rack-protection 2.0.3 → 3.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +7 -3
- data/Rakefile +24 -22
- data/lib/rack/protection/authenticity_token.rb +85 -26
- data/lib/rack/protection/base.rb +23 -15
- data/lib/rack/protection/content_security_policy.rb +9 -9
- data/lib/rack/protection/cookie_tossing.rb +7 -5
- data/lib/rack/protection/encrypted_cookie.rb +273 -0
- data/lib/rack/protection/encryptor.rb +62 -0
- data/lib/rack/protection/escaped_params.rb +14 -10
- data/lib/rack/protection/form_token.rb +3 -1
- data/lib/rack/protection/frame_options.rb +3 -1
- data/lib/rack/protection/http_origin.rb +11 -8
- data/lib/rack/protection/ip_spoofing.rb +7 -3
- data/lib/rack/protection/json_csrf.rb +6 -3
- data/lib/rack/protection/path_traversal.rb +12 -17
- data/lib/rack/protection/referrer_policy.rb +27 -0
- data/lib/rack/protection/remote_referrer.rb +2 -0
- data/lib/rack/protection/remote_token.rb +2 -0
- data/lib/rack/protection/session_hijacking.rb +8 -7
- data/lib/rack/protection/strict_transport.rb +4 -2
- data/lib/rack/protection/version.rb +3 -1
- data/lib/rack/protection/xss_header.rb +3 -1
- data/lib/rack/protection.rb +9 -2
- data/lib/rack-protection.rb +1 -1
- data/lib/rack_protection.rb +3 -0
- data/rack-protection.gemspec +35 -15
- metadata +23 -16
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'rack/protection'
|
2
4
|
|
3
5
|
module Rack
|
@@ -12,7 +14,7 @@ module Rack
|
|
12
14
|
# Options:
|
13
15
|
# xss_mode:: How the browser should prevent the attack (default: :block)
|
14
16
|
class XSSHeader < Base
|
15
|
-
default_options :
|
17
|
+
default_options xss_mode: :block, nosniff: true
|
16
18
|
|
17
19
|
def call(env)
|
18
20
|
status, headers, body = @app.call(env)
|
data/lib/rack/protection.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'rack/protection/version'
|
2
4
|
require 'rack'
|
3
5
|
|
@@ -7,6 +9,8 @@ module Rack
|
|
7
9
|
autoload :Base, 'rack/protection/base'
|
8
10
|
autoload :CookieTossing, 'rack/protection/cookie_tossing'
|
9
11
|
autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
|
12
|
+
autoload :Encryptor, 'rack/protection/encryptor'
|
13
|
+
autoload :EncryptedCookie, 'rack/protection/encrypted_cookie'
|
10
14
|
autoload :EscapedParams, 'rack/protection/escaped_params'
|
11
15
|
autoload :FormToken, 'rack/protection/form_token'
|
12
16
|
autoload :FrameOptions, 'rack/protection/frame_options'
|
@@ -14,6 +18,7 @@ module Rack
|
|
14
18
|
autoload :IPSpoofing, 'rack/protection/ip_spoofing'
|
15
19
|
autoload :JsonCsrf, 'rack/protection/json_csrf'
|
16
20
|
autoload :PathTraversal, 'rack/protection/path_traversal'
|
21
|
+
autoload :ReferrerPolicy, 'rack/protection/referrer_policy'
|
17
22
|
autoload :RemoteReferrer, 'rack/protection/remote_referrer'
|
18
23
|
autoload :RemoteToken, 'rack/protection/remote_token'
|
19
24
|
autoload :SessionHijacking, 'rack/protection/session_hijacking'
|
@@ -26,15 +31,17 @@ module Rack
|
|
26
31
|
use_these = Array options[:use]
|
27
32
|
|
28
33
|
if options.fetch(:without_session, false)
|
29
|
-
except += [
|
34
|
+
except += %i[session_hijacking remote_token]
|
30
35
|
end
|
31
36
|
|
32
37
|
Rack::Builder.new do
|
33
38
|
# Off by default, unless added
|
34
39
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
35
|
-
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
36
40
|
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
41
|
+
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
42
|
+
use ::Rack::Protection::EscapedParams, options if use_these.include? :escaped_params
|
37
43
|
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
44
|
+
use ::Rack::Protection::ReferrerPolicy, options if use_these.include? :referrer_policy
|
38
45
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
39
46
|
use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport
|
40
47
|
|
data/lib/rack-protection.rb
CHANGED
@@ -1 +1 @@
|
|
1
|
-
require
|
1
|
+
require 'rack/protection'
|
data/rack-protection.gemspec
CHANGED
@@ -1,25 +1,45 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
version = File.read(File.expand_path('../VERSION', __dir__)).strip
|
2
4
|
|
3
5
|
Gem::Specification.new do |s|
|
4
6
|
# general infos
|
5
|
-
s.name =
|
7
|
+
s.name = 'rack-protection'
|
6
8
|
s.version = version
|
7
|
-
s.description =
|
8
|
-
s.homepage =
|
9
|
+
s.description = 'Protect against typical web attacks, works with all Rack apps, including Rails.'
