rack-protection 1.5.5 → 2.0.0.beta1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/Gemfile +13 -0
- data/README.md +16 -2
- data/Rakefile +2 -5
- data/lib/rack/protection.rb +38 -24
- data/lib/rack/protection/authenticity_token.rb +104 -4
- data/lib/rack/protection/base.rb +2 -21
- data/lib/rack/protection/escaped_params.rb +2 -0
- data/lib/rack/protection/http_origin.rb +8 -0
- data/lib/rack/protection/json_csrf.rb +18 -2
- data/lib/rack/protection/path_traversal.rb +1 -4
- data/lib/rack/protection/version.rb +1 -12
- data/lib/rack/protection/xss_header.rb +1 -1
- data/rack-protection.gemspec +39 -69
- metadata +30 -61
- data/spec/authenticity_token_spec.rb +0 -48
- data/spec/base_spec.rb +0 -40
- data/spec/escaped_params_spec.rb +0 -43
- data/spec/form_token_spec.rb +0 -33
- data/spec/frame_options_spec.rb +0 -39
- data/spec/http_origin_spec.rb +0 -38
- data/spec/ip_spoofing_spec.rb +0 -35
- data/spec/json_csrf_spec.rb +0 -58
- data/spec/path_traversal_spec.rb +0 -41
- data/spec/protection_spec.rb +0 -105
- data/spec/remote_referrer_spec.rb +0 -31
- data/spec/remote_token_spec.rb +0 -42
- data/spec/session_hijacking_spec.rb +0 -55
- data/spec/spec_helper.rb +0 -163
- data/spec/xss_header_spec.rb +0 -56
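--- a/data/spec/spec_helper.rb
+++ /dev/null
@@ -1,163 +0,0 @@
-require 'rack/protection'
-require 'rack/test'
-require 'rack'
-require 'forwardable'
-require 'stringio'
-
-if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
-version = Gem.loaded_specs['rack'].version.to_s
-else
-version = Rack.release + '.0'
-end
-
-if version == "1.3"
-Rack::Session::Abstract::ID.class_eval do
-private
-def prepare_session(env)
-session_was = env[ENV_SESSION_KEY]
-env[ENV_SESSION_KEY] = SessionHash.new(self, env)
-env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
-env[ENV_SESSION_KEY].merge! session_was if session_was
-end
-end
-end
-
-unless Rack::MockResponse.method_defined? :header
-Rack::MockResponse.send(:alias_method, :header, :headers)
-end
-
-module DummyApp
-def self.call(env)
-Thread.current[:last_env] = env
-body = (env['REQUEST_METHOD'] == 'HEAD' ? '' : 'ok')
-[200, {'Content-Type' => env['wants'] || 'text/plain'}, [body]]
-end
-end
-
-module TestHelpers
-extend Forwardable
-def_delegators :last_response, :body, :headers, :status, :errors
-def_delegators :current_session, :env_for
-attr_writer :app
-
-def app
-@app || mock_app(DummyApp)
-end
-
-def mock_app(app = nil, &block)
-app = block if app.nil? and block.arity == 1
-if app
-klass = described_class
-mock_app do
-use Rack::Head
-use(Rack::Config) { |e| e['rack.session'] ||= {}}
-use klass
-run app
-end
-else
-@app = Rack::Lint.new Rack::Builder.new(&block).to_app
-end
-end
-
-def with_headers(headers)
-proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
-end
-
-def env
-Thread.current[:last_env]
-end
-end
-
-# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
-module NotImplementedAsPending
-def self.included(base)
-base.class_eval do
-alias_method :__finish__, :finish
-remove_method :finish
-end
-end
-
-def finish(reporter)
-if @exception.is_a?(NotImplementedError)
-from = @exception.backtrace[0]
-message = "#{@exception.message} (from #{from})"
-@pending_declared_in_example = message
-metadata[:pending] = true
-@exception = nil
-end
-
-__finish__(reporter)
-end
-
-RSpec::Core::Example.send :include, self
-end
-
-RSpec.configure do |config|
-config.expect_with :rspec, :stdlib
-config.include Rack::Test::Methods
-config.include TestHelpers
-end
-
-shared_examples_for 'any rack application' do
-it "should not interfere with normal get requests" do
-get('/').should be_ok
-body.should == 'ok'
-end
-
-it "should not interfere with normal head requests" do
-head('/').should be_ok
-end
-
-it 'should not leak changes to env' do
-klass = described_class
-detector = Struct.new(:app)
-
-detector.send(:define_method, :call) do |env|
-was = env.dup
-res = app.call(env)
-was.each do |k,v|
-next if env[k] == v
-fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
-end
-res
-end
-
-mock_app do
-use Rack::Head
-use(Rack::Config) { |e| e['rack.session'] ||= {}}
-use detector
-use klass
-run DummyApp
-end
-
-get('/..', :foo => '<bar>').should be_ok
-end
-
-it 'allows passing on values in env' do
-klass = described_class
-detector = Struct.new(:app)
-changer = Struct.new(:app)
-
-detector.send(:define_method, :call) do |env|
-res = app.call(env)
-env['foo.bar'].should == 42
-res
-end
-
-changer.send(:define_method, :call) do |env|
-env['foo.bar'] = 42
-app.call(env)
-end
-
-mock_app do
-use Rack::Head
-use(Rack::Config) { |e| e['rack.session'] ||= {}}
-use detector
-use klass
-use changer
-run DummyApp
-end
-
-get('/').should be_ok
-end
-end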
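--- a/data/spec/xss_header_spec.rb
+++ /dev/null
@@ -1,56 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::XSSHeader do
-it_behaves_like "any rack application"
-
-it 'should set the X-XSS-Protection' do
-get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"].should == "1; mode=block"
-end
-
-it 'should set the X-XSS-Protection for XHTML' do
-get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"].should == "1; mode=block"
-end
-
-it 'should not set the X-XSS-Protection for other content types' do
-get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"].should be_nil
-end
-
-it 'should allow changing the protection mode' do
-# I have no clue what other modes are available
-mock_app do
-use Rack::Protection::XSSHeader, :xss_mode => :foo
-run DummyApp
-end
-
-get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"].should == "1; mode=foo"
-end
-
-it 'should not override the header if already set' do
-mock_app with_headers("X-XSS-Protection" => "0")
-get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"].should == "0"
-end
-
-it 'should set the X-Content-Type-Options' do
-get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
-end
-
-
-it 'should set the X-Content-Type-Options for other content types' do
-get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
-end
-
-
-it 'should allow changing the nosniff-mode off' do
-mock_app do
-use Rack::Protection::XSSHeader, :nosniff => false
-run DummyApp
-end
-
-get('/').headers["X-Content-Type-Options"].should be_nil
-end
-
-it 'should not override the header if already set X-Content-Type-Options' do
-mock_app with_headers("X-Content-Type-Options" => "sniff")
-get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"].should == "sniff"
-end
-end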