rack-protection 1.5.5 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
-  data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
+  metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
+  data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
 SHA512:
-  metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
-  data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58
+  metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
+  data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59

data/Gemfile

@@ -0,0 +1,13 @@
+source "https://rubygems.org"
+# encoding: utf-8
+
+gem 'rake'
+
+rack_version = ENV['rack'].to_s
+rack_version = nil if rack_version.empty? or rack_version == 'stable'
+rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+gem 'rack', rack_version
+
+gem 'sinatra', path: '..'
+
+gemspec

data/License

@@ -1,4 +1,7 @@
-Copyright (c) 2011 Konstantin Haase
+The MIT License (MIT)
+
+Copyright (c) 2011-2017 Konstantin Haase
+Copyright (c) 2015-2017 Zachary Scott
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,4 +1,4 @@
-You should use protection!
+# Rack::Protection
 
 This gem protects against typical web attacks.
 Should work for all Rack apps, including Rails.
@@ -38,43 +38,55 @@ run MyApp
 
 Prevented by:
 
-* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
-* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
-* `Rack::Protection::JsonCsrf`
-* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
-* `Rack::Protection::RemoteToken`
-* `Rack::Protection::HttpOrigin`
+* [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
+* [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
+* [`Rack::Protection::JsonCsrf`][json-csrf]
+* [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
+* [`Rack::Protection::RemoteToken`][remote-token]
+* [`Rack::Protection::HttpOrigin`][http-origin]
 
 ## Cross Site Scripting
 
 Prevented by:
 
-* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XSSHeader` (Internet Explorer only)
+* [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
+* [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
+* [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
 
 ## Clickjacking
 
 Prevented by:
 
-* `Rack::Protection::FrameOptions`
+* [`Rack::Protection::FrameOptions`][frame-options]
 
 ## Directory Traversal
 
 Prevented by:
 
-* `Rack::Protection::PathTraversal`
+* [`Rack::Protection::PathTraversal`][path-traversal]
 
 ## Session Hijacking
 
 Prevented by:
 
-* `Rack::Protection::SessionHijacking`
+* [`Rack::Protection::SessionHijacking`][session-hijacking]
+
+## Cookie Tossing
+
+Prevented by:
+* [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
 
 ## IP Spoofing
 
 Prevented by:
 
-* `Rack::Protection::IPSpoofing`
+* [`Rack::Protection::IPSpoofing`][ip-spoofing]
+
+## Helps to protect against protocol downgrade attacks and cookie hijacking
+
+Prevented by:
+
+* [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
 
