rack-protection 2.0.5 → 3.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1645fb98ee14fc588d8d1ed5b84b003669c69e6d68c5947f0b11c6215bec4e8b
-  data.tar.gz: bb3ebec58b1470a0264350925c235717f8444174fe95b9d6b7d17588d115915a
+  metadata.gz: 7fef35d427c0ff406165fdf913c53089e65f94d759aaf5610aebd5ef0c43cd30
+  data.tar.gz: 4a458e4fada2015274bde82e4209bfe4c94618227fc7a2dc8df198258c1b7404
 SHA512:
-  metadata.gz: 3e602b265493bf03cf6745a4c862ed032ef4c99568fe4d32d2c5c86253e7b776e31c454e758ca38b31ea142aa315309e98081e096ba68405adf9d9c68746d929
-  data.tar.gz: 012d8b172cd4e18b78b8774a32c94c9a5e4d4b9af21ec1b40df2acf17e6ce74f91b27c60c06de02edf6eb5adeba3f1ccae191e483e7b6a172ff2e6b21805d5fd
+  metadata.gz: e8b1ba3b66ae172be989c43133f111fbe416706df83735f51aa785146242bbab8e55c5b0fa4667dff165ac462db518c1209f9957ec3bf95744da1dc4881cd5c9
+  data.tar.gz: cd46380780ad4c7078a6fc31f46cfaa6dda79bcbf2b47cf6e973592d85c35d4ef1c0bff5fee0b910e29e5cb579307447eae4d4c5880f2440586ee204a9d37da8

data/Gemfile

@@ -1,13 +1,17 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
 # encoding: utf-8
 
 gem 'rake'
 
 rack_version = ENV['rack'].to_s
-rack_version = nil if rack_version.empty? or rack_version == 'stable'
-rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+rack_version = nil if rack_version.empty? || (rack_version == 'stable')
+rack_version = { github: 'rack/rack' } if rack_version == 'main'
 gem 'rack', rack_version
 
 gem 'sinatra', path: '..'
 
 gemspec
+
+gem 'rack-test', github: 'rack/rack-test'

data/Rakefile

@@ -1,53 +1,55 @@
-# encoding: utf-8
-$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.expand_path('lib', __dir__)
 
 begin
   require 'bundler'
   Bundler::GemHelper.install_tasks
 rescue LoadError => e
-  $stderr.puts e
+  warn e
 end
 
-desc "run specs"
-task(:spec) { ruby '-S rspec spec' }
+desc 'run specs'
+task(:spec) { ruby '-S rspec' }
 
 namespace :doc do
   task :readmes do
     Dir.glob 'lib/rack/protection/*.rb' do |file|
       excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
       next if excluded_files.include?(file)
+
       doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
-      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
-      Dir.mkdir "doc" unless File.directory? "doc"
+      file = "doc/#{file[4..-4].tr('/_', '-')}.rdoc"
+      Dir.mkdir 'doc' unless File.directory? 'doc'
       puts "writing #{file}"
-      File.open(file, "w") { |f| f << doc }
+      File.open(file, 'w') { |f| f << doc }
     end
   end
 
   task :index do
-    doc = File.read("README.md")
-    file = "doc/rack-protection-readme.md"
-    Dir.mkdir "doc" unless File.directory? "doc"
+    doc = File.read('README.md')
+    file = 'doc/rack-protection-readme.md'
+    Dir.mkdir 'doc' unless File.directory? 'doc'
     puts "writing #{file}"
-    File.open(file, "w") { |f| f << doc }
+    File.open(file, 'w') { |f| f << doc }
   end
 
-  task :all => [:readmes, :index]
+  task all: %i[readmes index]
 end
 
-desc "generate documentation"
-task :doc => 'doc:all'
+desc 'generate documentation'
+task doc: 'doc:all'
 
-desc "generate gemspec"
+desc 'generate gemspec'
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
   content = File.binread 'rack-protection.gemspec'
 
