rack-protection 1.5.5 → 2.1.0

data/lib/rack/protection/base.rb

@@ -1,4 +1,5 @@
 require 'rack/protection'
+require 'rack/utils'
 require 'digest'
 require 'logger'
 require 'uri'
@@ -12,7 +13,7 @@ module Rack
         :session_key => 'rack.session',    :status    => 403,
         :allow_empty_referrer => true,
         :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml]
+        :html_types           => %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options
@@ -110,28 +111,8 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
-      # The implementations of secure_compare and bytesize are taken from
-      # Rack::Utils to be able to support rack older than XXXX.
       def secure_compare(a, b)
-        return false unless bytesize(a) == bytesize(b)
-
-        l = a.unpack("C*")
-
-        r, i = 0, -1
-        b.each_byte { |v| r |= v ^ l[i+=1] }
-        r == 0
-      end
-
-      # Return the bytesize of String; uses String#size under Ruby 1.8 and
-      # String#bytesize under 1.9.
-      if ''.respond_to?(:bytesize)
-        def bytesize(string)
-          string.bytesize
-        end
-      else
-        def bytesize(string)
-          string.size
-        end
+        Rack::Utils.secure_compare(a.to_s, b.to_s)
       end
 
       alias default_reaction deny

data/lib/rack/protection/content_security_policy.rb

@@ -0,0 +1,79 @@
+# -*- coding: utf-8 -*-
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS and others
+    # Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
+    #
+    # Description:: Content Security Policy, a mechanism web applications
+    #               can use to mitigate a broad class of content injection
+    #               vulnerabilities, such as cross-site scripting (XSS).
+    #               Content Security Policy is a declarative policy that lets
+    #               the authors (or server administrators) of a web application
+    #               inform the client about the sources from which the
+    #               application expects to load resources.
+    #
+    # More info::   W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
+    #               W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
+    #               W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
+    #               https://developer.mozilla.org/en-US/docs/Web/Security/CSP
+    #               http://caniuse.com/#search=ContentSecurityPolicy
+    #               http://content-security-policy.com/
+    #               https://securityheaders.io
+    #               https://scotthelme.co.uk/csp-cheat-sheet/
+    #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+    #
+    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    #
+    # Options: ContentSecurityPolicy configuration is a complex topic with
+    #          several levels of support that has evolved over time.
+    #          See the W3C documentation and the links in the more info
+    #          section for CSP usage examples and best practices. The
+    #          CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
+    #          presented in the options hash with a boolean 'true' in order
+    #          to be used in a policy.
+    #
+    class ContentSecurityPolicy < Base
+      default_options default_src: "'self'", report_only: false
+
+      DIRECTIVES = %i(base_uri child_src connect_src default_src
+                      font_src form_action frame_ancestors frame_src
+                      img_src manifest_src media_src object_src
+                      plugin_types referrer reflected_xss report_to
+                      report_uri require_sri_for sandbox script_src
+                      style_src worker_src webrtc_src navigate_to
+                      prefetch_src).freeze
+
+      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
+                             upgrade_insecure_requests).freeze
+
+      def csp_policy
+        directives = []
+
+        DIRECTIVES.each do |d|
+          if options.key?(d)
+            directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
+          end
+        end
+
+        # Set these key values to boolean 'true' to include in policy
+        NO_ARG_DIRECTIVES.each do |d|
+          if options.key?(d) && options[d].is_a?(TrueClass)
+            directives << d.to_s.tr('_', '-')
+          end
+        end
+
+        directives.compact.sort.join('; ')
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        headers[header] ||= csp_policy if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/cookie_tossing.rb

