rack-protection 1.5.5 → 2.0.0.beta1

data/rack-protection.gemspec

@@ -1,26 +1,39 @@
-# Run `rake rack-protection.gemspec` to update the gemspec.
+$:.unshift File.expand_path("../../lib", __FILE__)
+require "sinatra/version"
+
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.5.5"
-  s.description = "You should use protection!"
-  s.homepage    = "http://github.com/rkh/rack-protection"
+  s.version     = Sinatra::VERSION
+  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
+  s.homepage    = "http://github.com/sinatra/rack-protection"
   s.summary     = s.description
   s.license     = 'MIT'
 
   # generated from git shortlog -sn
   s.authors = [
     "Konstantin Haase",
+    "Maurizio De Santis",
     "Alex Rodionov",
-    "Patrick Ellis",
     "Jason Staten",
+    "Patrick Ellis",
     "ITO Nobuaki",
     "Jeff Welling",
     "Matteo Centenaro",
+    "Akzhan Abdulin",
+    "Alan deLevie",
+    "Bj\u{f8}rge N\u{e6}ss",
+    "Chris Heald",
+    "Chris Mytton",
+    "Corey Ward",
+    "Dario Cravero",
+    "David Kellum",
     "Egor Homakov",
     "Florian Gilcher",
     "Fojas",
     "Igor Bochkariov",
+    "Josef Stribny",
+    "Katrina Owen",
     "Mael Clerambault",
     "Martin Mauch",
     "Renne Nissinen",
@@ -30,46 +43,15 @@ Gem::Specification.new do |s|
     "TOBY",
     "Thais Camilo and Konstantin Haase",
     "Vipul A M",
-    "Akzhan Abdulin",
-    "brookemckim",
-    "Bj\u{f8}rge N\u{e6}ss",
-    "Chris Heald",
-    "Chris Mytton",
-    "Corey Ward",
-    "Dario Cravero",
-    "David Kellum"
+    "Zachary Scott",
+    "ashley williams",
+    "brookemckim"
   ]
 
   # generated from git shortlog -sne
   s.email = [
-    "konstantin.mailinglists@googlemail.com",
-    "p0deje@gmail.com",
-    "jstaten07@gmail.com",
-    "patrick@soundcloud.com",
-    "jeff.welling@gmail.com",
-    "bugant@gmail.com",
-    "daydream.trippers@gmail.com",
-    "florian.gilcher@asquera.de",
-    "developer@fojasaur.us",
-    "ujifgc@gmail.com",
-    "mael@clerambault.fr",
-    "martin.mauch@gmail.com",
-    "rennex@iki.fi",
-    "kaz.july.7@gmail.com",
-    "s.savulchik@gmail.com",
-    "steve.agalloco@gmail.com",
-    "toby.net.info.mail+git@gmail.com",
-    "dev+narwen+rkh@rkh.im",
-    "vipulnsward@gmail.com",
-    "akzhan.abdulin@gmail.com",
-    "brooke@digitalocean.com",
-    "bjoerge@bengler.no",
-    "cheald@gmail.com",
-    "self@hecticjeff.net",
-    "coreyward@me.com",
-    "dario@uxtemple.com",
-    "dek-oss@gravitext.com",
-    "homakov@gmail.com"
+    "mail@zzak.io",
+    "konstantin.haase@gmail.com"
   ]
 
