rack-protection 1.5.5 → 2.1.0

Files changed (38) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile +13 -0
  3. data/License +4 -1
  4. data/README.md +41 -13
  5. data/Rakefile +29 -5
  6. data/lib/rack/protection.rb +41 -24
  7. data/lib/rack/protection/authenticity_token.rb +181 -9
  8. data/lib/rack/protection/base.rb +3 -22
  9. data/lib/rack/protection/content_security_policy.rb +79 -0
  10. data/lib/rack/protection/cookie_tossing.rb +75 -0
  11. data/lib/rack/protection/escaped_params.rb +2 -0
  12. data/lib/rack/protection/form_token.rb +1 -1
  13. data/lib/rack/protection/http_origin.rb +17 -2
  14. data/lib/rack/protection/json_csrf.rb +26 -4
  15. data/lib/rack/protection/path_traversal.rb +4 -12
  16. data/lib/rack/protection/referrer_policy.rb +25 -0
  17. data/lib/rack/protection/remote_token.rb +1 -1
  18. data/lib/rack/protection/session_hijacking.rb +1 -1
  19. data/lib/rack/protection/strict_transport.rb +39 -0
  20. data/lib/rack/protection/version.rb +1 -12
  21. data/lib/rack/protection/xss_header.rb +1 -1
  22. data/rack-protection.gemspec +26 -104
  23. metadata +21 -82
  24. data/spec/authenticity_token_spec.rb +0 -48
  25. data/spec/base_spec.rb +0 -40
  26. data/spec/escaped_params_spec.rb +0 -43
  27. data/spec/form_token_spec.rb +0 -33
  28. data/spec/frame_options_spec.rb +0 -39
  29. data/spec/http_origin_spec.rb +0 -38
  30. data/spec/ip_spoofing_spec.rb +0 -35
  31. data/spec/json_csrf_spec.rb +0 -58
  32. data/spec/path_traversal_spec.rb +0 -41
  33. data/spec/protection_spec.rb +0 -105
  34. data/spec/remote_referrer_spec.rb +0 -31
  35. data/spec/remote_token_spec.rb +0 -42
  36. data/spec/session_hijacking_spec.rb +0 -55
  37. data/spec/spec_helper.rb +0 -163
  38. data/spec/xss_header_spec.rb +0 -56
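--- a/data/spec/spec_helper.rb
+++ /dev/null
@@ -1,163 +0,0 @@
-require 'rack/protection'
-require 'rack/test'
-require 'rack'
-require 'forwardable'
-require 'stringio'
-
-if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
-version = Gem.loaded_specs['rack'].version.to_s
-else
-version = Rack.release + '.0'
-end
-
-if version == "1.3"
-Rack::Session::Abstract::ID.class_eval do
-private
-def prepare_session(env)
-session_was = env[ENV_SESSION_KEY]
-env[ENV_SESSION_KEY] = SessionHash.new(self, env)
-env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
-env[ENV_SESSION_KEY].merge! session_was if session_was
-end
-end
-end
-
-unless Rack::MockResponse.method_defined? :header
-Rack::MockResponse.send(:alias_method, :header, :headers)
-end
-
-module DummyApp
-def self.call(env)
-Thread.current[:last_env] = env
-body = (env['REQUEST_METHOD'] == 'HEAD' ? '' : 'ok')
-[200, {'Content-Type' => env['wants'] || 'text/plain'}, [body]]
-end
-end
-
-module TestHelpers
-extend Forwardable
-def_delegators :last_response, :body, :headers, :status, :errors
-def_delegators :current_session, :env_for
-attr_writer :app
-
-def app
-@app || mock_app(DummyApp)
-end
-
-def mock_app(app = nil, &block)
-app = block if app.nil? and block.arity == 1
-if app
-klass = described_class
-mock_app do
-use Rack::Head
-use(Rack::Config) { |e| e['rack.session'] ||= {}}
-use klass
-run app
-end
-else
-@app = Rack::Lint.new Rack::Builder.new(&block).to_app
-end
-end
-
-def with_headers(headers)
-proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
-end
-
-def env
-Thread.current[:last_env]
-end
-end
-
-# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
-module NotImplementedAsPending
-def self.included(base)
-base.class_eval do
-alias_method :__finish__, :finish
-remove_method :finish
-end
-end
-
-def finish(reporter)
-if @exception.is_a?(NotImplementedError)
-from = @exception.backtrace[0]
-message = "#{@exception.message} (from #{from})"
-@pending_declared_in_example = message
-metadata[:pending] = true
-@exception = nil
-end
-
-__finish__(reporter)
-end
-
-RSpec::Core::Example.send :include, self
-end
-
-RSpec.configure do |config|
-config.expect_with :rspec, :stdlib
-config.include Rack::Test::Methods
-config.include TestHelpers
-end
-
-shared_examples_for 'any rack application' do
-it "should not interfere with normal get requests" do
-get('/').should be_ok
-body.should == 'ok'
-end
-
-it "should not interfere with normal head requests" do
-head('/').should be_ok
-end
-
-it 'should not leak changes to env' do
-klass = described_class
-detector = Struct.new(:app)
-
-detector.send(:define_method, :call) do |env|
-was = env.dup
-res = app.call(env)
-was.each do |k,v|
-next if env[k] == v
-fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
-end
-res
-end
-
-mock_app do
-use Rack::Head
-use(Rack::Config) { |e| e['rack.session'] ||= {}}
-use detector
-use klass
-run DummyApp
-end
-
-get('/..', :foo => '<bar>').should be_ok
-end
-
-it 'allows passing on values in env' do
-klass = described_class
-detector = Struct.new(:app)
-changer = Struct.new(:app)
-
-detector.send(:define_method, :call) do |env|
-res = app.call(env)
-env['foo.bar'].should == 42
-res
-end
-
-changer.send(:define_method, :call) do |env|
-env['foo.bar'] = 42
-app.call(env)
-end
-
-mock_app do
-use Rack::Head
-use(Rack::Config) { |e| e['rack.session'] ||= {}}
-use detector
-use klass
-use changer
-run DummyApp
-end
-
-get('/').should be_ok
-end
-end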
@@ -1,56 +0,0 @@
1
- require File.expand_path('../spec_helper.rb', __FILE__)
2
-
3
- describe Rack::Protection::XSSHeader do
4
- it_behaves_like "any rack application"
5
-
6
- it 'should set the X-XSS-Protection' do
7
- get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"].should == "1; mode=block"
8
- end
9
-
10
- it 'should set the X-XSS-Protection for XHTML' do
11
- get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"].should == "1; mode=block"
12
- end
13
-
14
- it 'should not set the X-XSS-Protection for other content types' do
15
- get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"].should be_nil
16
- end
17
-
18
- it 'should allow changing the protection mode' do
19
- # I have no clue what other modes are available
20
- mock_app do
21
- use Rack::Protection::XSSHeader, :xss_mode => :foo
22
- run DummyApp
23
- end
24
-
25
- get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"].should == "1; mode=foo"
26
- end
27
-
28
- it 'should not override the header if already set' do
29
- mock_app with_headers("X-XSS-Protection" => "0")
30
- get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"].should == "0"
31
- end
32
-
33
- it 'should set the X-Content-Type-Options' do
34
- get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
35
- end
36
-
37
-
38
- it 'should set the X-Content-Type-Options for other content types' do
39
- get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
40
- end
41
-
42
-
43
- it 'should allow changing the nosniff-mode off' do
44
- mock_app do
45
- use Rack::Protection::XSSHeader, :nosniff => false
46
- run DummyApp
47
- end
48
-
49
- get('/').headers["X-Content-Type-Options"].should be_nil
50
- end
51
-
52
- it 'should not override the header if already set X-Content-Type-Options' do
53
- mock_app with_headers("X-Content-Type-Options" => "sniff")
54
- get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"].should == "sniff"
55
- end
56
- end