 # Installation
 
@@ -88,3 +100,19 @@ use Rack::Protection, instrumenter: ActiveSupport::Notifications
 ```
 
 The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
+
+[authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
+[content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
+[cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
+[escaped-params]: http://www.sinatrarb.com/protection/escaped_params
+[form-token]: http://www.sinatrarb.com/protection/form_token
+[frame-options]: http://www.sinatrarb.com/protection/frame_options
+[http-origin]: http://www.sinatrarb.com/protection/http_origin
+[ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
+[json-csrf]: http://www.sinatrarb.com/protection/json_csrf
+[path-traversal]: http://www.sinatrarb.com/protection/path_traversal
+[remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
+[remote-token]: http://www.sinatrarb.com/protection/remote_token
+[session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
+[strict-transport]: http://www.sinatrarb.com/protection/strict_transport
+[xss-header]: http://www.sinatrarb.com/protection/xss_header

data/Rakefile

@@ -11,6 +11,33 @@ end
 desc "run specs"
 task(:spec) { ruby '-S rspec spec' }
 
+namespace :doc do
+  task :readmes do
+    Dir.glob 'lib/rack/protection/*.rb' do |file|
+      excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
+      next if excluded_files.include?(file)
+      doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
+      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
+      Dir.mkdir "doc" unless File.directory? "doc"
+      puts "writing #{file}"
+      File.open(file, "w") { |f| f << doc }
+    end
+  end
+
+  task :index do
+    doc = File.read("README.md")
+    file = "doc/rack-protection-readme.md"
+    Dir.mkdir "doc" unless File.directory? "doc"
+    puts "writing #{file}"
+    File.open(file, "w") { |f| f << doc }
+  end
+
+  task :all => [:readmes, :index]
+end
+
+desc "generate documentation"
+task :doc => 'doc:all'
+
 desc "generate gemspec"
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
@@ -19,13 +46,10 @@ task 'rack-protection.gemspec' do
   # fetch data
   fields = {
     :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
-    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
+    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
   }
 
-  # double email :(
-  fields[:email].delete("konstantin.haase@gmail.com")
-
   # insert data
   fields.each do |field, values|
     updated = "  s.#{field} = ["

data/lib/rack/protection.rb

@@ -3,36 +3,53 @@ require 'rack'
 
 module Rack
   module Protection
-    autoload :AuthenticityToken, 'rack/protection/authenticity_token'
-    autoload :Base,              'rack/protection/base'
-    autoload :EscapedParams,     'rack/protection/escaped_params'
-    autoload :FormToken,         'rack/protection/form_token'
-    autoload :FrameOptions,      'rack/protection/frame_options'
-    autoload :HttpOrigin,        'rack/protection/http_origin'
-    autoload :IPSpoofing,        'rack/protection/ip_spoofing'
-    autoload :JsonCsrf,          'rack/protection/json_csrf'
-    autoload :PathTraversal,     'rack/protection/path_traversal'
-    autoload :RemoteReferrer,    'rack/protection/remote_referrer'
-    autoload :RemoteToken,       'rack/protection/remote_token'
-    autoload :SessionHijacking,  'rack/protection/session_hijacking'
-    autoload :XSSHeader,         'rack/protection/xss_header'
+    autoload :AuthenticityToken,     'rack/protection/authenticity_token'
+    autoload :Base,                  'rack/protection/base'
+    autoload :CookieTossing,         'rack/protection/cookie_tossing'
+    autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
+    autoload :EscapedParams,         'rack/protection/escaped_params'
+    autoload :FormToken,             'rack/protection/form_token'
+    autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HttpOrigin,            'rack/protection/http_origin'
+    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,              'rack/protection/json_csrf'
+    autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :ReferrerPolicy,        'rack/protection/referrer_policy'
+    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
+    autoload :RemoteToken,           'rack/protection/remote_token'
+    autoload :SessionHijacking,      'rack/protection/session_hijacking'
+    autoload :StrictTransport,       'rack/protection/strict_transport'
+    autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
       # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
+
+      if options.fetch(:without_session, false)
+        except += [:session_hijacking, :remote_token]
+      end
+
       Rack::Builder.new do
-        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
-        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
-        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
-        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
-        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
-        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
-        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
-        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
-        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
-        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
+        # Off by default, unless added
+        use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
+        use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
+        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
+        use ::Rack::Protection::EscapedParams,         options if use_these.include? :escaped_params
+        use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
+        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
+
+        # On by default, unless skipped
+        use ::Rack::Protection::FrameOptions,          options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,            options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,            options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
+        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
+        use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app
     end

data/lib/rack/protection/authenticity_token.rb

