rack-protection 2.0.3 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/rack/protection/authenticity_token.rb +9 -2
- data/lib/rack/protection/content_security_policy.rb +4 -5
- data/lib/rack/protection/http_origin.rb +11 -4
- data/lib/rack/protection/path_traversal.rb +4 -12
- data/lib/rack/protection/referrer_policy.rb +25 -0
- data/lib/rack/protection/session_hijacking.rb +1 -1
- data/lib/rack/protection/version.rb +1 -1
- data/lib/rack/protection.rb +4 -1
- data/rack-protection.gemspec +16 -1
- metadata +9 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
|
|
4
|
+
data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
|
|
7
|
+
data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59
|
|
@@ -63,7 +63,7 @@ module Rack
|
|
|
63
63
|
# <h1>With Authenticity Token</h1>
|
|
64
64
|
# <p>This successfully takes you to back to this form.</p>
|
|
65
65
|
# <form action="" method="post">
|
|
66
|
-
# <input type="hidden" name="authenticity_token" value="#{env['rack.session']
|
|
66
|
+
# <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
|
|
67
67
|
# <input type="text" name="foo" />
|
|
68
68
|
# <input type="submit" />
|
|
69
69
|
# </form>
|
|
@@ -189,7 +189,14 @@ module Rack
|
|
|
189
189
|
end
|
|
190
190
|
|
|
191
191
|
def xor_byte_strings(s1, s2)
|
|
192
|
-
|
|
192
|
+
s2 = s2.dup
|
|
193
|
+
size = s1.bytesize
|
|
194
|
+
i = 0
|
|
195
|
+
while i < size
|
|
196
|
+
s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
|
|
197
|
+
i += 1
|
|
198
|
+
end
|
|
199
|
+
s2
|
|
193
200
|
end
|
|
194
201
|
end
|
|
195
202
|
end
|
|
@@ -36,16 +36,15 @@ module Rack
|
|
|
36
36
|
# to be used in a policy.
|
|
37
37
|
#
|
|
38
38
|
class ContentSecurityPolicy < Base
|
|
39
|
-
default_options default_src:
|
|
40
|
-
img_src: "'self'", style_src: "'self'",
|
|
41
|
-
connect_src: "'self'", report_only: false
|
|
39
|
+
default_options default_src: "'self'", report_only: false
|
|
42
40
|
|
|
43
41
|
DIRECTIVES = %i(base_uri child_src connect_src default_src
|
|
44
42
|
font_src form_action frame_ancestors frame_src
|
|
45
43
|
img_src manifest_src media_src object_src
|
|
46
44
|
plugin_types referrer reflected_xss report_to
|
|
47
45
|
report_uri require_sri_for sandbox script_src
|
|
48
|
-
style_src worker_src
|
|
46
|
+
style_src worker_src webrtc_src navigate_to
|
|
47
|
+
prefetch_src).freeze
|
|
49
48
|
|
|
50
49
|
NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
|
|
51
50
|
upgrade_insecure_requests).freeze
|
|
@@ -62,7 +61,7 @@ module Rack
|
|
|
62
61
|
# Set these key values to boolean 'true' to include in policy
|
|
63
62
|
NO_ARG_DIRECTIVES.each do |d|
|
|
64
63
|
if options.key?(d) && options[d].is_a?(TrueClass)
|
|
65
|
-
directives << d.to_s.
|
|
64
|
+
directives << d.to_s.tr('_', '-')
