rack-protection 2.0.7

data/lib/rack/protection/base.rb

@@ -0,0 +1,126 @@
+require 'rack/protection'
+require 'rack/utils'
+require 'digest'
+require 'logger'
+require 'uri'
+
+module Rack
+  module Protection
+    class Base
+      DEFAULT_OPTIONS = {
+        :reaction    => :default_reaction, :logging   => true,
+        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
+        :session_key => 'rack.session',    :status    => 403,
+        :allow_empty_referrer => true,
+        :report_key           => "protection.failed",
+        :html_types           => %w[text/html application/xhtml text/xml application/xml]
+      }
+
+      attr_reader :app, :options
+
+      def self.default_options(options)
+        define_method(:default_options) { super().merge(options) }
+      end
+
+      def self.default_reaction(reaction)
+        alias_method(:default_reaction, reaction)
+      end
+
+      def default_options
+        DEFAULT_OPTIONS
+      end
+
+      def initialize(app, options = {})
+        @app, @options = app, default_options.merge(options)
+      end
+
+      def safe?(env)
+        %w[GET HEAD OPTIONS TRACE].include? env['REQUEST_METHOD']
+      end
+
+      def accepts?(env)
+        raise NotImplementedError, "#{self.class} implementation pending"
+      end
+
+      def call(env)
+        unless accepts? env
+          instrument env
+          result = react env
+        end
+        result or app.call(env)
+      end
+
+      def react(env)
+        result = send(options[:reaction], env)
+        result if Array === result and result.size == 3
+      end
+
+      def warn(env, message)
+        return unless options[:logging]
+        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
+        l.warn(message)
+      end
+
+      def instrument(env)
+        return unless i = options[:instrumenter]
+        env['rack.protection.attack'] = self.class.name.split('::').last.downcase
+        i.instrument('rack.protection', env)
+      end
+
+      def deny(env)
+        warn env, "attack prevented by #{self.class}"
+        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+      end
+
+      def report(env)
+        warn env, "attack reported by #{self.class}"
+        env[options[:report_key]] = true
+      end
+
+      def session?(env)
+        env.include? options[:session_key]
+      end
+
+      def session(env)
+        return env[options[:session_key]] if session? env
+        fail "you need to set up a session middleware *before* #{self.class}"
+      end
+
+      def drop_session(env)
+        session(env).clear if session? env
+      end
+
+      def referrer(env)
+        ref = env['HTTP_REFERER'].to_s
+        return if !options[:allow_empty_referrer] and ref.empty?
+        URI.parse(ref).host || Request.new(env).host
+      rescue URI::InvalidURIError
+      end
+
+      def origin(env)
+        env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
+      end
+
+      def random_string(secure = defined? SecureRandom)
+        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+      rescue NotImplementedError
+        random_string false
+      end
+
+      def encrypt(value)
+        options[:encryptor].hexdigest value.to_s
+      end
+
+      def secure_compare(a, b)
+        Rack::Utils.secure_compare(a.to_s, b.to_s)
+      end
+
+      alias default_reaction deny
+
+      def html?(headers)
+        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
+        options[:html_types].include? header.last[/^\w+\/\w+/]
+      end
+    end
+  end
+end

