content-type header" do
-      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
-      it { should be_true }
-    end
-
-    context "given an inappropriate content-type header" do
-      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "image/gif" }
-      it { should be_false }
-    end
-
-    context "given no content-type header" do
-      subject { Rack::Protection::Base.new(nil).html?({}) }
-      it { should be_false }
-    end
-  end
-
-  describe "#instrument" do
-    let(:env) { { 'rack.protection.attack' => 'base' } }
-    let(:instrumenter) { double('Instrumenter') }
-
-    after do
-      app.instrument(env)
-    end
-
-    context 'with an instrumenter specified' do
-      let(:app) { Rack::Protection::Base.new(nil, :instrumenter => instrumenter) }
-
-      it { instrumenter.should_receive(:instrument).with('rack.protection', env) }
-    end
-
-    context 'with no instrumenter specified' do
-      let(:app) { Rack::Protection::Base.new(nil) }
-
-      it { instrumenter.should_not_receive(:instrument) }
-    end
-  end
-end