rack-protection 2.0.0 → 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +31 -17
- data/Rakefile +9 -1
- data/lib/rack/protection/path_traversal.rb +4 -1
- data/lib/rack/protection/version.rb +1 -1
- data/rack-protection.gemspec +2 -2
- metadata +6 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 82bb8eedbee01c6c9183404515dc70cc7135844d
|
4
|
+
data.tar.gz: 19f676ac801969dbc0dd7a04dbeb5dc7561c5b76
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 30b9dfe62c92269b96c52fa344b5d53fe074a87366a556f1321c7b4f93466f89745f2f8d4acc5d190f316e1cef01a846a797e198e7304310bfa57c6a2f7ec99e
|
7
|
+
data.tar.gz: a1821675a3324d297c37bae3c7aa5e606e9a879ed097ec163d4148657de18efc918477b062ea176c547393830e93d56e5c3149b20e7bcee63de6dde2101da392
|
data/README.md
CHANGED
@@ -1,7 +1,5 @@
|
|
1
1
|
# Rack::Protection
|
2
2
|
|
3
|
-
[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
|
4
|
-
|
5
3
|
This gem protects against typical web attacks.
|
6
4
|
Should work for all Rack apps, including Rails.
|
7
5
|
|
@@ -40,55 +38,55 @@ run MyApp
|
|
40
38
|
|
41
39
|
Prevented by:
|
42
40
|
|
43
|
-
* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
|
44
|
-
* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
|
45
|
-
* `Rack::Protection::JsonCsrf`
|
46
|
-
* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
|
47
|
-
* `Rack::Protection::RemoteToken`
|
48
|
-
* `Rack::Protection::HttpOrigin`
|
41
|
+
* [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
|
42
|
+
* [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
|
43
|
+
* [`Rack::Protection::JsonCsrf`][json-csrf]
|
44
|
+
* [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
|
45
|
+
* [`Rack::Protection::RemoteToken`][remote-token]
|
46
|
+
* [`Rack::Protection::HttpOrigin`][http-origin]
|
49
47
|
|
50
48
|
## Cross Site Scripting
|
51
49
|
|
52
50
|
Prevented by:
|
53
51
|
|
54
|
-
* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
|
55
|
-
* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
|
56
|
-
* `Rack::Protection::ContentSecurityPolicy`
|
52
|
+
* [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
|
53
|
+
* [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
|
54
|
+
* [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
|
57
55
|
|
58
56
|
## Clickjacking
|
59
57
|
|
60
58
|
Prevented by:
|
61
59
|
|
62
|
-
* `Rack::Protection::FrameOptions`
|
60
|
+
* [`Rack::Protection::FrameOptions`][frame-options]
|
63
61
|
|
64
62
|
## Directory Traversal
|
65
63
|
|
66
64
|
Prevented by:
|
67
65
|
|
68
|
-
* `Rack::Protection::PathTraversal`
|
66
|
+
* [`Rack::Protection::PathTraversal`][path-traversal]
|
69
67
|
|
70
68
|
## Session Hijacking
|
71
69
|
|
72
70
|
Prevented by:
|
73
71
|
|
74
|
-
* `Rack::Protection::SessionHijacking`
|
72
|
+
* [`Rack::Protection::SessionHijacking`][session-hijacking]
|
75
73
|
|
76
74
|
## Cookie Tossing
|
77
75
|
|
78
76
|
Prevented by:
|
79
|
-
* `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
|
77
|
+
* [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
|
80
78
|
|
81
79
|
## IP Spoofing
|
82
80
|
|
83
81
|
Prevented by:
|
84
82
|
|
85
|
-
* `Rack::Protection::IPSpoofing`
|
83
|
+
* [`Rack::Protection::IPSpoofing`][ip-spoofing]
|
86
84
|
|
87
85
|
## Helps to protect against protocol downgrade attacks and cookie hijacking
|
88
86
|
|
89
87
|
Prevented by:
|
90
88
|
|
91
|
-
* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
|
89
|
+
* [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
|
92
90
|
|
93
91
|
# Installation
|
94
92
|
|
@@ -102,3 +100,19 @@ use Rack::Protection, instrumenter: ActiveSupport::Notifications
|
|
102
100
|
```
|
103
101
|
|
104
102
|
The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
|
103
|
+
|
104
|
+
[authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
|
105
|
+
[content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
|
106
|
+
[cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
|
107
|
+
[escaped-params]: http://www.sinatrarb.com/protection/escaped_params
