rack-protection 1.5.5 → 2.1.0

data/lib/rack/protection/xss_header.rb

@@ -4,7 +4,7 @@ module Rack
   module Protection
     ##
     # Prevented attack::   Non-permanent XSS
-    # Supported browsers:: Internet Explorer 8 and later
+    # Supported browsers:: Internet Explorer 8+ and Chrome
     # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
     #
     # Sets X-XSS-Protection header to tell the browser to block attacks.

data/rack-protection.gemspec

@@ -1,118 +1,40 @@
-# Run `rake rack-protection.gemspec` to update the gemspec.
+version = File.read(File.expand_path("../../VERSION", __FILE__)).strip
+
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.5.5"
-  s.description = "You should use protection!"
-  s.homepage    = "http://github.com/rkh/rack-protection"
+  s.version     = version
+  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
+  s.homepage    = "http://sinatrarb.com/protection/"
   s.summary     = s.description
   s.license     = 'MIT'
-
-  # generated from git shortlog -sn
-  s.authors = [
-    "Konstantin Haase",
-    "Alex Rodionov",
-    "Patrick Ellis",
-    "Jason Staten",
-    "ITO Nobuaki",
-    "Jeff Welling",
-    "Matteo Centenaro",
-    "Egor Homakov",
-    "Florian Gilcher",
-    "Fojas",
-    "Igor Bochkariov",
-    "Mael Clerambault",
-    "Martin Mauch",
-    "Renne Nissinen",
-    "SAKAI, Kazuaki",
-    "Stanislav Savulchik",
-    "Steve Agalloco",
-    "TOBY",
-    "Thais Camilo and Konstantin Haase",
-    "Vipul A M",
-    "Akzhan Abdulin",
-    "brookemckim",
-    "Bj\u{f8}rge N\u{e6}ss",
-    "Chris Heald",
-    "Chris Mytton",
-    "Corey Ward",
-    "Dario Cravero",
-    "David Kellum"
-  ]
-
-  # generated from git shortlog -sne
-  s.email = [
-    "konstantin.mailinglists@googlemail.com",
-    "p0deje@gmail.com",
-    "jstaten07@gmail.com",
-    "patrick@soundcloud.com",
-    "jeff.welling@gmail.com",
-    "bugant@gmail.com",
-    "daydream.trippers@gmail.com",
-    "florian.gilcher@asquera.de",
-    "developer@fojasaur.us",
-    "ujifgc@gmail.com",
-    "mael@clerambault.fr",
-    "martin.mauch@gmail.com",
-    "rennex@iki.fi",
-    "kaz.july.7@gmail.com",
-    "s.savulchik@gmail.com",
-    "steve.agalloco@gmail.com",
-    "toby.net.info.mail+git@gmail.com",
-    "dev+narwen+rkh@rkh.im",
-    "vipulnsward@gmail.com",
-    "akzhan.abdulin@gmail.com",
-    "brooke@digitalocean.com",
-    "bjoerge@bengler.no",
-    "cheald@gmail.com",
-    "self@hecticjeff.net",
-    "coreyward@me.com",
-    "dario@uxtemple.com",
-    "dek-oss@gravitext.com",
-    "homakov@gmail.com"
-  ]
-
-  # generated from git ls-files
-  s.files = [
+  s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
+  s.email       = "sinatrarb@googlegroups.com"
+  s.files       = Dir["lib/**/*.rb"] + [
     "License",
     "README.md",
     "Rakefile",
-    "lib/rack-protection.rb",
-    "lib/rack/protection.rb",
-    "lib/rack/protection/authenticity_token.rb",
-    "lib/rack/protection/base.rb",
-    "lib/rack/protection/escaped_params.rb",
-    "lib/rack/protection/form_token.rb",
-    "lib/rack/protection/frame_options.rb",
-    "lib/rack/protection/http_origin.rb",
-    "lib/rack/protection/ip_spoofing.rb",
-    "lib/rack/protection/json_csrf.rb",
-    "lib/rack/protection/path_traversal.rb",
-    "lib/rack/protection/remote_referrer.rb",
-    "lib/rack/protection/remote_token.rb",
-    "lib/rack/protection/session_hijacking.rb",
-    "lib/rack/protection/version.rb",
-    "lib/rack/protection/xss_header.rb",
-    "rack-protection.gemspec",
-    "spec/authenticity_token_spec.rb",
-    "spec/base_spec.rb",
-    "spec/escaped_params_spec.rb",
-    "spec/form_token_spec.rb",
-    "spec/frame_options_spec.rb",
-    "spec/http_origin_spec.rb",
-    "spec/ip_spoofing_spec.rb",
-    "spec/json_csrf_spec.rb",
-    "spec/path_traversal_spec.rb",
-    "spec/protection_spec.rb",
-    "spec/remote_referrer_spec.rb",
-    "spec/remote_token_spec.rb",
-    "spec/session_hijacking_spec.rb",
-    "spec/spec_helper.rb",
-    "spec/xss_header_spec.rb"
+    "Gemfile",
+    "rack-protection.gemspec"
   ]
 
