rack-protection 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 60b24d006884c214484d2d6275ddfd9a09719fe6
-  data.tar.gz: b43b08983d4fc1fcf5525d28e0b704e49ee93a25
+SHA256:
+  metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
+  data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
 SHA512:
-  metadata.gz: 926c434a0da749f9e615786c4600d7f3a933454ba179b4f3671d3abeb65d843281b95038258edaac3f01ae447c032aa8844141de0a399fd5447e6cbab12deac6
-  data.tar.gz: 64892fdb92b20c537ffebbbc00d374e4d0bd07cf37dab25c21c95676b371477356c7ba3a52945e0f9a84b0db40bbd3fc964aa21a8525ed2bfac4dd3be204817f
+  metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
+  data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59

data/Gemfile

@@ -1,4 +1,4 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 # encoding: utf-8
 
 gem 'rake'

data/README.md

@@ -1,7 +1,5 @@
 # Rack::Protection
 
-[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
-
 This gem protects against typical web attacks.
 Should work for all Rack apps, including Rails.
 
@@ -40,55 +38,55 @@ run MyApp
 
 Prevented by:
 
-* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
-* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
-* `Rack::Protection::JsonCsrf`
-* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
-* `Rack::Protection::RemoteToken`
-* `Rack::Protection::HttpOrigin`
+* [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
+* [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
+* [`Rack::Protection::JsonCsrf`][json-csrf]
+* [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
+* [`Rack::Protection::RemoteToken`][remote-token]
+* [`Rack::Protection::HttpOrigin`][http-origin]
 
 ## Cross Site Scripting
 
 Prevented by:
 
-* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
-* `Rack::Protection::ContentSecurityPolicy`
+* [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
+* [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
+* [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
 
 ## Clickjacking
 
 Prevented by:
 
-* `Rack::Protection::FrameOptions`
+* [`Rack::Protection::FrameOptions`][frame-options]
 
 ## Directory Traversal
 
 Prevented by:
 
-* `Rack::Protection::PathTraversal`
+* [`Rack::Protection::PathTraversal`][path-traversal]
 
 ## Session Hijacking
 
 Prevented by:
 
-* `Rack::Protection::SessionHijacking`
+* [`Rack::Protection::SessionHijacking`][session-hijacking]
 
 ## Cookie Tossing
 
 Prevented by:
-* `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
+* [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
 
 ## IP Spoofing
 
 Prevented by:
 
-* `Rack::Protection::IPSpoofing`
+* [`Rack::Protection::IPSpoofing`][ip-spoofing]
 
 ## Helps to protect against protocol downgrade attacks and cookie hijacking
 
 Prevented by:
 
-* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
+* [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
 
