rack-protection 2.0.5 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/rack/protection.rb +4 -1
- data/lib/rack/protection/authenticity_token.rb +9 -2
- data/lib/rack/protection/content_security_policy.rb +4 -5
- data/lib/rack/protection/http_origin.rb +11 -4
- data/lib/rack/protection/path_traversal.rb +4 -12
- data/lib/rack/protection/referrer_policy.rb +25 -0
- data/lib/rack/protection/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
|
|
4
|
+
data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
|
|
7
|
+
data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59
|
data/lib/rack/protection.rb
CHANGED
|
@@ -14,6 +14,7 @@ module Rack
|
|
|
14
14
|
autoload :IPSpoofing, 'rack/protection/ip_spoofing'
|
|
15
15
|
autoload :JsonCsrf, 'rack/protection/json_csrf'
|
|
16
16
|
autoload :PathTraversal, 'rack/protection/path_traversal'
|
|
17
|
+
autoload :ReferrerPolicy, 'rack/protection/referrer_policy'
|
|
17
18
|
autoload :RemoteReferrer, 'rack/protection/remote_referrer'
|
|
18
19
|
autoload :RemoteToken, 'rack/protection/remote_token'
|
|
19
20
|
autoload :SessionHijacking, 'rack/protection/session_hijacking'
|
|
@@ -32,9 +33,11 @@ module Rack
|
|
|
32
33
|
Rack::Builder.new do
|
|
33
34
|
# Off by default, unless added
|
|
34
35
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
|
35
|
-
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
|
36
36
|
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
|
37
|
+
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
|
38
|
+
use ::Rack::Protection::EscapedParams, options if use_these.include? :escaped_params
|
|
37
39
|
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
|
40
|
+
use ::Rack::Protection::ReferrerPolicy, options if use_these.include? :referrer_policy
|
|
38
41
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
|
39
42
|
use ::Rack::Protection::StrictTransport, options if use_these.include? :strict_transport
|
|
40
43
|
|
|
@@ -63,7 +63,7 @@ module Rack
|
|
|
63
63
|
# <h1>With Authenticity Token</h1>
|
|
64
64
|
# <p>This successfully takes you to back to this form.</p>
|
|
65
65
|
# <form action="" method="post">
|
|
66
|
-
# <input type="hidden" name="authenticity_token" value="#{env['rack.session']
|
|
66
|
+
# <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
|
|
67
67
|
# <input type="text" name="foo" />
|
|
68
68
|
# <input type="submit" />
|
|
69
69
|
# </form>
|
|
@@ -189,7 +189,14 @@ module Rack
|
|
|
189
189
|
end
|
|
190
190
|
|
|
191
191
|
def xor_byte_strings(s1, s2)
|
|
192
|
-
|
|
192
|
+
s2 = s2.dup
|
|
193
|
+
size = s1.bytesize
|
|
194
|
+
i = 0
|
|
195
|
+
while i < size
|
|
196
|
+
s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
|
|
197
|
+
i += 1
|
|
198
|
+
end
|
|
199
|
+
s2
|
|
193
200
|
end
|
|
194
201
|
end
|
|
195
202
|
end
|
|
@@ -36,16 +36,15 @@ module Rack
|
|
|
36
36
|
# to be used in a policy.
|
|
37
37
|
#
|
|
38
38
|
class ContentSecurityPolicy < Base
|
|
39
|
-
default_options default_src:
|
|
40
|
-
img_src: "'self'", style_src: "'self'",
|
|
41
|
-
connect_src: "'self'", report_only: false
|
|
39
|
+
default_options default_src: "'self'", report_only: false
|
|
42
40
|
|
|
43
41
|
DIRECTIVES = %i(base_uri child_src connect_src default_src
|
|
44
42
|
font_src form_action frame_ancestors frame_src
|
|
45
43
|
img_src manifest_src media_src object_src
|
|
46
44
|
plugin_types referrer reflected_xss report_to
|
|
47
45
|
report_uri require_sri_for sandbox script_src
|
|
48
|
-
style_src worker_src
|
|
46
|
+
style_src worker_src webrtc_src navigate_to
|
|
47
|
+
prefetch_src).freeze
|
|
49
48
|
|
|
50
49
|
NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
|
|
51
50
|
upgrade_insecure_requests).freeze
|
|
@@ -62,7 +61,7 @@ module Rack
|
|
|
62
61
|
# Set these key values to boolean 'true' to include in policy
|
|
63
62
|
NO_ARG_DIRECTIVES.each do |d|
|
|
64
63
|
if options.key?(d) && options[d].is_a?(TrueClass)
|
|
65
|
-
directives << d.to_s.