+  if s.respond_to?(:metadata)
+    s.metadata = {
+      'source_code_uri'   => 'https://github.com/sinatra/sinatra/tree/master/rack-protection',
+      'homepage_uri'      => 'http://sinatrarb.com/protection/',
+      'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection'
+    }
+  else
+    raise <<-EOF
+RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
+  gem install rubygems-update
+  update_rubygems:
+  gem update --system
+EOF
+  end
+
   # dependencies
   s.add_dependency "rack"
   s.add_development_dependency "rack-test"
-  s.add_development_dependency "rspec", "~> 2.0"
+  s.add_development_dependency "rspec", "~> 3.6"
 end

metadata

@@ -1,41 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.5.5
+  version: 2.1.0
 platform: ruby
 authors:
-- Konstantin Haase
-- Alex Rodionov
-- Patrick Ellis
-- Jason Staten
-- ITO Nobuaki
-- Jeff Welling
-- Matteo Centenaro
-- Egor Homakov
-- Florian Gilcher
-- Fojas
-- Igor Bochkariov
-- Mael Clerambault
-- Martin Mauch
-- Renne Nissinen
-- SAKAI, Kazuaki
-- Stanislav Savulchik
-- Steve Agalloco
-- TOBY
-- Thais Camilo and Konstantin Haase
-- Vipul A M
-- Akzhan Abdulin
-- brookemckim
-- Bjørge Næss
-- Chris Heald
-- Chris Mytton
-- Corey Ward
-- Dario Cravero
-- David Kellum
+- https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-07 00:00:00.000000000 Z
+date: 2020-09-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -71,48 +44,22 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
-description: You should use protection!
-email:
-- konstantin.mailinglists@googlemail.com
-- p0deje@gmail.com
-- jstaten07@gmail.com
-- patrick@soundcloud.com
-- jeff.welling@gmail.com
-- bugant@gmail.com
-- daydream.trippers@gmail.com
-- florian.gilcher@asquera.de
-- developer@fojasaur.us
-- ujifgc@gmail.com
-- mael@clerambault.fr
-- martin.mauch@gmail.com
-- rennex@iki.fi
-- kaz.july.7@gmail.com
-- s.savulchik@gmail.com
-- steve.agalloco@gmail.com
-- toby.net.info.mail+git@gmail.com
-- dev+narwen+rkh@rkh.im
-- vipulnsward@gmail.com
-- akzhan.abdulin@gmail.com
-- brooke@digitalocean.com
-- bjoerge@bengler.no
-- cheald@gmail.com
-- self@hecticjeff.net
-- coreyward@me.com
-- dario@uxtemple.com
-- dek-oss@gravitext.com
-- homakov@gmail.com
+        version: '3.6'
+description: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
+email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- Gemfile
 - License
 - README.md
 - Rakefile
@@ -120,6 +67,8 @@ files:
 - lib/rack/protection.rb
 - lib/rack/protection/authenticity_token.rb
 - lib/rack/protection/base.rb
+- lib/rack/protection/content_security_policy.rb
+- lib/rack/protection/cookie_tossing.rb
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
@@ -127,31 +76,21 @@ files:
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
 - lib/rack/protection/path_traversal.rb
+- lib/rack/protection/referrer_policy.rb
 - lib/rack/protection/remote_referrer.rb
 - lib/rack/protection/remote_token.rb
 - lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/strict_transport.rb
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
-- spec/authenticity_token_spec.rb
-- spec/base_spec.rb
-- spec/escaped_params_spec.rb
-- spec/form_token_spec.rb
-- spec/frame_options_spec.rb
-- spec/http_origin_spec.rb
-- spec/ip_spoofing_spec.rb
-- spec/json_csrf_spec.rb
-- spec/path_traversal_spec.rb
-- spec/protection_spec.rb
-- spec/remote_referrer_spec.rb
-- spec/remote_token_spec.rb
-- spec/session_hijacking_spec.rb
-- spec/spec_helper.rb
-- spec/xss_header_spec.rb
-homepage: http://github.com/rkh/rack-protection
+homepage: http://sinatrarb.com/protection/
 licenses:
 - MIT
-metadata: {}
+metadata:
+  source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
+  homepage_uri: http://sinatrarb.com/protection/
+  documentation_uri: https://www.rubydoc.info/gems/rack-protection
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -167,9 +106,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
-summary: You should use protection!
+summary: Protect against typical web attacks, works with all Rack apps, including
+  Rails.
 test_files: []