 # Installation
 
@@ -102,3 +100,19 @@ use Rack::Protection, instrumenter: ActiveSupport::Notifications
 ```
 
 The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
+
+[authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
+[content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
+[cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
+[escaped-params]: http://www.sinatrarb.com/protection/escaped_params
+[form-token]: http://www.sinatrarb.com/protection/form_token
+[frame-options]: http://www.sinatrarb.com/protection/frame_options
+[http-origin]: http://www.sinatrarb.com/protection/http_origin
+[ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
+[json-csrf]: http://www.sinatrarb.com/protection/json_csrf
+[path-traversal]: http://www.sinatrarb.com/protection/path_traversal
+[remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
+[remote-token]: http://www.sinatrarb.com/protection/remote_token
+[session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
+[strict-transport]: http://www.sinatrarb.com/protection/strict_transport
+[xss-header]: http://www.sinatrarb.com/protection/xss_header

data/Rakefile

@@ -24,7 +24,15 @@ namespace :doc do
     end
   end
 
-  task :all => [:readmes]
+  task :index do
+    doc = File.read("README.md")
+    file = "doc/rack-protection-readme.md"
+    Dir.mkdir "doc" unless File.directory? "doc"
+    puts "writing #{file}"
+    File.open(file, "w") { |f| f << doc }
+  end
+
+  task :all => [:readmes, :index]
 end
 
 desc "generate documentation"

data/lib/rack/protection.rb

@@ -14,6 +14,7 @@ module Rack
     autoload :IPSpoofing,            'rack/protection/ip_spoofing'
     autoload :JsonCsrf,              'rack/protection/json_csrf'
     autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :ReferrerPolicy,        'rack/protection/referrer_policy'
     autoload :RemoteReferrer,        'rack/protection/remote_referrer'
     autoload :RemoteToken,           'rack/protection/remote_token'
     autoload :SessionHijacking,      'rack/protection/session_hijacking'
@@ -32,9 +33,11 @@ module Rack
       Rack::Builder.new do
         # Off by default, unless added
         use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
-        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
         use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
+        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
+        use ::Rack::Protection::EscapedParams,         options if use_these.include? :escaped_params
         use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
         use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
         use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
 

data/lib/rack/protection/authenticity_token.rb

@@ -9,14 +9,78 @@ module Rack
     # Supported browsers:: all
     # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
     #
-    # Only accepts unsafe HTTP requests if a given access token matches the token
-    # included in the session.
+    # This middleware only accepts requests other than <tt>GET</tt>,
+    # <tt>HEAD</tt>, <tt>OPTIONS</tt>, <tt>TRACE</tt> if their given access
+    # token matches the token included in the session.
     #
-    # Compatible with rack-csrf.
+    # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
+    # data.
     #
-    # Options:
+    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
     #
-    # authenticity_param: Defines the param's name that should contain the token on a request.
+    # == Options
+    #
+    # [<tt>:authenticity_param</tt>] the name of the param that should contain
+    #                                the token on a request. Default value:
+    #                                <tt>"authenticity_token"</tt>
+    #
+    # == Example: Forms application
+    #
+    # To show what the AuthenticityToken does, this section includes a sample
+    # program which shows two forms. One with, and one without a CSRF token
+    # The one without CSRF token field will get a 403 Forbidden response.
+    #
+    # Install the gem, then run the program:
+    #
+    #   gem install 'rack-protection'
+    #   ruby server.rb
+    #
+    # Here is <tt>server.rb</tt>:
+    #
+    #   require 'rack/protection'
+    #
+    #   app = Rack::Builder.app do
+    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Protection::AuthenticityToken
+    #
+    #     run -> (env) do
+    #       [200, {}, [
+    #         <<~EOS
+    #           <!DOCTYPE html>
+    #           <html lang="en">
+    #           <head>
+    #             <meta charset="UTF-8" />
+    #             <title>rack-protection minimal example</title>
+    #           </head>
+    #           <body>
+    #             <h1>Without Authenticity Token</h1>
+    #             <p>This takes you to <tt>Forbidden</tt></p>
+    #             <form action="" method="post">
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #
+    #             <h1>With Authenticity Token</h1>
+    #             <p>This successfully takes you to back to this form.</p>
+    #             <form action="" method="post">
+    #               <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
+    #               <input type="text" name="foo" />
+    #               <input type="submit" />
+    #             </form>
+    #           </body>
+    #           </html>
+    #         EOS
+    #       ]]
+    #     end
+    #   end
+    #
+    #   Rack::Handler::WEBrick.run app
+    #
+    # == Example: Customize which POST parameter holds the token
+    #
+    # To customize the authenticity parameter for form data, use the
+    # <tt>:authenticity_param</tt> option:
+    #   use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
     class AuthenticityToken < Base
       TOKEN_LENGTH = 32
 
@@ -125,7 +189,14 @@ module Rack
       end
 
       def xor_byte_strings(s1, s2)
-        s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -13,7 +13,7 @@ module Rack
         :session_key => 'rack.session',    :status    => 403,
         :allow_empty_referrer => true,
         :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml]
+        :html_types           => %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options

data/lib/rack/protection/content_security_policy.rb

@@ -36,16 +36,15 @@ module Rack
     #          to be used in a policy.
     #
     class ContentSecurityPolicy < Base
