rack-protection 2.0.3 → 3.0.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +7 -3
- data/Rakefile +24 -22
- data/lib/rack/protection/authenticity_token.rb +85 -26
- data/lib/rack/protection/base.rb +23 -15
- data/lib/rack/protection/content_security_policy.rb +9 -9
- data/lib/rack/protection/cookie_tossing.rb +7 -5
- data/lib/rack/protection/encrypted_cookie.rb +273 -0
- data/lib/rack/protection/encryptor.rb +62 -0
- data/lib/rack/protection/escaped_params.rb +14 -10
- data/lib/rack/protection/form_token.rb +3 -1
- data/lib/rack/protection/frame_options.rb +3 -1
- data/lib/rack/protection/http_origin.rb +11 -8
- data/lib/rack/protection/ip_spoofing.rb +7 -3
- data/lib/rack/protection/json_csrf.rb +6 -3
- data/lib/rack/protection/path_traversal.rb +12 -17
- data/lib/rack/protection/referrer_policy.rb +27 -0
- data/lib/rack/protection/remote_referrer.rb +2 -0
- data/lib/rack/protection/remote_token.rb +2 -0
- data/lib/rack/protection/session_hijacking.rb +8 -7
- data/lib/rack/protection/strict_transport.rb +4 -2
- data/lib/rack/protection/version.rb +3 -1
- data/lib/rack/protection/xss_header.rb +3 -1
- data/lib/rack/protection.rb +9 -2
- data/lib/rack-protection.rb +1 -1
- data/lib/rack_protection.rb +3 -0
- data/rack-protection.gemspec +35 -15
- metadata +23 -16
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'rack/protection'
|
2
4
|
|
3
5
|
module Rack
|
@@ -12,7 +14,7 @@ module Rack
|
|
12
14
|
# Options:
|
13
15
|
# xss_mode:: How the browser should prevent the attack (default: :block)
|
14
16
|
class XSSHeader < Base
|
15
|
-
default_options :
|
17
|
+
default_options xss_mode: :block, nosniff: true
|
16
18
|
|
17
19
|
def call(env)
|
18
20
|
status, headers, body = @app.call(env)
|
data/lib/rack/protection.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'rack/protection/version'
|
2
4
|
require 'rack'
|
3
5
|
|
@@ -7,6 +9,8 @@ module Rack
|
|
7
9
|
autoload :Base, 'rack/protection/base'
|
8
10
|
autoload :CookieTossing, 'rack/protection/cookie_tossing'
|
9
11
|
autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
|
12
|
+
autoload :Encryptor, 'rack/protection/encryptor'
|
13
|
+
autoload :EncryptedCookie, 'rack/protection/encrypted_cookie'
|
10
14
|
autoload :EscapedParams, 'rack/protection/escaped_params'
|
11
15
|
autoload :FormToken, 'rack/protection/form_token'
|
12
16
|
autoload :FrameOptions, 'rack/protection/frame_options'
|
@@ -14,6 +18,7 @@ module Rack
|
|
14
18
|
autoload :IPSpoofing, 'rack/protection/ip_spoofing'
|
15
19
|
autoload :JsonCsrf, 'rack/protection/json_csrf'
|
16
20
|
autoload :PathTraversal, 'rack/protection/path_traversal'
|
21
|
+
autoload :ReferrerPolicy, 'rack/protection/referrer_policy'
|
17
22
|
autoload :RemoteReferrer, 'rack/protection/remote_referrer'
|
18
23
|
autoload :RemoteToken, 'rack/protection/remote_token'
|
19
24
|
autoload :SessionHijacking, 'rack/protection/session_hijacking'
|
@@ -26,15 +31,17 @@ module Rack
|
|
26
31
|
use_these = Array options[:use]
|
27
32
|
|
28
33
|
if options.fetch(:without_session, false)
|
29
|
-
except += [
|
34
|
+
except += %i[session_hijacking remote_token]
|
30
35
|
end
|
31
36
|
|
32
37
|
Rack::Builder.new do
|
33
38
|
# Off by default, unless added
|
34
39
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
35
|
-
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
36
40
|
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
41
|
+
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
42
|
+
use ::Rack::Protection::EscapedParams, options if use_these.include? :escaped_params
|
37
43
|
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
44
|
+
use ::Rack::Protection::ReferrerPolicy, options if use_these.include? :referrer_policy
|
38
45
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
39
46
|
use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport
|
40
47
|
|
data/lib/rack-protection.rb
CHANGED
@@ -1 +1 @@
|
|
1
|
-
require
|
1
|
+
require 'rack/protection'
|
data/rack-protection.gemspec
CHANGED
@@ -1,25 +1,45 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
version = File.read(File.expand_path('../VERSION', __dir__)).strip
|
2
4
|
|
3
5
|
Gem::Specification.new do |s|
|
4
6
|
# general infos
|
5
|
-
s.name =
|
7
|
+
s.name = 'rack-protection'
|
6
8
|
s.version = version
|
7
|
-
s.description =
|
8
|
-
s.homepage =
|
9
|
+
s.description = 'Protect against typical web attacks, works with all Rack apps, including Rails.'