data/spec/authenticity_token_spec.rb

@@ -1,48 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::AuthenticityToken do
-  it_behaves_like "any rack application"
-
-  it "denies post requests without any token" do
-    post('/').should_not be_ok
-  end
-
-  it "accepts post requests with correct X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with wrong X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-
-  it "prevents ajax requests without a valid token" do
-    post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
-  end
-
-  it "allows for a custom authenticity token param" do
-    mock_app do
-      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
-      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
-    end
-
-    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "sets a new csrf token for the session in env, even after a 'safe' request" do
-    get('/', {}, {})
-    env['rack.session'][:csrf].should_not be_nil
-  end
-end

data/spec/base_spec.rb

@@ -1,40 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::Base do
-
-  subject { described_class.new(lambda {}) }
-
-  describe "#random_string" do
-    it "outputs a string of 32 characters" do
-      subject.random_string.length.should == 32
-    end
-  end
-
-  describe "#referrer" do
-    it "Reads referrer from Referer header" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
-      subject.referrer(env).should == "bar.com"
-    end
-
-    it "Reads referrer from Host header when Referer header is relative" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
-      subject.referrer(env).should == "foo.com"
-    end
-
-    it "Reads referrer from Host header when Referer header is missing" do
-      env = {"HTTP_HOST" => "foo.com"}
-      subject.referrer(env).should == "foo.com"
-    end
-
-    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
-      env = {"HTTP_HOST" => "foo.com"}
-      subject.options[:allow_empty_referrer] = false
-      subject.referrer(env).should be_nil
-    end
-
-    it "Returns nil when Referer header is invalid" do
-      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
-      subject.referrer(env).should be_nil
-    end
-  end
-end

data/spec/escaped_params_spec.rb

@@ -1,43 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::EscapedParams do
-  it_behaves_like "any rack application"
-
-  context 'escaping' do
-    it 'escapes html entities' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
-      end
-      get '/', :foo => "<bar>"
-      body.should == '&lt;bar&gt;'
-    end
-
-    it 'leaves normal params untouched' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']]]
-      end
-      get '/', :foo => "bar"
-      body.should == 'bar'
-    end
-
-    it 'copes with nested arrays' do
-      mock_app do |env|
-        request = Rack::Request.new(env)
-        [200, {'Content-Type' => 'text/plain'}, [request.params['foo']['bar']]]
-      end
-      get '/', :foo => {:bar => "<bar>"}
-      body.should == '&lt;bar&gt;'
-    end
-
-    it 'leaves cache-breaker params untouched' do
-      mock_app do |env|
-        [200, {'Content-Type' => 'text/plain'}, ['hi']]
-      end
-
-      get '/?95df8d9bf5237ad08df3115ee74dcb10'
-      body.should == 'hi'
-    end
-  end
-end