@@ -0,0 +1,75 @@
+require 'rack/protection'
+require 'pathname'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Cookie Tossing
+    # Supported browsers:: all
+    # More infos::         https://github.com/blog/1466-yummy-cookies-across-domains
+    #
+    # Does not accept HTTP requests if the HTTP_COOKIE header contains more than one
+    # session cookie. This does not protect against a cookie overflow attack.
+    #
+    # Options:
+    #
+    # session_key:: The name of the session cookie (default: 'rack.session')
+    class CookieTossing < Base
+      default_reaction :deny
+
+      def call(env)
+        status, headers, body = super
+        response = Rack::Response.new(body, status, headers)
+        request = Rack::Request.new(env)
+        remove_bad_cookies(request, response)
+        response.finish
+      end
+
+      def accepts?(env)
+        cookie_header = env['HTTP_COOKIE']
+        cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
+        cookies.each do |k, v|
+          if k == session_key && Array(v).size > 1
+            bad_cookies << k
+          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+            bad_cookies << k
+          end
+        end
+        bad_cookies.empty?
+      end
+
+      def remove_bad_cookies(request, response)
+        return if bad_cookies.empty?
+        paths = cookie_paths(request.path)
+        bad_cookies.each do |name|
+          paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
+        end
+      end
+
+      def redirect(env)
+        request = Request.new(env)
+        warn env, "attack prevented by #{self.class}"
+        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+      end
+
+      def bad_cookies
+        @bad_cookies ||= []
+      end
+
+      def cookie_paths(path)
+        path = '/' if path.to_s.empty?
+        paths = []
+        Pathname.new(path).descend { |p| paths << p.to_s }
+        paths
+      end
+
+      def empty_cookie(host, path)
+        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+      end
+
+      def session_key
+        @session_key ||= options[:session_key]
+      end
+    end
+  end
+end

data/lib/rack/protection/escaped_params.rb

@@ -1,5 +1,6 @@
 require 'rack/protection'
 require 'rack/utils'
+require 'tempfile'
 
 begin
   require 'escape_utils'
@@ -66,6 +67,7 @@ module Rack
         when Hash   then escape_hash(object)
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
+        when Tempfile then object
         else nil
         end
       end

data/lib/rack/protection/form_token.rb

@@ -13,7 +13,7 @@ module Rack
     # This middleware is not used when using the Rack::Protection collection,
     # since it might be a security issue, depending on your application
     #
-    # Compatible with Rails and rack-csrf.
+    # Compatible with rack-csrf.
     class FormToken < AuthenticityToken
       def accepts?(env)
         env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super

data/lib/rack/protection/http_origin.rb

@@ -9,10 +9,17 @@ module Rack
     #                      http://tools.ietf.org/html/draft-abarth-origin
     #
     # Does not accept unsafe HTTP requests when value of Origin HTTP request header
-    # does not match default or whitelisted URIs.
+    # does not match default or permitted URIs.
+    #
+    # If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
+    #
+    #     use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny
+      default_options :allow_if => nil
 
       def base_url(env)
         request = Rack::Request.new(env)
@@ -24,7 +31,15 @@ module Rack
         return true if safe? env
         return true unless origin = env['HTTP_ORIGIN']
         return true if base_url(env) == origin
-        Array(options[:origin_whitelist]).include? origin
+        return true if options[:allow_if] && options[:allow_if].call(env)
+
+        if options.key? :origin_whitelist
+          warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
+            "use permitted_origins instead.\n"
+        end
+
+        permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
+        Array(permitted_origins).include? origin
       end
 
     end

data/lib/rack/protection/json_csrf.rb

@@ -5,21 +5,30 @@ module Rack
     ##
     # Prevented attack::   CSRF
     # Supported browsers:: all
-    # More infos::         http://flask.pocoo.org/docs/security/#json-security
+    # More infos::         http://flask.pocoo.org/docs/0.10/security/#json-security
+    #                      http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
     #
-    # JSON GET APIs are vulnerable to being embedded as JavaScript while the
+    # JSON GET APIs are vulnerable to being embedded as JavaScript when the
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
+    #
+    # If request includes Origin HTTP header, defers to HttpOrigin to determine
+    # if the request is safe. Please refer to the documentation for more info.
+    #
+    # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
     class JsonCsrf < Base
+      default_options :allow_if => nil
+
       alias react deny
 
       def call(env)
         request               = Request.new(env)
         status, headers, body = app.call(env)
 