@@ -1,4 +1,6 @@
 require 'rack/protection'
+require 'securerandom'
+require 'base64'
 
 module Rack
   module Protection
@@ -7,24 +9,194 @@ module Rack
     # Supported browsers:: all
     # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
     #
-    # Only accepts unsafe HTTP requests if a given access token matches the token
-    # included in the session.
+    # This middleware only accepts requests other than <tt>GET</tt>,
+    # <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
+    # token matches the token included in the session.
     #
-    # Compatible with Rails and rack-csrf.
+    # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
+    # data.
     #
-    # Options:
+    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
     #
-    # authenticity_param: Defines the param's name that should contain the token on a request.
+    # == Options
     #
+    # [<tt>:authenticity_param</tt>] the name of the param that should contain
+    #                                the token on a request. Default value:
+    #                                <tt>"authenticity_token"</tt>
+    #
+    # == Example: Forms application
+    #
+    # To show what the AuthenticityToken does, this section includes a sample
+    # program which shows two forms. One with, and one without a CSRF token
+    # The one without CSRF token field will get a 403 Forbidden response.
+    #
+    # Install the gem, then run the program:
+    #
+    #   gem install 'rack-protection'
+    #   ruby server.rb
+    #
+    # Here is <tt>server.rb</tt>:
+    #
+    #   require 'rack/protection'
+    #
+    #   app = Rack::Builder.app do
+    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Protection::AuthenticityToken
+    #
+    #     run -> (env) do
+    #       [200, {}, [
+    #         <<~EOS
+    #           <!DOCTYPE html>
+    #           <html lang="en">
+    #           <head>
+    #             <meta charset="UTF-8" />
+    #             <title>rack-protection minimal example</title>
+    #           </head>
+    #           <body>
+    #             <h1>Without Authenticity Token</h1>
+    #             <p>This takes you to <tt>Forbidden</tt></p>
+    #             <form action="" method="post">
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #
+    #             <h1>With Authenticity Token</h1>
+    #             <p>This successfully takes you to back to this form.</p>
+    #             <form action="" method="post">
+    #               <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #           </body>
+    #           </html>
+    #         EOS
+    #       ]]
+    #     end
+    #   end
+    #
+    #   Rack::Handler::WEBrick.run app
+    #
+    # == Example: Customize which POST parameter holds the token
+    #
+    # To customize the authenticity parameter for form data, use the
+    # <tt>:authenticity_param</tt> option:
+    #   use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
     class AuthenticityToken < Base
-      default_options :authenticity_param => 'authenticity_token'
+      TOKEN_LENGTH = 32
+
+      default_options :authenticity_param => 'authenticity_token',
+                      :allow_if => nil
+
+      def self.token(session)
+        self.new(nil).mask_authenticity_token(session)
+      end
+
+      def self.random_token
+        SecureRandom.base64(TOKEN_LENGTH)
+      end
 
       def accepts?(env)
         session = session env
-        token   = session[:csrf] ||= session['_csrf_token'] || random_string
+        set_token(session)
+
         safe?(env) ||
-          secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
-          secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
+          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
+          ( options[:allow_if] && options[:allow_if].call(env) )
+      end
+
+      def mask_authenticity_token(session)
+        token = set_token(session)
+        mask_token(token)
+      end
+
+      private
+
+      def set_token(session)
+        session[:csrf] ||= self.class.random_token
+      end
+
+      # Checks the client's masked token to see if it matches the
+      # session token.
+      def valid_token?(session, token)
+        return false if token.nil? || token.empty?
+
+        begin
+          token = decode_token(token)
+        rescue ArgumentError # encoded_masked_token is invalid Base64
+          return false
+        end
+
+        # See if it's actually a masked token or not. We should be able
+        # to handle any unmasked tokens that we've issued without error.
+
+        if unmasked_token?(token)
+          compare_with_real_token token, session
+
+        elsif masked_token?(token)
+          token = unmask_token(token)
+
+          compare_with_real_token token, session
+
+        else
+          false # Token is malformed
+        end
+      end
+
+      # Creates a masked version of the authenticity token that varies
+      # on each request. The masking is used to mitigate SSL attacks
+      # like BREACH.
+      def mask_token(token)
+        token = decode_token(token)
+        one_time_pad = SecureRandom.random_bytes(token.length)
+        encrypted_token = xor_byte_strings(one_time_pad, token)
+        masked_token = one_time_pad + encrypted_token
+        encode_token(masked_token)
+      end
+
+      # Essentially the inverse of +mask_token+.
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        token_length = masked_token.length / 2
+        one_time_pad = masked_token[0...token_length]
+        encrypted_token = masked_token[token_length..-1]
+        xor_byte_strings(one_time_pad, encrypted_token)
+      end
+
+      def unmasked_token?(token)
+        token.length == TOKEN_LENGTH
+      end
+
+      def masked_token?(token)
+        token.length == TOKEN_LENGTH * 2
+      end
+
+      def compare_with_real_token(token, session)
+        secure_compare(token, real_token(session))
+      end
+
+      def real_token(session)
+        decode_token(session[:csrf])
+      end
+
+      def encode_token(token)
+        Base64.strict_encode64(token)
+      end
+
+      def decode_token(token)
+        Base64.strict_decode64(token)
+      end
+
+      def xor_byte_strings(s1, s2)
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
       end
     end
   end