|
10
|
+
s.homepage = 'https://sinatrarb.com/protection/'
|
9
11
|
s.summary = s.description
|
10
12
|
s.license = 'MIT'
|
11
|
-
s.authors = [
|
12
|
-
s.email =
|
13
|
-
s.files = Dir[
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
13
|
+
s.authors = ['https://github.com/sinatra/sinatra/graphs/contributors']
|
14
|
+
s.email = 'sinatrarb@googlegroups.com'
|
15
|
+
s.files = Dir['lib/**/*.rb'] + [
|
16
|
+
'License',
|
17
|
+
'README.md',
|
18
|
+
'Rakefile',
|
19
|
+
'Gemfile',
|
20
|
+
'rack-protection.gemspec'
|
19
21
|
]
|
20
22
|
|
23
|
+
unless s.respond_to?(:metadata)
|
24
|
+
raise <<-WARN
|
25
|
+
RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
|
26
|
+
gem install rubygems-update
|
27
|
+
update_rubygems:
|
28
|
+
gem update --system
|
29
|
+
WARN
|
30
|
+
end
|
31
|
+
|
32
|
+
s.metadata = {
|
33
|
+
'source_code_uri' => 'https://github.com/sinatra/sinatra/tree/main/rack-protection',
|
34
|
+
'homepage_uri' => 'http://sinatrarb.com/protection/',
|
35
|
+
'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection',
|
36
|
+
'rubygems_mfa_required' => 'true'
|
37
|
+
}
|
38
|
+
|
39
|
+
s.required_ruby_version = '>= 2.6.0'
|
40
|
+
|
21
41
|
# dependencies
|
22
|
-
s.add_dependency
|
23
|
-
s.add_development_dependency
|
24
|
-
s.add_development_dependency
|
42
|
+
s.add_dependency 'rack'
|
43
|
+
s.add_development_dependency 'rack-test', '~> 2'
|
44
|
+
s.add_development_dependency 'rspec', '~> 3'
|
25
45
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-protection
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 3.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- https://github.com/sinatra/sinatra/graphs/contributors
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-04-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
@@ -28,30 +28,30 @@ dependencies:
|
|
28
28
|
name: rack-test
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
|
-
- - "
|
31
|
+
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
33
|
+
version: '2'
|
34
34
|
type: :development
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
|
-
- - "
|
38
|
+
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
40
|
+
version: '2'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rspec
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
45
|
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: '3
|
47
|
+
version: '3'
|
48
48
|
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: '3
|
54
|
+
version: '3'
|
55
55
|
description: Protect against typical web attacks, works with all Rack apps, including
|
56
56
|
Rails.
|
57
57
|
email: sinatrarb@googlegroups.com
|
@@ -69,6 +69,8 @@ files:
|
|
69
69
|
- lib/rack/protection/base.rb
|
70
70
|
- lib/rack/protection/content_security_policy.rb
|
71
71
|
- lib/rack/protection/cookie_tossing.rb
|
72
|
+
- lib/rack/protection/encrypted_cookie.rb
|
73
|
+
- lib/rack/protection/encryptor.rb
|
72
74
|
- lib/rack/protection/escaped_params.rb
|
73
75
|
- lib/rack/protection/form_token.rb
|
74
76
|
- lib/rack/protection/frame_options.rb
|
@@ -76,18 +78,24 @@ files:
|
|
76
78
|
- lib/rack/protection/ip_spoofing.rb
|
77
79
|
- lib/rack/protection/json_csrf.rb
|
78
80
|
- lib/rack/protection/path_traversal.rb
|
81
|
+
- lib/rack/protection/referrer_policy.rb
|
79
82
|
- lib/rack/protection/remote_referrer.rb
|
80
83
|
- lib/rack/protection/remote_token.rb
|
81
84
|
- lib/rack/protection/session_hijacking.rb
|
82
85
|
- lib/rack/protection/strict_transport.rb
|
83
86
|
- lib/rack/protection/version.rb
|
84
87
|
- lib/rack/protection/xss_header.rb
|
88
|
+
- lib/rack_protection.rb
|
85
89
|
- rack-protection.gemspec
|
86
|
-
homepage:
|
90
|
+
homepage: https://sinatrarb.com/protection/
|
87
91
|
licenses:
|
88
92
|
- MIT
|
89
|
-
metadata:
|
90
|
-
|
93
|
+
metadata:
|
94
|
+
source_code_uri: https://github.com/sinatra/sinatra/tree/main/rack-protection
|
95
|
+
homepage_uri: http://sinatrarb.com/protection/
|
96
|
+
documentation_uri: https://www.rubydoc.info/gems/rack-protection
|
97
|
+
rubygems_mfa_required: 'true'
|
98
|
+
post_install_message:
|
91
99
|
rdoc_options: []
|
92
100
|
require_paths:
|
93
101
|
- lib
|
@@ -95,16 +103,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
95
103
|
requirements:
|
96
104
|
- - ">="
|
97
105
|
- !ruby/object:Gem::Version
|
98
|
-
version:
|
106
|
+
version: 2.6.0
|
99
107
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
100
108
|
requirements:
|
101
109
|
- - ">="
|
102
110
|
- !ruby/object:Gem::Version
|
103
111
|
version: '0'
|
104
112
|
requirements: []
|
105
|
-
|
106
|
-
|
107
|
-
signing_key:
|
113
|
+
rubygems_version: 3.4.10
|
114
|
+
signing_key:
|
108
115
|
specification_version: 4
|
109
116
|
summary: Protect against typical web attacks, works with all Rack apps, including
|
110
117
|
Rails.
|