|
|
64
|
+
directives << d.to_s.tr('_', '-')
|
|
66
65
|
end
|
|
67
66
|
end
|
|
68
67
|
|
|
@@ -9,11 +9,11 @@ module Rack
|
|
|
9
9
|
# http://tools.ietf.org/html/draft-abarth-origin
|
|
10
10
|
#
|
|
11
11
|
# Does not accept unsafe HTTP requests when value of Origin HTTP request header
|
|
12
|
-
# does not match default or
|
|
12
|
+
# does not match default or permitted URIs.
|
|
13
13
|
#
|
|
14
|
-
# If you want to
|
|
14
|
+
# If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
|
|
15
15
|
#
|
|
16
|
-
# use Rack::Protection,
|
|
16
|
+
# use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
|
|
17
17
|
#
|
|
18
18
|
# The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
|
|
19
19
|
class HttpOrigin < Base
|
|
@@ -32,7 +32,14 @@ module Rack
|
|
|
32
32
|
return true unless origin = env['HTTP_ORIGIN']
|
|
33
33
|
return true if base_url(env) == origin
|
|
34
34
|
return true if options[:allow_if] && options[:allow_if].call(env)
|
|
35
|
-
|
|
35
|
+
|
|
36
|
+
if options.key? :origin_whitelist
|
|
37
|
+
warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
|
|
38
|
+
"use permitted_origins instead.\n"
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
|
|
42
|
+
Array(permitted_origins).include? origin
|
|
36
43
|
end
|
|
37
44
|
|
|
38
45
|
end
|
|
@@ -19,18 +19,10 @@ module Rack
|
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
def cleanup(path)
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
slash = '/'.encode(encoding)
|
|
27
|
-
backslash = '\\'.encode(encoding)
|
|
28
|
-
else
|
|
29
|
-
# Ruby 1.8
|
|
30
|
-
dot = '.'
|
|
31
|
-
slash = '/'
|
|
32
|
-
backslash = '\\'
|
|
33
|
-
end
|
|
22
|
+
encoding = path.encoding
|
|
23
|
+
dot = '.'.encode(encoding)
|
|
24
|
+
slash = '/'.encode(encoding)
|
|
25
|
+
backslash = '\\'.encode(encoding)
|
|
34
26
|
|
|
35
27
|
parts = []
|
|
36
28
|
unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
require 'rack/protection'
|
|
2
|
+
|
|
3
|
+
module Rack
|
|
4
|
+
module Protection
|
|
5
|
+
##
|
|
6
|
+
# Prevented attack:: Secret leakage, third party tracking
|
|
7
|
+
# Supported browsers:: mixed support
|
|
8
|
+
# More infos:: https://www.w3.org/TR/referrer-policy/
|
|
9
|
+
# https://caniuse.com/#search=referrer-policy
|
|
10
|
+
#
|
|
11
|
+
# Sets Referrer-Policy header to tell the browser to limit the Referer header.
|
|
12
|
+
#
|
|
13
|
+
# Options:
|
|
14
|
+
# referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
|
|
15
|
+
class ReferrerPolicy < Base
|
|
16
|
+
default_options :referrer_policy => 'strict-origin-when-cross-origin'
|
|
17
|
+
|
|
18
|
+
def call(env)
|
|
19
|
+
status, headers, body = @app.call(env)
|
|
20
|
+
headers['Referrer-Policy'] ||= options[:referrer_policy]
|
|
21
|
+
[status, headers, body]
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- https://github.com/sinatra/sinatra/graphs/contributors
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-09-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -76,6 +76,7 @@ files:
|
|
|
76
76
|
- lib/rack/protection/ip_spoofing.rb
|
|
77
77
|
- lib/rack/protection/json_csrf.rb
|
|
78
78
|
- lib/rack/protection/path_traversal.rb
|
|
79
|
+
- lib/rack/protection/referrer_policy.rb
|
|
79
80
|
- lib/rack/protection/remote_referrer.rb
|
|
80
81
|
- lib/rack/protection/remote_token.rb
|
|
81
82
|
- lib/rack/protection/session_hijacking.rb
|
|
@@ -105,8 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
105
106
|
- !ruby/object:Gem::Version
|
|
106
107
|
version: '0'
|
|
107
108
|
requirements: []
|
|
108
|
-
|
|
109
|
-
rubygems_version: 2.7.6
|
|
109
|
+
rubygems_version: 3.1.2
|
|
110
110
|
signing_key:
|
|
111
111
|
specification_version: 4
|
|
112
112
|
summary: Protect against typical web attacks, works with all Rack apps, including
|