   # fetch data
   fields = {
-    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
-    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
+    authors: `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    email: ['mail@zzak.io', 'konstantin.haase@gmail.com'],
+    files: %w[License README.md Rakefile Gemfile rack-protection.gemspec] + Dir['lib/**/*']
   }
 
   # insert data
@@ -67,6 +69,6 @@ task 'rack-protection.gemspec' do
   File.open('rack-protection.gemspec', 'w') { |f| f << content }
 end
 
-task :gemspec => 'rack-protection.gemspec'
-task :default => :spec
-task :test    => :spec
+task gemspec: 'rack-protection.gemspec'
+task default: :spec
+task test: :spec

data/lib/rack/protection/authenticity_token.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'securerandom'
+require 'openssl'
 require 'base64'
 
 module Rack
@@ -16,7 +19,10 @@ module Rack
     # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
     # data.
     #
-    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # It is not OOTB-compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # For that, the following patch needs to be applied:
+    #
+    #   Rack::Protection::AuthenticityToken.default_options(key: "csrf.token", authenticity_param: "_csrf")
     #
     # == Options
     #
@@ -24,6 +30,13 @@ module Rack
     #                                the token on a request. Default value:
     #                                <tt>"authenticity_token"</tt>
     #
+    # [<tt>:key</tt>] the name of the param that should contain
+    #                                the token in the session. Default value:
+    #                                <tt>:csrf</tt>
+    #
+    # [<tt>:allow_if</tt>] a proc for custom allow/deny logic. Default value:
+    #                                <tt>nil</tt>
+    #
     # == Example: Forms application
     #
     # To show what the AuthenticityToken does, this section includes a sample
@@ -63,7 +76,7 @@ module Rack
     #             <h1>With Authenticity Token</h1>
     #             <p>This successfully takes you to back to this form.</p>
     #             <form action="" method="post">
-    #               <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
+    #               <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
     #               <input type="text" name="foo" />
     #               <input type="submit" />
     #             </form>
@@ -84,42 +97,57 @@ module Rack
     class AuthenticityToken < Base
       TOKEN_LENGTH = 32
 
-      default_options :authenticity_param => 'authenticity_token',
-                      :allow_if => nil
+      default_options authenticity_param: 'authenticity_token',
+                      key: :csrf,
+                      allow_if: nil
 
-      def self.token(session)
-        self.new(nil).mask_authenticity_token(session)
+      def self.token(session, path: nil, method: :post)
+        new(nil).mask_authenticity_token(session, path: path, method: method)
       end
 
       def self.random_token
-        SecureRandom.base64(TOKEN_LENGTH)
+        SecureRandom.urlsafe_base64(TOKEN_LENGTH, padding: false)
       end
 
       def accepts?(env)
-        session = session env
+        session = session(env)
         set_token(session)
 
         safe?(env) ||
-          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
-          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
-          ( options[:allow_if] && options[:allow_if].call(env) )
+          valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(env, Request.new(env).params[options[:authenticity_param]]) ||
+          options[:allow_if]&.call(env)
+      rescue StandardError
+        false
       end
 
-      def mask_authenticity_token(session)
-        token = set_token(session)
+      def mask_authenticity_token(session, path: nil, method: :post)
+        set_token(session)
+
+        token = if path && method
+                  per_form_token(session, path, method)
+                else
+                  global_token(session)
+                end
+
         mask_token(token)
       end
 
+      GLOBAL_TOKEN_IDENTIFIER = '!real_csrf_token'
+      private_constant :GLOBAL_TOKEN_IDENTIFIER
+
       private
 
       def set_token(session)
-        session[:csrf] ||= self.class.random_token
+        session[options[:key]] ||= self.class.random_token
       end
 