-        if has_vector? request, headers
+        if has_vector?(request, headers)
           warn env, "attack prevented by #{self.class}"
-          react(env) or [status, headers, body]
+
+          react_and_close(env, body) or [status, headers, body]
         else
           [status, headers, body]
         end
@@ -27,9 +36,22 @@ module Rack
 
       def has_vector?(request, headers)
         return false if request.xhr?
+        return false if options[:allow_if] && options[:allow_if].call(request.env)
         return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
         origin(request.env).nil? and referrer(request.env) != request.host
       end
+
+      def react_and_close(env, body)
+        reaction = react(env)
+
+        close_body(body) if reaction
+
+        reaction
+      end
+
+      def close_body(body)
+        body.close if body.respond_to?(:close)
+      end
     end
   end
 end

data/lib/rack/protection/path_traversal.rb

@@ -19,18 +19,10 @@ module Rack
       end
 
       def cleanup(path)
-        if path.respond_to?(:encoding)
-          # Ruby 1.9+ M17N
-          encoding = path.encoding
-          dot   = '.'.encode(encoding)
-          slash = '/'.encode(encoding)
-          backslash = '\\'.encode(encoding)
-        else
-          # Ruby 1.8
-          dot   = '.'
-          slash = '/'
-          backslash = '\\'
-        end
+        encoding = path.encoding
+        dot   = '.'.encode(encoding)
+        slash = '/'.encode(encoding)
+        backslash = '\\'.encode(encoding)
 
         parts     = []
         unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)

data/lib/rack/protection/referrer_policy.rb

@@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Secret leakage, third party tracking
+    # Supported browsers:: mixed support
+    # More infos::         https://www.w3.org/TR/referrer-policy/
+    #                      https://caniuse.com/#search=referrer-policy
+    #
+    # Sets Referrer-Policy header to tell the browser to limit the Referer header.
+    #
+    # Options:
+    # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
+    class ReferrerPolicy < Base
+      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/remote_token.rb

@@ -10,7 +10,7 @@ module Rack
     # Only accepts unsafe HTTP requests if a given access token matches the token
     # included in the session *or* the request comes from the same origin.
     #
-    # Compatible with Rails and rack-csrf.
+    # Compatible with rack-csrf.
     class RemoteToken < AuthenticityToken
       default_reaction :deny
 

data/lib/rack/protection/session_hijacking.rb

@@ -14,7 +14,7 @@ module Rack
     class SessionHijacking < Base
       default_reaction :drop_session
       default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
+        :track => %w[HTTP_USER_AGENT]
 
       def accepts?(env)
         session = session env

data/lib/rack/protection/strict_transport.rb

@@ -0,0 +1,39 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Protects against against protocol downgrade attacks and cookie hijacking.
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    #
+    # browser will prevent any communications from being sent over HTTP
+    # to the specified domain and will instead send all communications over HTTPS.
+    # It also prevents HTTPS click through prompts on browsers.
+    #
+    # Options:
+    #
+    # max_age:: How long future requests to the domain should go over HTTPS; specified in seconds
+    # include_subdomains:: If all present and future subdomains will be HTTPS
+    # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
+
+    class StrictTransport < Base
+      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+
+      def strict_transport
+        @strict_transport ||= begin
+          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport += '; includeSubDomains' if options[:include_subdomains]
+          strict_transport += '; preload' if options[:preload]
+          strict_transport.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Strict-Transport-Security'] ||= strict_transport
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -1,16 +1,5 @@
 module Rack
   module Protection
-    def self.version
-      VERSION
-    end
-
-    SIGNATURE = [1, 5, 5]
-    VERSION   = SIGNATURE.join('.')
-
-    VERSION.extend Comparable
-    def VERSION.<=>(other)
-      other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
-      SIGNATURE <=> Array(other)
-    end
+    VERSION = '2.1.0'
   end
 end