|
|
66
65
|
end
|
|
67
66
|
end
|
|
68
67
|
|
|
@@ -9,11 +9,11 @@ module Rack
|
|
|
9
9
|
# http://tools.ietf.org/html/draft-abarth-origin
|
|
10
10
|
#
|
|
11
11
|
# Does not accept unsafe HTTP requests when value of Origin HTTP request header
|
|
12
|
-
# does not match default or
|
|
12
|
+
# does not match default or permitted URIs.
|
|
13
13
|
#
|
|
14
|
-
# If you want to
|
|
14
|
+
# If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
|
|
15
15
|
#
|
|
16
|
-
# use Rack::Protection,
|
|
16
|
+
# use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
|
|
17
17
|
#
|
|
18
18
|
# The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
|
|
19
19
|
class HttpOrigin < Base
|
|
@@ -32,7 +32,14 @@ module Rack
|
|
|
32
32
|
return true unless origin = env['HTTP_ORIGIN']
|
|
33
33
|
return true if base_url(env) == origin
|
|
34
34
|
return true if options[:allow_if] && options[:allow_if].call(env)
|
|
35
|
-
|
|
35
|
+
|
|
36
|
+
if options.key? :origin_whitelist
|
|
37
|
+
warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
|
|
38
|
+
"use permitted_origins instead.\n"
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
|
|
42
|
+
Array(permitted_origins).include? origin
|
|
36
43
|
end
|
|
37
44
|
|
|
38
45
|
end
|
|
@@ -19,18 +19,10 @@ module Rack
|
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
def cleanup(path)
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
slash = '/'.encode(encoding)
|
|
27
|
-
backslash = '\\'.encode(encoding)
|
|
28
|
-
else
|
|
29
|
-
# Ruby 1.8
|
|
30
|
-
dot = '.'
|
|
31
|
-
slash = '/'
|
|
32
|
-
backslash = '\\'
|
|
33
|
-
end
|
|
22
|
+
encoding = path.encoding
|
|
23
|
+
dot = '.'.encode(encoding)
|
|
24
|
+
slash = '/'.encode(encoding)
|
|
25
|
+
backslash = '\\'.encode(encoding)
|
|
34
26
|
|
|
35
27
|
parts = []
|
|
36
28
|
unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
require 'rack/protection'
|
|
2
|
+
|
|
3
|
+
module Rack
|
|
4
|
+
module Protection
|
|
5
|
+
##
|
|
6
|
+
# Prevented attack:: Secret leakage, third party tracking
|
|
7
|
+
# Supported browsers:: mixed support
|
|
8
|
+
# More infos:: https://www.w3.org/TR/referrer-policy/
|
|
9
|
+
# https://caniuse.com/#search=referrer-policy
|
|
10
|
+
#
|
|
11
|
+
# Sets Referrer-Policy header to tell the browser to limit the Referer header.
|
|
12
|
+
#
|
|
13
|
+
# Options:
|
|
14
|
+
# referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
|
|
15
|
+
class ReferrerPolicy < Base
|
|
16
|
+
default_options :referrer_policy => 'strict-origin-when-cross-origin'
|
|
17
|
+
|
|
18
|
+
def call(env)
|
|
19
|
+
status, headers, body = @app.call(env)
|
|
20
|
+
headers['Referrer-Policy'] ||= options[:referrer_policy]
|
|
21
|
+
[status, headers, body]
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
@@ -14,7 +14,7 @@ module Rack
|
|
|
14
14
|
class SessionHijacking < Base
|
|
15
15
|
default_reaction :drop_session
|
|
16
16
|
default_options :tracking_key => :tracking, :encrypt_tracking => true,
|
|
17
|
-
:track => %w[HTTP_USER_AGENT
|
|
17
|
+
:track => %w[HTTP_USER_AGENT]
|
|
18
18
|
|
|
19
19
|
def accepts?(env)
|
|
20
20
|
session = session env
|
data/lib/rack/protection.rb
CHANGED
|
@@ -14,6 +14,7 @@ module Rack
|
|
|
14
14
|
autoload :IPSpoofing, 'rack/protection/ip_spoofing'
|
|
15
15
|
autoload :JsonCsrf, 'rack/protection/json_csrf'
|
|
16
16
|
autoload :PathTraversal, 'rack/protection/path_traversal'
|
|
17
|
+
autoload :ReferrerPolicy, 'rack/protection/referrer_policy'
|
|
17
18
|
autoload :RemoteReferrer, 'rack/protection/remote_referrer'
|
|
18
19
|
autoload :RemoteToken, 'rack/protection/remote_token'
|
|
19
20
|
autoload :SessionHijacking, 'rack/protection/session_hijacking'
