rack-protection 1.5.5 → 2.0.0.beta1

data/spec/frame_options_spec.rb

@@ -1,39 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::FrameOptions do
-  it_behaves_like "any rack application"
-
-  it 'should set the X-Frame-Options' do
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN"
-  end
-
-  it 'should not set the X-Frame-Options for other content types' do
-    get('/', {}, 'wants' => 'text/foo').headers["X-Frame-Options"].should be_nil
-  end
-
-  it 'should allow changing the protection mode' do
-    # I have no clue what other modes are available
-    mock_app do
-      use Rack::Protection::FrameOptions, :frame_options => :deny
-      run DummyApp
-    end
-
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
-  end
-
-
-  it 'should allow changing the protection mode to a string' do
-    # I have no clue what other modes are available
-    mock_app do
-      use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
-      run DummyApp
-    end
-
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
-  end
-
-  it 'should not override the header if already set' do
-    mock_app with_headers("X-Frame-Options" => "allow")
-    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "allow"
-  end
-end

data/spec/http_origin_spec.rb

@@ -1,38 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::HttpOrigin do
-  it_behaves_like "any rack application"
-
-  before(:each) do
-    mock_app do
-      use Rack::Protection::HttpOrigin
-      run DummyApp
-    end
-  end
-
-  %w(GET HEAD POST PUT DELETE).each do |method|
-    it "accepts #{method} requests with no Origin" do
-      send(method.downcase, '/').should be_ok
-    end
-  end
-
-  %w(GET HEAD).each do |method|
-    it "accepts #{method} requests with non-whitelisted Origin" do
-      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should be_ok
-    end
-  end
-
-  %w(POST PUT DELETE).each do |method|
-    it "denies #{method} requests with non-whitelisted Origin" do
-      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should_not be_ok
-    end
-
-    it "accepts #{method} requests with whitelisted Origin" do
-      mock_app do
-        use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
-        run DummyApp
-      end
-      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com').should be_ok
-    end
-  end
-end

data/spec/ip_spoofing_spec.rb

@@ -1,35 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::IPSpoofing do
-  it_behaves_like "any rack application"
-
-  it 'accepts requests without X-Forward-For header' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_REAL_IP' => '4.3.2.1')
-    last_response.should be_ok
-  end
-
-  it 'accepts requests with proper X-Forward-For header' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4',
-      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
-    last_response.should be_ok
-  end
-
-  it 'denies requests where the client spoofs X-Forward-For but not the IP' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.4', 'HTTP_X_FORWARDED_FOR' => '1.2.3.5')
-    last_response.should_not be_ok
-  end
-
-  it 'denies requests where the client spoofs the IP but not X-Forward-For' do
-    get('/', {}, 'HTTP_CLIENT_IP' => '1.2.3.5',
-      'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 1.2.3.4, 127.0.0.1')
-    last_response.should_not be_ok
-  end
-
-  it 'denies requests where IP and X-Forward-For are spoofed but not X-Real-IP' do
-    get('/', {},
-      'HTTP_CLIENT_IP'       => '1.2.3.5',
-      'HTTP_X_FORWARDED_FOR' => '1.2.3.5',
-      'HTTP_X_REAL_IP'       => '1.2.3.4')
-    last_response.should_not be_ok
-  end
-end

data/spec/json_csrf_spec.rb

@@ -1,58 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::JsonCsrf do
-  it_behaves_like "any rack application"
-
-  describe 'json response' do
-    before do
-      mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
-    end
-
-    it "denies get requests with json responses with a remote referrer" do
-      get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
-    end
-
-    it "accepts requests with json responses with a remote referrer when there's an origin header set" do
-      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
-    end
-
-    it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
-      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com').should be_ok
-    end
-
-    it "accepts get requests with json responses with a local referrer" do
-      get('/', {}, 'HTTP_REFERER' => '/').should be_ok
-    end
-
-    it "accepts get requests with json responses with no referrer" do
-      get('/', {}).should be_ok
-    end
-
-    it "accepts XHR requests" do
-      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
-    end
-
-  end
-
-  describe 'not json response' do
-
-    it "accepts get requests with 304 headers" do
-      mock_app { |e| [304, {}, []]}
-      get('/', {}).status.should == 304
-    end
-
-  end
-
-  describe 'with drop_session as default reaction' do
-    it 'still denies' do
-      mock_app do
-        use Rack::Protection, :reaction => :drop_session
-        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
-      end
-
-      session = {:foo => :bar}
-      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
-      last_response.should_not be_ok
-    end
-  end
-end

data/spec/path_traversal_spec.rb

@@ -1,41 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::PathTraversal do
-  it_behaves_like "any rack application"
-
-  context 'escaping' do
-    before do
-      mock_app { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO']]] }
-    end
-
-    %w[/foo/bar /foo/bar/ / /.f /a.x].each do |path|
-      it("does not touch #{path.inspect}") { get(path).body.should == path }
-    end
-
-    { # yes, this is ugly, feel free to change that
-      '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
-      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
-      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
-    }.each do |a, b|
-      it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
-    end
-
-    it 'should be able to deal with PATH_INFO = nil (fcgi?)' do
-      app = Rack::Protection::PathTraversal.new(proc { 42 })
-      app.call({}).should be == 42
-    end
-  end
-
-  if "".respond_to?(:encoding)  # Ruby 1.9+ M17N
-    context "PATH_INFO's encoding" do
-      before do
-        @app = Rack::Protection::PathTraversal.new(proc { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO'].encoding.to_s]] })
-      end
-
-      it 'should remain unchanged as ASCII-8BIT' do
-        body = @app.call({ 'PATH_INFO' => '/'.encode('ASCII-8BIT') })[2][0]
-        body.should == 'ASCII-8BIT'
-      end
-    end
-  end
-end