|
10
|
+
s.homepage = 'https://sinatrarb.com/protection/'
|
9
11
|
s.summary = s.description
|
10
12
|
s.license = 'MIT'
|
11
|
-
s.authors = [
|
12
|
-
s.email =
|
13
|
-
s.files = Dir[
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
13
|
+
s.authors = ['https://github.com/sinatra/sinatra/graphs/contributors']
|
14
|
+
s.email = 'sinatrarb@googlegroups.com'
|
15
|
+
s.files = Dir['lib/**/*.rb'] + [
|
16
|
+
'License',
|
17
|
+
'README.md',
|
18
|
+
'Rakefile',
|
19
|
+
'Gemfile',
|
20
|
+
'rack-protection.gemspec'
|
19
21
|
]
|
20
22
|
|
23
|
+
unless s.respond_to?(:metadata)
|
24
|
+
raise <<-WARN
|
25
|
+
RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
|
26
|
+
gem install rubygems-update
|
27
|
+
update_rubygems:
|
28
|
+
gem update --system
|
29
|
+
WARN
|
30
|
+
end
|
31
|
+
|
32
|
+
s.metadata = {
|
33
|
+
'source_code_uri' => 'https://github.com/sinatra/sinatra/tree/main/rack-protection',
|
34
|
+
'homepage_uri' => 'http://sinatrarb.com/protection/',
|
35
|
+
'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection',
|
36
|
+
'rubygems_mfa_required' => 'true'
|
37
|
+
}
|
38
|
+
|
39
|
+
s.required_ruby_version = '>= 2.6.0'
|
40
|
+
|
21
41
|
# dependencies
|
22
|
-
s.add_dependency
|
23
|
-
s.add_development_dependency
|
24
|
-
s.add_development_dependency
|
42
|
+
s.add_dependency 'rack'
|
43
|
+
s.add_development_dependency 'rack-test', '~> 2'
|
44
|
+
s.add_development_dependency 'rspec', '~> 3'
|
25
45
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-protection
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 3.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- https://github.com/sinatra/sinatra/graphs/contributors
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-04-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -28,30 +28,30 @@ dependencies:
|
|
28
28
|
name: rack-test
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
|
-
- - "
|
31
|
+
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
33
|
+
version: '2'
|
34
34
|
type: :development
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
|
-
- - "
|
38
|
+
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
40
|
+
version: '2'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rspec
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
45
|
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: '3
|
47
|
+
version: '3'
|
48
48
|
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: '3
|
54
|
+
version: '3'
|
55
55
|
description: Protect against typical web attacks, works with all Rack apps, including
|
56
56
|
Rails.
|
57
57
|
email: sinatrarb@googlegroups.com
|
@@ -69,6 +69,8 @@ files:
|
|
69
69
|
- lib/rack/protection/base.rb
|
70
70
|
- lib/rack/protection/content_security_policy.rb
|
71
71
|
- lib/rack/protection/cookie_tossing.rb
|
72
|
+
- lib/rack/protection/encrypted_cookie.rb
|
73
|
+
- lib/rack/protection/encryptor.rb
|
72
74
|
- lib/rack/protection/escaped_params.rb
|
73
75
|
- lib/rack/protection/form_token.rb
|
74
76
|
- lib/rack/protection/frame_options.rb
|
@@ -76,18 +78,24 @@ files:
|
|
76
78
|
- lib/rack/protection/ip_spoofing.rb
|
77
79
|
- lib/rack/protection/json_csrf.rb
|
78
80
|
- lib/rack/protection/path_traversal.rb
|
81
|
+
- lib/rack/protection/referrer_policy.rb
|
79
82
|
- lib/rack/protection/remote_referrer.rb
|
80
83
|
- lib/rack/protection/remote_token.rb
|
81
84
|
- lib/rack/protection/session_hijacking.rb
|
82
85
|
- lib/rack/protection/strict_transport.rb
|
83
86
|
- lib/rack/protection/version.rb
|
84
87
|
- lib/rack/protection/xss_header.rb
|
88
|
+
- lib/rack_protection.rb
|
85
89
|
- rack-protection.gemspec
|
86
|
-
homepage:
|
90
|
+
homepage: https://sinatrarb.com/protection/
|
87
91
|
licenses:
|
88
92
|
- MIT
|
89
|
-
metadata:
|
90
|
-
|
93
|
+
metadata:
|
94
|
+
source_code_uri: https://github.com/sinatra/sinatra/tree/main/rack-protection
|
95
|
+
homepage_uri: http://sinatrarb.com/protection/
|
96
|
+
documentation_uri: https://www.rubydoc.info/gems/rack-protection
|
97
|
+
rubygems_mfa_required: 'true'
|
98
|
+
post_install_message:
|
91
99
|
rdoc_options: []
|
92
100
|
require_paths:
|
93
101
|
- lib
|
@@ -95,16 +103,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
95
103
|
requirements:
|
96
104
|
- - ">="
|
97
105
|
- !ruby/object:Gem::Version
|
98
|
-
version:
|
106
|
+
version: 2.6.0
|
99
107
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
100
108
|
requirements:
|
101
109
|
- - ">="
|
102
110
|
- !ruby/object:Gem::Version
|
103
111
|
version: '0'
|
104
112
|
requirements: []
|
105
|
-
|
106
|
-
|
107
|
-
signing_key:
|
113
|
+
rubygems_version: 3.4.10
|
114
|
+
signing_key:
|
108
115
|
specification_version: 4
|
109
116
|
summary: Protect against typical web attacks, works with all Rack apps, including
|
110
117
|
Rails.
|