-      default_options default_src: :none, script_src: "'self'",
-                      img_src: "'self'", style_src: "'self'",
-                      connect_src: "'self'", report_only: false
+      default_options default_src: "'self'", report_only: false
 
       DIRECTIVES = %i(base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
-                      style_src worker_src).freeze
+                      style_src worker_src webrtc_src navigate_to
+                      prefetch_src).freeze
 
       NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
                              upgrade_insecure_requests).freeze
@@ -62,7 +61,7 @@ module Rack
         # Set these key values to boolean 'true' to include in policy
         NO_ARG_DIRECTIVES.each do |d|
           if options.key?(d) && options[d].is_a?(TrueClass)
-            directives << d.to_s.sub(/_/, '-')
+            directives << d.to_s.tr('_', '-')
           end
         end
 

data/lib/rack/protection/http_origin.rb

@@ -9,11 +9,11 @@ module Rack
     #                      http://tools.ietf.org/html/draft-abarth-origin
     #
     # Does not accept unsafe HTTP requests when value of Origin HTTP request header
-    # does not match default or whitelisted URIs.
+    # does not match default or permitted URIs.
     #
-    # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
+    # If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
     #
-    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
+    #     use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
     #
     # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
     class HttpOrigin < Base
@@ -32,7 +32,14 @@ module Rack
         return true unless origin = env['HTTP_ORIGIN']
         return true if base_url(env) == origin
         return true if options[:allow_if] && options[:allow_if].call(env)
-        Array(options[:origin_whitelist]).include? origin
+
+        if options.key? :origin_whitelist
+          warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
+            "use permitted_origins instead.\n"
+        end
+
+        permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
+        Array(permitted_origins).include? origin
       end
 
     end

data/lib/rack/protection/path_traversal.rb

@@ -19,19 +19,14 @@ module Rack
       end
 
       def cleanup(path)
-        if path.respond_to?(:encoding)
-          # Ruby 1.9+ M17N
-          encoding = path.encoding
-          dot   = '.'.encode(encoding)
-          slash = '/'.encode(encoding)
-        else
-          # Ruby 1.8
-          dot   = '.'
-          slash = '/'
-        end
+        encoding = path.encoding
+        dot   = '.'.encode(encoding)
+        slash = '/'.encode(encoding)
+        backslash = '\\'.encode(encoding)
 
         parts     = []
-        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)
 
         unescaped.split(slash).each do |part|
           next if part.empty? or part == dot

data/lib/rack/protection/referrer_policy.rb

@@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Secret leakage, third party tracking
+    # Supported browsers:: mixed support
+    # More infos::         https://www.w3.org/TR/referrer-policy/
+    #                      https://caniuse.com/#search=referrer-policy
+    #
+    # Sets Referrer-Policy header to tell the browser to limit the Referer header.
+    #
+    # Options:
+    # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
+    class ReferrerPolicy < Base
+      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/session_hijacking.rb

@@ -14,7 +14,7 @@ module Rack
     class SessionHijacking < Base
       default_reaction :drop_session
       default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
+        :track => %w[HTTP_USER_AGENT]
 
       def accepts?(env)
         session = session env

data/lib/rack/protection/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module Protection
-    VERSION = '2.0.0'
+    VERSION = '2.1.0'
   end
 end

data/rack-protection.gemspec

@@ -5,7 +5,7 @@ Gem::Specification.new do |s|
   s.name        = "rack-protection"
   s.version     = version
   s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
-  s.homepage    = "http://github.com/sinatra/sinatra/tree/master/rack-protection"
+  s.homepage    = "http://sinatrarb.com/protection/"
   s.summary     = s.description
   s.license     = 'MIT'
   s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
@@ -18,8 +18,23 @@ Gem::Specification.new do |s|
     "rack-protection.gemspec"
   ]
 
+  if s.respond_to?(:metadata)
+    s.metadata = {
+      'source_code_uri'   => 'https://github.com/sinatra/sinatra/tree/master/rack-protection',
+      'homepage_uri'      => 'http://sinatrarb.com/protection/',
+      'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection'
+    }
+  else
+    raise <<-EOF
+RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
+  gem install rubygems-update
+  update_rubygems:
+  gem update --system
+EOF
+  end
+
   # dependencies
   s.add_dependency "rack"
   s.add_development_dependency "rack-test"
-  s.add_development_dependency "rspec", "~> 3.0.0"
+  s.add_development_dependency "rspec", "~> 3.6"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-07 00:00:00.000000000 Z
+date: 2020-09-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '3.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '3.6'
 description: Protect against typical web attacks, works with all Rack apps, including
   Rails.
 email: sinatrarb@googlegroups.com
@@ -76,6 +76,7 @@ files:
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
 - lib/rack/protection/path_traversal.rb
+- lib/rack/protection/referrer_policy.rb
 - lib/rack/protection/remote_referrer.rb
 - lib/rack/protection/remote_token.rb
 - lib/rack/protection/session_hijacking.rb
@@ -83,10 +84,13 @@ files:
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
-homepage: http://github.com/sinatra/sinatra/tree/master/rack-protection
+homepage: http://sinatrarb.com/protection/
 licenses:
 - MIT
-metadata: {}
+metadata:
+  source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
+  homepage_uri: http://sinatrarb.com/protection/
+  documentation_uri: https://www.rubydoc.info/gems/rack-protection
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -102,8 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including