data/lib/rack/protection/content_security_policy.rb

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS and others
+    # Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
+    #
+    # Description:: Content Security Policy, a mechanism web applications
+    #               can use to mitigate a broad class of content injection
+    #               vulnerabilities, such as cross-site scripting (XSS).
+    #               Content Security Policy is a declarative policy that lets
+    #               the authors (or server administrators) of a web application
+    #               inform the client about the sources from which the
+    #               application expects to load resources.
+    #
+    # More info::   W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
+    #               W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
+    #               W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
+    #               https://developer.mozilla.org/en-US/docs/Web/Security/CSP
+    #               http://caniuse.com/#search=ContentSecurityPolicy
+    #               http://content-security-policy.com/
+    #               https://securityheaders.io
+    #               https://scotthelme.co.uk/csp-cheat-sheet/
+    #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+    #
+    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    #
+    # Options: ContentSecurityPolicy configuration is a complex topic with
+    #          several levels of support that has evolved over time.
+    #          See the W3C documentation and the links in the more info
+    #          section for CSP usage examples and best practices. The
+    #          CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
+    #          presented in the options hash with a boolean 'true' in order
+    #          to be used in a policy.
+    #
+    class ContentSecurityPolicy < Base
+      default_options default_src: :none, script_src: "'self'",
+                      img_src: "'self'", style_src: "'self'",
+                      connect_src: "'self'", report_only: false
+
+      DIRECTIVES = %i(base_uri child_src connect_src default_src
+                      font_src form_action frame_ancestors frame_src
+                      img_src manifest_src media_src object_src
+                      plugin_types referrer reflected_xss report_to
+                      report_uri require_sri_for sandbox script_src
+                      style_src worker_src).freeze
+
+      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
+                             upgrade_insecure_requests).freeze
+
+      def csp_policy
+        directives = []
+
+        DIRECTIVES.each do |d|
+          if options.key?(d)
+            directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
+          end
+        end
+
+        # Set these key values to boolean 'true' to include in policy
+        NO_ARG_DIRECTIVES.each do |d|
+          if options.key?(d) && options[d].is_a?(TrueClass)
+            directives << d.to_s.sub(/_/, '-')
+          end
+        end
+
+        directives.compact.sort.join('; ')
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        headers[header] ||= csp_policy if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/cookie_tossing.rb

@@ -0,0 +1,75 @@
+require 'rack/protection'
+require 'pathname'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Cookie Tossing
+    # Supported browsers:: all
+    # More infos::         https://github.com/blog/1466-yummy-cookies-across-domains
+    #
+    # Does not accept HTTP requests if the HTTP_COOKIE header contains more than one
+    # session cookie. This does not protect against a cookie overflow attack.
+    #
+    # Options:
+    #
+    # session_key:: The name of the session cookie (default: 'rack.session')
+    class CookieTossing < Base
+      default_reaction :deny
+
+      def call(env)
+        status, headers, body = super
+        response = Rack::Response.new(body, status, headers)
+        request = Rack::Request.new(env)
+        remove_bad_cookies(request, response)
+        response.finish
+      end
+
+      def accepts?(env)
+        cookie_header = env['HTTP_COOKIE']
+        cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
+        cookies.each do |k, v|
+          if k == session_key && Array(v).size > 1
+            bad_cookies << k
+          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+            bad_cookies << k
+          end
+        end
+        bad_cookies.empty?
+      end
+
+      def remove_bad_cookies(request, response)
+        return if bad_cookies.empty?
+        paths = cookie_paths(request.path)
+        bad_cookies.each do |name|
+          paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
+        end
+      end
+
+      def redirect(env)
+        request = Request.new(env)
+        warn env, "attack prevented by #{self.class}"
+        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+      end
+
+      def bad_cookies
+        @bad_cookies ||= []
+      end
+
+      def cookie_paths(path)
+        path = '/' if path.to_s.empty?
+        paths = []
+        Pathname.new(path).descend { |p| paths << p.to_s }
+        paths
+      end
+
+      def empty_cookie(host, path)
+        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+      end
+
+      def session_key
+        @session_key ||= options[:session_key]
+      end
+    end
+  end
+end