|
108
|
+
[form-token]: http://www.sinatrarb.com/protection/form_token
|
109
|
+
[frame-options]: http://www.sinatrarb.com/protection/frame_options
|
110
|
+
[http-origin]: http://www.sinatrarb.com/protection/http_origin
|
111
|
+
[ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
|
112
|
+
[json-csrf]: http://www.sinatrarb.com/protection/json_csrf
|
113
|
+
[path-traversal]: http://www.sinatrarb.com/protection/path_traversal
|
114
|
+
[remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
|
115
|
+
[remote-token]: http://www.sinatrarb.com/protection/remote_token
|
116
|
+
[session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
|
117
|
+
[strict-transport]: http://www.sinatrarb.com/protection/strict_transport
|
118
|
+
[xss-header]: http://www.sinatrarb.com/protection/xss_header
|
data/Rakefile
CHANGED
@@ -24,7 +24,15 @@ namespace :doc do
|
|
24
24
|
end
|
25
25
|
end
|
26
26
|
|
27
|
-
task :
|
27
|
+
task :index do
|
28
|
+
doc = File.read("README.md")
|
29
|
+
file = "doc/rack-protection-readme.md"
|
30
|
+
Dir.mkdir "doc" unless File.directory? "doc"
|
31
|
+
puts "writing #{file}"
|
32
|
+
File.open(file, "w") { |f| f << doc }
|
33
|
+
end
|
34
|
+
|
35
|
+
task :all => [:readmes, :index]
|
28
36
|
end
|
29
37
|
|
30
38
|
desc "generate documentation"
|
@@ -24,14 +24,17 @@ module Rack
|
|
24
24
|
encoding = path.encoding
|
25
25
|
dot = '.'.encode(encoding)
|
26
26
|
slash = '/'.encode(encoding)
|
27
|
+
backslash = '\\'.encode(encoding)
|
27
28
|
else
|
28
29
|
# Ruby 1.8
|
29
30
|
dot = '.'
|
30
31
|
slash = '/'
|
32
|
+
backslash = '\\'
|
31
33
|
end
|
32
34
|
|
33
35
|
parts = []
|
34
|
-
unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
|
36
|
+
unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
|
37
|
+
unescaped = unescaped.gsub(backslash, slash)
|
35
38
|
|
36
39
|
unescaped.split(slash).each do |part|
|
37
40
|
next if part.empty? or part == dot
|
data/rack-protection.gemspec
CHANGED
@@ -5,7 +5,7 @@ Gem::Specification.new do |s|
|
|
5
5
|
s.name = "rack-protection"
|
6
6
|
s.version = version
|
7
7
|
s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
|
8
|
-
s.homepage = "http://
|
8
|
+
s.homepage = "http://www.sinatrarb.com/protection/"
|
9
9
|
s.summary = s.description
|
10
10
|
s.license = 'MIT'
|
11
11
|
s.authors = ["https://github.com/sinatra/sinatra/graphs/contributors"]
|
@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
|
|
21
21
|
# dependencies
|
22
22
|
s.add_dependency "rack"
|
23
23
|
s.add_development_dependency "rack-test"
|
24
|
-
s.add_development_dependency "rspec", "~> 3.
|
24
|
+
s.add_development_dependency "rspec", "~> 3.6"
|
25
25
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-protection
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- https://github.com/sinatra/sinatra/graphs/contributors
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2018-02-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -44,14 +44,14 @@ dependencies:
|
|
44
44
|
requirements:
|
45
45
|
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: 3.
|
47
|
+
version: '3.6'
|
48
48
|
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: 3.
|
54
|
+
version: '3.6'
|
55
55
|
description: Protect against typical web attacks, works with all Rack apps, including
|
56
56
|
Rails.
|
57
57
|
email: sinatrarb@googlegroups.com
|
@@ -83,7 +83,7 @@ files:
|
|
83
83
|
- lib/rack/protection/version.rb
|
84
84
|
- lib/rack/protection/xss_header.rb
|
85
85
|
- rack-protection.gemspec
|
86
|
-
homepage: http://
|
86
|
+
homepage: http://www.sinatrarb.com/protection/
|
87
87
|
licenses:
|
88
88
|
- MIT
|
89
89
|
metadata: {}
|
@@ -103,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
103
103
|
version: '0'
|
104
104
|
requirements: []
|
105
105
|
rubyforge_project:
|
106
|
-
rubygems_version: 2.6.
|
106
|
+
rubygems_version: 2.6.8
|
107
107
|
signing_key:
|
108
108
|
specification_version: 4
|
109
109
|
summary: Protect against typical web attacks, works with all Rack apps, including
|