       # Checks the client's masked token to see if it matches the
       # session token.
-      def valid_token?(session, token)
-        return false if token.nil? || token.empty?
+      def valid_token?(env, token)
+        return false if token.nil? || !token.is_a?(String) || token.empty?
+
+        session = session(env)
 
         begin
           token = decode_token(token)
@@ -131,13 +159,13 @@ module Rack
         # to handle any unmasked tokens that we've issued without error.
 
         if unmasked_token?(token)
-          compare_with_real_token token, session
-
+          compare_with_real_token(token, session)
         elsif masked_token?(token)
           token = unmask_token(token)
 
-          compare_with_real_token token, session
-
+          compare_with_global_token(token, session) ||
+            compare_with_real_token(token, session) ||
+            compare_with_per_form_token(token, session, Request.new(env))
         else
           false # Token is malformed
         end
@@ -147,7 +175,6 @@ module Rack
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
       def mask_token(token)
-        token = decode_token(token)
         one_time_pad = SecureRandom.random_bytes(token.length)
         encrypted_token = xor_byte_strings(one_time_pad, token)
         masked_token = one_time_pad + encrypted_token
@@ -160,7 +187,7 @@ module Rack
         # value and decrypt it
         token_length = masked_token.length / 2
         one_time_pad = masked_token[0...token_length]
-        encrypted_token = masked_token[token_length..-1]
+        encrypted_token = masked_token[token_length..]
         xor_byte_strings(one_time_pad, encrypted_token)
       end
 
@@ -176,20 +203,52 @@ module Rack
         secure_compare(token, real_token(session))
       end
 
+      def compare_with_global_token(token, session)
+        secure_compare(token, global_token(session))
+      end
+
+      def compare_with_per_form_token(token, session, request)
+        secure_compare(token,
+                       per_form_token(session, request.path.chomp('/'), request.request_method))
+      end
+
       def real_token(session)
-        decode_token(session[:csrf])
+        decode_token(session[options[:key]])
+      end
+
+      def global_token(session)
+        token_hmac(session, GLOBAL_TOKEN_IDENTIFIER)
+      end
+
+      def per_form_token(session, path, method)
+        token_hmac(session, "#{path}##{method.downcase}")
       end
 
       def encode_token(token)
-        Base64.strict_encode64(token)
+        Base64.urlsafe_encode64(token)
       end
 
       def decode_token(token)
-        Base64.strict_decode64(token)
+        Base64.urlsafe_decode64(token)
+      end
+
+      def token_hmac(session, identifier)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest.new('SHA256'),
+          real_token(session),
+          identifier
+        )
       end
 
       def xor_byte_strings(s1, s2)
-        s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'digest'
@@ -8,12 +10,12 @@ module Rack
   module Protection
     class Base
       DEFAULT_OPTIONS = {
-        :reaction    => :default_reaction, :logging   => true,
-        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
-        :session_key => 'rack.session',    :status    => 403,
-        :allow_empty_referrer => true,
-        :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml text/xml application/xml]
+        reaction: :default_reaction, logging: true,
+        message: 'Forbidden', encryptor: Digest::SHA1,
+        session_key: 'rack.session', status: 403,
+        allow_empty_referrer: true,
+        report_key: 'protection.failed',
+        html_types: %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options
@@ -31,7 +33,8 @@ module Rack
       end
 
       def initialize(app, options = {})
-        @app, @options = app, default_options.merge(options)
+        @app = app
+        @options = default_options.merge(options)
       end
 
       def safe?(env)
@@ -52,24 +55,26 @@ module Rack
 
       def react(env)
         result = send(options[:reaction], env)
-        result if Array === result and result.size == 3
+        result if (Array === result) && (result.size == 3)
       end
 
       def warn(env, message)
         return unless options[:logging]
+
         l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
         l.warn(message)
       end
 
       def instrument(env)
-        return unless i = options[:instrumenter]
+        return unless (i = options[:instrumenter])
+
         env['rack.protection.attack'] = self.class.name.split('::').last.downcase
         i.instrument('rack.protection', env)
       end
 