   # generated from git ls-files
@@ -77,42 +59,30 @@ Gem::Specification.new do |s|
     "License",
     "README.md",
     "Rakefile",
-    "lib/rack-protection.rb",
-    "lib/rack/protection.rb",
-    "lib/rack/protection/authenticity_token.rb",
-    "lib/rack/protection/base.rb",
+    "Gemfile",
+    "rack-protection.gemspec",
+    "lib/rack",
+    "lib/rack/protection",
     "lib/rack/protection/escaped_params.rb",
-    "lib/rack/protection/form_token.rb",
-    "lib/rack/protection/frame_options.rb",
-    "lib/rack/protection/http_origin.rb",
-    "lib/rack/protection/ip_spoofing.rb",
-    "lib/rack/protection/json_csrf.rb",
-    "lib/rack/protection/path_traversal.rb",
     "lib/rack/protection/remote_referrer.rb",
-    "lib/rack/protection/remote_token.rb",
+    "lib/rack/protection/ip_spoofing.rb",
+    "lib/rack/protection/base.rb",
     "lib/rack/protection/session_hijacking.rb",
+    "lib/rack/protection/authenticity_token.rb",
     "lib/rack/protection/version.rb",
+    "lib/rack/protection/path_traversal.rb",
+    "lib/rack/protection/form_token.rb",
+    "lib/rack/protection/json_csrf.rb",
+    "lib/rack/protection/http_origin.rb",
+    "lib/rack/protection/frame_options.rb",
     "lib/rack/protection/xss_header.rb",
-    "rack-protection.gemspec",
-    "spec/authenticity_token_spec.rb",
-    "spec/base_spec.rb",
-    "spec/escaped_params_spec.rb",
-    "spec/form_token_spec.rb",
-    "spec/frame_options_spec.rb",
-    "spec/http_origin_spec.rb",
-    "spec/ip_spoofing_spec.rb",
-    "spec/json_csrf_spec.rb",
-    "spec/path_traversal_spec.rb",
-    "spec/protection_spec.rb",
-    "spec/remote_referrer_spec.rb",
-    "spec/remote_token_spec.rb",
-    "spec/session_hijacking_spec.rb",
-    "spec/spec_helper.rb",
-    "spec/xss_header_spec.rb"
+    "lib/rack/protection/remote_token.rb",
+    "lib/rack/protection.rb",
+    "lib/rack-protection.rb"
   ]
 
   # dependencies
   s.add_dependency "rack"
   s.add_development_dependency "rack-test"
-  s.add_development_dependency "rspec", "~> 2.0"
+  s.add_development_dependency "rspec", "~> 3.0.0"
 end

metadata

@@ -1,20 +1,31 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.5.5
+  version: 2.0.0.beta1
 platform: ruby
 authors:
 - Konstantin Haase
+- Maurizio De Santis
 - Alex Rodionov
-- Patrick Ellis
 - Jason Staten
+- Patrick Ellis
 - ITO Nobuaki
 - Jeff Welling
 - Matteo Centenaro
+- Akzhan Abdulin
+- Alan deLevie
+- Bjørge Næss
+- Chris Heald
+- Chris Mytton
+- Corey Ward
+- Dario Cravero
+- David Kellum
 - Egor Homakov
 - Florian Gilcher
 - Fojas
 - Igor Bochkariov
+- Josef Stribny
+- Katrina Owen
 - Mael Clerambault
 - Martin Mauch
 - Renne Nissinen
@@ -24,18 +35,13 @@ authors:
 - TOBY
 - Thais Camilo and Konstantin Haase
 - Vipul A M
-- Akzhan Abdulin
+- Zachary Scott
+- ashley williams
 - brookemckim
-- Bjørge Næss
-- Chris Heald
-- Chris Mytton
-- Corey Ward
-- Dario Cravero
-- David Kellum
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-07 00:00:00.000000000 Z
+date: 2016-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -71,48 +77,24 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 3.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-description: You should use protection!
+        version: 3.0.0
+description: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
 email:
-- konstantin.mailinglists@googlemail.com
-- p0deje@gmail.com
-- jstaten07@gmail.com
-- patrick@soundcloud.com
-- jeff.welling@gmail.com
-- bugant@gmail.com
-- daydream.trippers@gmail.com
-- florian.gilcher@asquera.de
-- developer@fojasaur.us
-- ujifgc@gmail.com
-- mael@clerambault.fr
-- martin.mauch@gmail.com
-- rennex@iki.fi
-- kaz.july.7@gmail.com
-- s.savulchik@gmail.com
-- steve.agalloco@gmail.com
-- toby.net.info.mail+git@gmail.com
-- dev+narwen+rkh@rkh.im
-- vipulnsward@gmail.com
-- akzhan.abdulin@gmail.com
-- brooke@digitalocean.com
-- bjoerge@bengler.no
-- cheald@gmail.com
-- self@hecticjeff.net
-- coreyward@me.com
-- dario@uxtemple.com
-- dek-oss@gravitext.com
-- homakov@gmail.com
+- mail@zzak.io
+- konstantin.haase@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- Gemfile
 - License
 - README.md
 - Rakefile
@@ -133,22 +115,7 @@ files:
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
-- spec/authenticity_token_spec.rb
-- spec/base_spec.rb
-- spec/escaped_params_spec.rb
-- spec/form_token_spec.rb
-- spec/frame_options_spec.rb
-- spec/http_origin_spec.rb
-- spec/ip_spoofing_spec.rb
-- spec/json_csrf_spec.rb
-- spec/path_traversal_spec.rb
-- spec/protection_spec.rb
-- spec/remote_referrer_spec.rb
-- spec/remote_token_spec.rb
-- spec/session_hijacking_spec.rb
-- spec/spec_helper.rb
-- spec/xss_header_spec.rb
-homepage: http://github.com/rkh/rack-protection
+homepage: http://github.com/sinatra/rack-protection
 licenses:
 - MIT
 metadata: {}
@@ -163,13 +130,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: You should use protection!
+summary: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
 test_files: []
+has_rdoc: 