data/lib/rack/protection/escaped_params.rb

@@ -0,0 +1,89 @@
+require 'rack/protection'
+require 'rack/utils'
+require 'tempfile'
+
+begin
+  require 'escape_utils'
+rescue LoadError
+end
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
+    #
+    # Automatically escapes Rack::Request#params so they can be embedded in HTML
+    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
+    # strings if defined, to avoid double-escaping in Rails.
+    #
+    # Options:
+    # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
+    #          Available: :html (default), :javascript, :url
+    class EscapedParams < Base
+      extend Rack::Utils
+
+      class << self
+        alias escape_url escape
+        public :escape_html
+      end
+
+      default_options :escape => :html,
+        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
+
+      def initialize(*)
+        super
+
+        modes       = Array options[:escape]
+        @escaper    = options[:escaper]
+        @html       = modes.include? :html
+        @javascript = modes.include? :javascript
+        @url        = modes.include? :url
+
+        if @javascript and not @escaper.respond_to? :escape_javascript
+          fail("Use EscapeUtils for JavaScript escaping.")
+        end
+      end
+
+      def call(env)
+        request  = Request.new(env)
+        get_was  = handle(request.GET)
+        post_was = handle(request.POST) rescue nil
+        app.call env
+      ensure
+        request.GET.replace  get_was  if get_was
+        request.POST.replace post_was if post_was
+      end
+
+      def handle(hash)
+        was = hash.dup
+        hash.replace escape(hash)
+        was
+      end
+
+      def escape(object)
+        case object
+        when Hash   then escape_hash(object)
+        when Array  then object.map { |o| escape(o) }
+        when String then escape_string(object)
+        when Tempfile then object
+        else nil
+        end
+      end
+
+      def escape_hash(hash)
+        hash = hash.dup
+        hash.each { |k,v| hash[k] = escape(v) }
+        hash
+      end
+
+      def escape_string(str)
+        str = @escaper.escape_url(str)        if @url
+        str = @escaper.escape_html(str)       if @html
+        str = @escaper.escape_javascript(str) if @javascript
+        str
+      end
+    end
+  end
+end

data/lib/rack/protection/form_token.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts submitted forms if a given access token matches the token
+    # included in the session. Does not expect such a token from Ajax request.
+    #
+    # This middleware is not used when using the Rack::Protection collection,
+    # since it might be a security issue, depending on your application
+    #
+    # Compatible with rack-csrf.
+    class FormToken < AuthenticityToken
+      def accepts?(env)
+        env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super
+      end
+    end
+  end
+end

data/lib/rack/protection/frame_options.rb

@@ -0,0 +1,37 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Clickjacking
+    # Supported browsers:: Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
+    #                      Safari 4.0, Chrome 4.1.249.1042 and later
+    # More infos::         https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+    #
+    # Sets X-Frame-Options header to tell the browser avoid embedding the page
+    # in a frame.
+    #
+    # Options:
+    #
+    # frame_options:: Defines who should be allowed to embed the page in a
+    #                 frame. Use :deny to forbid any embedding, :sameorigin
+    #                 to allow embedding from the same origin (default).
+    class FrameOptions < Base
+      default_options :frame_options => :sameorigin
+
+      def frame_options
+        @frame_options ||= begin
+          frame_options = options[:frame_options]
+          frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+          frame_options.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body        = @app.call(env)
+        headers['X-Frame-Options'] ||= frame_options if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/http_origin.rb

@@ -0,0 +1,40 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: Google Chrome 2, Safari 4 and later
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #                      http://tools.ietf.org/html/draft-abarth-origin
+    #
+    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
+    # does not match default or whitelisted URIs.
+    #
+    # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
+    #
+    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
+    class HttpOrigin < Base
+      DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
+      default_reaction :deny
+      default_options :allow_if => nil
+
+      def base_url(env)
+        request = Rack::Request.new(env)
+        port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
+        "#{request.scheme}://#{request.host}#{port}"
+      end
+
+      def accepts?(env)
+        return true if safe? env
+        return true unless origin = env['HTTP_ORIGIN']
+        return true if base_url(env) == origin
+        return true if options[:allow_if] && options[:allow_if].call(env)
+        Array(options[:origin_whitelist]).include? origin
+      end
+
+    end
+  end
+end