       def deny(env)
         warn env, "attack prevented by #{self.class}"
-        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+        [options[:status], { 'Content-Type' => 'text/plain' }, [options[:message]]]
       end
 
       def report(env)
@@ -83,7 +88,8 @@ module Rack
 
       def session(env)
         return env[options[:session_key]] if session? env
-        fail "you need to set up a session middleware *before* #{self.class}"
+
+        raise "you need to set up a session middleware *before* #{self.class}"
       end
 
       def drop_session(env)
@@ -92,7 +98,8 @@ module Rack
 
       def referrer(env)
         ref = env['HTTP_REFERER'].to_s
-        return if !options[:allow_empty_referrer] and ref.empty?
+        return if !options[:allow_empty_referrer] && ref.empty?
+
         URI.parse(ref).host || Request.new(env).host
       rescue URI::InvalidURIError
       end
@@ -102,7 +109,7 @@ module Rack
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+        secure ? SecureRandom.hex(16) : '%032x' % rand((2**128) - 1)
       rescue NotImplementedError
         random_string false
       end
@@ -118,8 +125,9 @@ module Rack
       alias default_reaction deny
 
       def html?(headers)
-        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
-        options[:html_types].include? header.last[/^\w+\/\w+/]
+        return false unless (header = headers.detect { |k, _v| k.downcase == 'content-type' })
+
+        options[:html_types].include? header.last[%r{^\w+/\w+}]
       end
     end
   end

data/lib/rack/protection/content_security_policy.rb

@@ -1,4 +1,5 @@
-# -*- coding: utf-8 -*-
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -36,19 +37,18 @@ module Rack
     #          to be used in a policy.
     #
     class ContentSecurityPolicy < Base
-      default_options default_src: :none, script_src: "'self'",
-                      img_src: "'self'", style_src: "'self'",
-                      connect_src: "'self'", report_only: false
+      default_options default_src: "'self'", report_only: false
 
-      DIRECTIVES = %i(base_uri child_src connect_src default_src
+      DIRECTIVES = %i[base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
-                      style_src worker_src).freeze
+                      style_src worker_src webrtc_src navigate_to
+                      prefetch_src].freeze
 
-      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
-                             upgrade_insecure_requests).freeze
+      NO_ARG_DIRECTIVES = %i[block_all_mixed_content disown_opener
+                             upgrade_insecure_requests].freeze
 
       def csp_policy
         directives = []
@@ -62,7 +62,7 @@ module Rack
         # Set these key values to boolean 'true' to include in policy
         NO_ARG_DIRECTIVES.each do |d|
           if options.key?(d) && options[d].is_a?(TrueClass)
-            directives << d.to_s.sub(/_/, '-')
+            directives << d.to_s.tr('_', '-')
           end
         end
 

data/lib/rack/protection/cookie_tossing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'pathname'
 
@@ -29,9 +31,8 @@ module Rack
         cookie_header = env['HTTP_COOKIE']
         cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
         cookies.each do |k, v|
-          if k == session_key && Array(v).size > 1
-            bad_cookies << k
-          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+          if (k == session_key && Array(v).size > 1) ||
+             (k != session_key && Rack::Utils.unescape(k) == session_key)
             bad_cookies << k
           end
         end
@@ -40,6 +41,7 @@ module Rack
 
       def remove_bad_cookies(request, response)
         return if bad_cookies.empty?
+
         paths = cookie_paths(request.path)
         bad_cookies.each do |name|
           paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
@@ -49,7 +51,7 @@ module Rack
       def redirect(env)
         request = Request.new(env)
         warn env, "attack prevented by #{self.class}"
-        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+        [302, { 'Content-Type' => 'text/html', 'Location' => request.path }, []]
       end
 
       def bad_cookies
@@ -64,7 +66,7 @@ module Rack
       end
 
       def empty_cookie(host, path)
-        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+        { value: '', domain: host, path: path, expires: Time.at(0) }
       end
 
       def session_key