rack-protection 2.0.0 → 2.0.1.rc1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 60b24d006884c214484d2d6275ddfd9a09719fe6
4
- data.tar.gz: b43b08983d4fc1fcf5525d28e0b704e49ee93a25
3
+ metadata.gz: 9ca2e92c0c0ea291a4fe70147390728620e34484
4
+ data.tar.gz: 2d0def4c47eeb73f7bb726d30efe6c89211c8a7e
5
5
  SHA512:
6
- metadata.gz: 926c434a0da749f9e615786c4600d7f3a933454ba179b4f3671d3abeb65d843281b95038258edaac3f01ae447c032aa8844141de0a399fd5447e6cbab12deac6
7
- data.tar.gz: 64892fdb92b20c537ffebbbc00d374e4d0bd07cf37dab25c21c95676b371477356c7ba3a52945e0f9a84b0db40bbd3fc964aa21a8525ed2bfac4dd3be204817f
6
+ metadata.gz: 4f63dd691c176f7a1d765c6780565797441d203df82473d5e75c4ebbdd84771f5aee2ba318726292e8692d5c489e4794b16c5fa1c40c5bb722782d615524272e
7
+ data.tar.gz: d3c6150b41f30cf81e0fe4135d3cd470e76a2506b9578ed5500ba5c4211d8a76a2d07650c149e151d06b8fc12752ce40899dcd992f80b4b9f7f6b98707f77f13
data/README.md CHANGED
@@ -1,7 +1,5 @@
1
1
  # Rack::Protection
2
2
 
3
- [![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
4
-
5
3
  This gem protects against typical web attacks.
6
4
  Should work for all Rack apps, including Rails.
7
5
 
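Review bot: Removing the Travis badge (the `- [![Build Status]...` line) leaves the README with no CI status link at all; if the build moved to another CI service, this hunk should add that badge in its place rather than dropping build visibility entirely.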
@@ -40,55 +38,55 @@ run MyApp
40
38
 
41
39
  Prevented by:
42
40
 
43
- * `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
44
- * `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
45
- * `Rack::Protection::JsonCsrf`
46
- * `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
47
- * `Rack::Protection::RemoteToken`
48
- * `Rack::Protection::HttpOrigin`
41
+ * [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
42
+ * [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
43
+ * [`Rack::Protection::JsonCsrf`][json-csrf]
44
+ * [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
45
+ * [`Rack::Protection::RemoteToken`][remote-token]
46
+ * [`Rack::Protection::HttpOrigin`][http-origin]
49
47
 
50
48
  ## Cross Site Scripting
51
49
 
52
50
  Prevented by:
53
51
 
54
- * `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
55
- * `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
56
- * `Rack::Protection::ContentSecurityPolicy`
52
+ * [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
53
+ * [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
54
+ * [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
57
55
 
58
56
  ## Clickjacking
59
57
 
60
58
  Prevented by:
61
59
 
62
- * `Rack::Protection::FrameOptions`
60
+ * [`Rack::Protection::FrameOptions`][frame-options]
63
61
 
64
62
  ## Directory Traversal
65
63
 
66
64
  Prevented by:
67
65
 
68
- * `Rack::Protection::PathTraversal`
66
+ * [`Rack::Protection::PathTraversal`][path-traversal]
69
67
 
70
68
  ## Session Hijacking
71
69
 
72
70
  Prevented by:
73
71
 
74
- * `Rack::Protection::SessionHijacking`
72
+ * [`Rack::Protection::SessionHijacking`][session-hijacking]
75
73
 
76
74
  ## Cookie Tossing
77
75
 
78
76
  Prevented by:
79
- * `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
77
+ * [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
80
78
 
81
79
  ## IP Spoofing
82
80
 
83
81
  Prevented by:
84
82
 
85
- * `Rack::Protection::IPSpoofing`
83
+ * [`Rack::Protection::IPSpoofing`][ip-spoofing]
86
84
 
87
85
  ## Helps to protect against protocol downgrade attacks and cookie hijacking
88
86
 
89
87
  Prevented by:
90
88
 
91
- * `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
89
+ * [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
92
90
 
93
91
  # Installation
94
92
 
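Review bot: Every reference label introduced in this hunk (`authenticity-token` through `strict-transport`, fifteen in total) must have a matching definition at the bottom of the README, and the `XSSHeader` item keeps its "(Internet Explorer and Chrome only)" caveat, which is worth re-checking against the browsers that still honour `X-XSS-Protection` when the docs are next touched.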
@@ -102,3 +100,19 @@ use Rack::Protection, instrumenter: ActiveSupport::Notifications
102
100
  ```
103
101
 
104
102
  The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
103
+
104
+ [authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
105
+ [content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
106
+ [cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
107
+ [escaped-params]: http://www.sinatrarb.com/protection/escaped_params
108
+ [form-token]: http://www.sinatrarb.com/protection/form_token
109
+ [frame-options]: http://www.sinatrarb.com/protection/frame_options
110
+ [http-origin]: http://www.sinatrarb.com/protection/http_origin
111
+ [ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
112
+ [json-csrf]: http://www.sinatrarb.com/protection/json_csrf
113
+ [path-traversal]: http://www.sinatrarb.com/protection/path_traversal
114
+ [remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
115
+ [remote-token]: http://www.sinatrarb.com/protection/remote_token
116
+ [session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
117
+ [strict-transport]: http://www.sinatrarb.com/protection/strict_transport
118
+ [xss-header]: http://www.sinatrarb.com/protection/xss_header
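Review bot: All fifteen link definitions point at plain `http://www.sinatrarb.com/protection/...`; for a gem that ships `Rack::Protection::StrictTransport` it would be consistent to publish its own documentation links over `https://` so that readers are not sent over an unencrypted connection.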
data/Rakefile CHANGED
@@ -24,7 +24,15 @@ namespace :doc do
24
24
  end
25
25
  end
26
26
 
27
- task :all => [:readmes]
27
+ task :index do
28
+ doc = File.read("README.md")
29
+ file = "doc/rack-protection-readme.md"
30
+ Dir.mkdir "doc" unless File.directory? "doc"
31
+ puts "writing #{file}"
32
+ File.open(file, "w") { |f| f << doc }
33
+ end
34
+
35
+ task :all => [:readmes, :index]
28
36
  end
29
37
 
30
38
  desc "generate documentation"
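Review bot: The new `task :index` has no `desc`, so it will not appear in `rake -T` even though it is now part of `doc:all`. Minor style points on the same task: `Dir.mkdir "doc" unless File.directory? "doc"` can be `FileUtils.mkdir_p "doc"`, and `File.open(file, "w") { |f| f << doc }` is simply `File.write(file, doc)`.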
@@ -24,14 +24,17 @@ module Rack
24
24
  encoding = path.encoding
25
25
  dot = '.'.encode(encoding)
26
26
  slash = '/'.encode(encoding)
27
+ backslash = '\\'.encode(encoding)
27
28
  else
28
29
  # Ruby 1.8
29
30
  dot = '.'
30
31
  slash = '/'
32
+ backslash = '\\'
31
33
  end
32
34
 
33
35
  parts = []
34
- unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
36
+ unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
37
+ unescaped = unescaped.gsub(backslash, slash)
35
38
 
36
39
  unescaped.split(slash).each do |part|
37
40
  next if part.empty? or part == dot
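Review bot: This hunk is the security-relevant change of the release, and no accompanying spec change is visible in this diff; a test that feeds both a raw backslash and a `%5c` sequence through the middleware would document the intended behaviour and guard against regression. The logic itself reads correctly: `%5c` is decoded to `backslash` alongside the existing `%2e`/`%2f` handling, then `unescaped.gsub(backslash, slash)` folds backslashes into the forward slash, so backslash-separated segments go through the same per-segment checks in the `split(slash).each` loop below instead of surviving as one opaque segment. Note that, as with `%2e` and `%2f`, only single-level encoding is handled here; double-encoded forms are left to whatever decoding happens upstream, which matches the existing behaviour but is worth a comment in the code.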
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  module Protection
3
- VERSION = '2.0.0'
3
+ VERSION = '2.0.1.rc1'
4
4
  end
5
5
  end
@@ -5,7 +5,7 @@ Gem::Specification.new do |s|
5
5
  s.name = "rack-protection"
6
6
  s.version = version
7
7
  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
8
- s.homepage = "http://github.com/sinatra/sinatra/tree/master/rack-protection"
8
+ s.homepage = "http://www.sinatrarb.com/protection/"
9
9
  s.summary = s.description
10
10
  s.license = 'MIT'
11
11
  s.authors = ["https://github.com/sinatra/sinatra/graphs/contributors"]
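Review bot: The new `s.homepage` value uses `http://` rather than `https://`; RubyGems displays this URL on the gem page, so it is the first link users follow and should be served over TLS where the site supports it.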
@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
21
21
  # dependencies
22
22
  s.add_dependency "rack"
23
23
  s.add_development_dependency "rack-test"
24
- s.add_development_dependency "rspec", "~> 3.0.0"
24
+ s.add_development_dependency "rspec", "~> 3.6"
25
25
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.0
4
+ version: 2.0.1.rc1
5
5
  platform: ruby
6
6
  authors:
7
7
  - https://github.com/sinatra/sinatra/graphs/contributors
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-05-07 00:00:00.000000000 Z
11
+ date: 2018-02-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -44,14 +44,14 @@ dependencies:
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: 3.0.0
47
+ version: '3.6'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: 3.0.0
54
+ version: '3.6'
55
55
  description: Protect against typical web attacks, works with all Rack apps, including
56
56
  Rails.
57
57
  email: sinatrarb@googlegroups.com
@@ -83,7 +83,7 @@ files:
83
83
  - lib/rack/protection/version.rb
84
84
  - lib/rack/protection/xss_header.rb
85
85
  - rack-protection.gemspec
86
- homepage: http://github.com/sinatra/sinatra/tree/master/rack-protection
86
+ homepage: http://www.sinatrarb.com/protection/
87
87
  licenses:
88
88
  - MIT
89
89
  metadata: {}
@@ -98,12 +98,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
98
98
  version: '0'
99
99
  required_rubygems_version: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - ">="
101
+ - - ">"
102
102
  - !ruby/object:Gem::Version
103
- version: '0'
103
+ version: 1.3.1
104
104
  requirements: []
105
105
  rubyforge_project:
106
- rubygems_version: 2.6.11
106
+ rubygems_version: 2.6.8
107
107
  signing_key:
108
108
  specification_version: 4
109
109
  summary: Protect against typical web attacks, works with all Rack apps, including
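Review bot: The `required_rubygems_version` change from `">=" '0'` to `">" 1.3.1` is the constraint RubyGems emits automatically for a prerelease version such as `2.0.1.rc1`, so it is expected and will revert on the final release. The `rubygems_version` going backwards from `2.6.11` to `2.6.8`, however, shows the gem was built on a different (older) environment than 2.0.0; that is harmless by itself but worth confirming that the release was built from the expected machine or CI job.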