|
|
@@ -32,9 +33,11 @@ module Rack
|
|
|
32
33
|
Rack::Builder.new do
|
|
33
34
|
# Off by default, unless added
|
|
34
35
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
|
35
|
-
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
|
36
36
|
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
|
37
|
+
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
|
38
|
+
use ::Rack::Protection::EscapedParams, options if use_these.include? :escaped_params
|
|
37
39
|
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
|
40
|
+
use ::Rack::Protection::ReferrerPolicy, options if use_these.include? :referrer_policy
|
|
38
41
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
|
39
42
|
use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport
|
|
40
43
|
|
data/rack-protection.gemspec
CHANGED
|
@@ -5,7 +5,7 @@ Gem::Specification.new do |s|
|
|
|
5
5
|
s.name = "rack-protection"
|
|
6
6
|
s.version = version
|
|
7
7
|
s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
|
|
8
|
-
s.homepage = "http://
|
|
8
|
+
s.homepage = "http://sinatrarb.com/protection/"
|
|
9
9
|
s.summary = s.description
|
|
10
10
|
s.license = 'MIT'
|
|
11
11
|
s.authors = ["https://github.com/sinatra/sinatra/graphs/contributors"]
|
|
@@ -18,6 +18,21 @@ Gem::Specification.new do |s|
|
|
|
18
18
|
"rack-protection.gemspec"
|
|
19
19
|
]
|
|
20
20
|
|
|
21
|
+
if s.respond_to?(:metadata)
|
|
22
|
+
s.metadata = {
|
|
23
|
+
'source_code_uri' => 'https://github.com/sinatra/sinatra/tree/master/rack-protection',
|
|
24
|
+
'homepage_uri' => 'http://sinatrarb.com/protection/',
|
|
25
|
+
'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection'
|
|
26
|
+
}
|
|
27
|
+
else
|
|
28
|
+
raise <<-EOF
|
|
29
|
+
RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
|
|
30
|
+
gem install rubygems-update
|
|
31
|
+
update_rubygems:
|
|
32
|
+
gem update --system
|
|
33
|
+
EOF
|
|
34
|
+
end
|
|
35
|
+
|
|
21
36
|
# dependencies
|
|
22
37
|
s.add_dependency "rack"
|
|
23
38
|
s.add_development_dependency "rack-test"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- https://github.com/sinatra/sinatra/graphs/contributors
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-09-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -76,6 +76,7 @@ files:
|
|
|
76
76
|
- lib/rack/protection/ip_spoofing.rb
|
|
77
77
|
- lib/rack/protection/json_csrf.rb
|
|
78
78
|
- lib/rack/protection/path_traversal.rb
|
|
79
|
+
- lib/rack/protection/referrer_policy.rb
|
|
79
80
|
- lib/rack/protection/remote_referrer.rb
|
|
80
81
|
- lib/rack/protection/remote_token.rb
|
|
81
82
|
- lib/rack/protection/session_hijacking.rb
|
|
@@ -83,10 +84,13 @@ files:
|
|
|
83
84
|
- lib/rack/protection/version.rb
|
|
84
85
|
- lib/rack/protection/xss_header.rb
|
|
85
86
|
- rack-protection.gemspec
|
|
86
|
-
homepage: http://
|
|
87
|
+
homepage: http://sinatrarb.com/protection/
|
|
87
88
|
licenses:
|
|
88
89
|
- MIT
|
|
89
|
-
metadata:
|
|
90
|
+
metadata:
|
|
91
|
+
source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
|
|
92
|
+
homepage_uri: http://sinatrarb.com/protection/
|
|
93
|
+
documentation_uri: https://www.rubydoc.info/gems/rack-protection
|
|
90
94
|
post_install_message:
|
|
91
95
|
rdoc_options: []
|
|
92
96
|
require_paths:
|
|
@@ -102,8 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
102
106
|
- !ruby/object:Gem::Version
|
|
103
107
|
version: '0'
|
|
104
108
|
requirements: []
|
|
105
|
-
|
|
106
|
-
rubygems_version: 2.7.6
|
|
109
|
+
rubygems_version: 3.1.2
|
|
107
110
|
signing_key:
|
|
108
111
|
specification_version: 4
|
|
109
112
|
summary: Protect against typical web attacks, works with all Rack apps, including
|