data/spec/authenticity_token_spec.rb

@@ -1,48 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::AuthenticityToken do
-  it_behaves_like "any rack application"
-
-  it "denies post requests without any token" do
-    post('/').should_not be_ok
-  end
-
-  it "accepts post requests with correct X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with wrong X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-
-  it "prevents ajax requests without a valid token" do
-    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
-  end
-
-  it "allows for a custom authenticity token param" do
-    mock_app do
-      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
-    end
-
-    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "sets a new csrf token for the session in env, even after a 'safe' request" do
-    get('/', {}, {})
-    env['rack.session'][:csrf].should_not be_nil
-  end
-end

data/spec/base_spec.rb

@@ -1,40 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::Base do
-
-  subject { described_class.new(lambda {}) }
-
-  describe "#random_string" do
-    it "outputs a string of 32 characters" do
-      subject.random_string.length.should == 32
-    end
-  end
-
-  describe "#referrer" do
-    it "Reads referrer from Referer header" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
-      subject.referrer(env).should == "bar.com"
-    end
-
-    it "Reads referrer from Host header when Referer header is relative" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
-      subject.referrer(env).should == "foo.com"
-    end
-
-    it "Reads referrer from Host header when Referer header is missing" do
-      env = {"HTTP_HOST" => "foo.com"}
-      subject.referrer(env).should == "foo.com"
-    end
-
-    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
-      env = {"HTTP_HOST" => "foo.com"}
-      subject.options[:allow_empty_referrer] = false
-      subject.referrer(env).should be_nil
-    end
-
-    it "Returns nil when Referer header is invalid" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
-      subject.referrer(env).should be_nil
-    end
-  end
-end

data/spec/escaped_params_spec.rb

@@ -1,43 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::EscapedParams do
-  it_behaves_like "any rack application"
-
-  context 'escaping' do
-    it 'escapes html entities' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
-      end
-      get '/', :foo => "<bar>"
-      body.should == '&lt;bar&gt;'
-    end
-
-    it 'leaves normal params untouched' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
-      end
-      get '/', :foo => "bar"
-      body.should == 'bar'
-    end
-
-    it 'copes with nested arrays' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']['bar']]]
-      end
-      get '/', :foo => {:bar => "<bar>"}
-      body.should == '&lt;bar&gt;'
-    end
-
-    it 'leaves cache-breaker params untouched' do
-      mock_app do |env|
-        [200, {'Content-Type' => 'text/plain'}, ['hi']]
-      end
-
-      get '/?95df8d9bf5237ad08df3115ee74dcb10'
-      body.should == 'hi'
-    end
-  end
-end

data/spec/form_token_spec.rb

@@ -1,33 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::FormToken do
-  it_behaves_like "any rack application"
-
-  it "denies post requests without any token" do
-    post('/').should_not be_ok
-  end
-
-  it "accepts post requests with correct X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with wrong X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-
-  it "accepts ajax requests without a valid token" do
-    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
-  end
-end