data/spec/protection_spec.rb

@@ -1,105 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection do
-  it_behaves_like "any rack application"
-
-  it 'passes on options' do
-    mock_app do
-      use Rack::Protection, :track => ['HTTP_FOO']
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
-    end
-
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session[:foo].should be == :bar
-
-    get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
-    session.should be_empty
-  end
-
-  it 'passes errors through if :reaction => :report is used' do
-    mock_app do
-      use Rack::Protection, :reaction => :report
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
-    end
-
-    session = {:foo => :bar}
-    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
-    last_response.should be_ok
-    body.should == "true"
-  end
-
-  describe "#react" do
-    it 'prevents attacks and warns about it' do
-      io = StringIO.new
-      mock_app do
-        use Rack::Protection, :logger => Logger.new(io)
-        run DummyApp
-      end
-      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
-      io.string.should match /prevented.*Origin/
-    end
-
-    it 'reports attacks if reaction is to report' do
-      io = StringIO.new
-      mock_app do
-        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
-        run DummyApp
-      end
-      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
-      io.string.should match /reported.*Origin/
-      io.string.should_not match /prevented.*Origin/
-    end
-
-    it 'passes errors to reaction method if specified' do
-      io = StringIO.new
-      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
-      mock_app do
-        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
-        run DummyApp
-      end
-      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
-      io.string.should match /HTTP_ORIGIN.*malicious.com/
-      io.string.should_not match /reported|prevented/
-    end
-  end
-
-  describe "#html?" do
-    context "given an appropriate content-type header" do
-      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
-      it { should be_true }
-    end
-
-    context "given an inappropriate content-type header" do
-      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "image/gif" }
-      it { should be_false }
-    end
-
-    context "given no content-type header" do
-      subject { Rack::Protection::Base.new(nil).html?({}) }
-      it { should be_false }
-    end
-  end
-
-  describe "#instrument" do
-    let(:env) { { 'rack.protection.attack' => 'base' } }
-    let(:instrumenter) { double('Instrumenter') }
-
-    after do
-      app.instrument(env)
-    end
-
-    context 'with an instrumenter specified' do
-      let(:app) { Rack::Protection::Base.new(nil, :instrumenter => instrumenter) }
-
-      it { instrumenter.should_receive(:instrument).with('rack.protection', env) }
-    end
-
-    context 'with no instrumenter specified' do
-      let(:app) { Rack::Protection::Base.new(nil) }
-
-      it { instrumenter.should_not_receive(:instrument) }
-    end
-  end
-end

data/spec/remote_referrer_spec.rb

@@ -1,31 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::RemoteReferrer do
-  it_behaves_like "any rack application"
-
-  it "accepts post requests with no referrer" do
-    post('/').should be_ok
-  end
-
-  it "does not accept post requests with no referrer if allow_empty_referrer is false" do
-    mock_app do
-      use Rack::Protection::RemoteReferrer, :allow_empty_referrer => false
-      run DummyApp
-    end
-    post('/').should_not be_ok
-  end
-
-  it "should allow post request with a relative referrer" do
-    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
-  end
-
-  it "accepts post requests with the same host in the referrer" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.com')
-    last_response.should be_ok
-  end
-
-  it "denies post requests with a remote referrer" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
-    last_response.should_not be_ok
-  end
-end

data/spec/remote_token_spec.rb

@@ -1,42 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::RemoteToken do
-  it_behaves_like "any rack application"
-
-  it "accepts post requests with no referrer" do
-    post('/').should be_ok
-  end
-
-  it "accepts post requests with a local referrer" do
-    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
-  end
-
-  it "denies post requests with a remote referrer and no token" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
-    last_response.should_not be_ok
-  end
-
-  it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
-      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
-      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with a remote referrer and correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
-      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with a remote referrer and wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
-      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-end

data/spec/session_hijacking_spec.rb

@@ -1,55 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::SessionHijacking do
-  it_behaves_like "any rack application"
-
-  it "accepts a session without changes to tracked parameters" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session
-    get '/', {}, 'rack.session' => session
-    session[:foo].should == :bar
-  end
-
-  it "denies requests with a changing User-Agent header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
-    session.should be_empty
-  end
-
-  it "accepts requests with a changing Accept-Encoding header" do
-    # this is tested because previously it led to clearing the session
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session.should_not be_empty
-  end
-
-  it "denies requests with a changing Accept-Language header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
-    session.should be_empty
-  end
-
-  it "accepts requests with the same Accept-Language header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    session.should_not be_empty
-  end
-
-  it "comparison of Accept-Language header is not case sensitive" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
-    session.should_not be_empty
-  end
-
-  it "accepts requests with a changing Version header"do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
-    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
-    session[:foo].should == :bar
-  end
-end