rack-protection 2.1.0 → 2.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
-  data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
+  metadata.gz: 329a83327187635894cd3f8530c6e96b6cac29e8e28b1a8db0f1339cffa07a23
+  data.tar.gz: da8bea5ddeab7426d74fe977b7856a78c10f397da94b5769f5f72b83d5e0a1b1
 SHA512:
-  metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
-  data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59
+  metadata.gz: 6e4e35ae58ac6f131cff279bf7e68770eb87253d40c518980e1b44abbd9fbc7deb8952618e92289631d3641dd627ffb57f1963562536e8164aba2357544f36d6
+  data.tar.gz: 26b2c4e7413a6bf68386c474173ccad34ed7334064d4f262dfc0e04f546edc61b1de6ec95ca151544decbb1962957d85907734c38566b7e1b2501e6254d4956f

data/lib/rack/protection/authenticity_token.rb

@@ -1,5 +1,6 @@
 require 'rack/protection'
 require 'securerandom'
+require 'openssl'
 require 'base64'
 
 module Rack
@@ -24,6 +25,13 @@ module Rack
     #                                the token on a request. Default value:
     #                                <tt>"authenticity_token"</tt>
     #
+    # [<tt>:key</tt>] the name of the param that should contain
+    #                                the token in the session. Default value:
+    #                                <tt>:csrf</tt>
+    #
+    # [<tt>:allow_if</tt>] a proc for custom allow/deny logic. Default value:
+    #                                <tt>nil</tt>
+    #
     # == Example: Forms application
     #
     # To show what the AuthenticityToken does, this section includes a sample
@@ -85,42 +93,57 @@ module Rack
       TOKEN_LENGTH = 32
 
       default_options :authenticity_param => 'authenticity_token',
+                      :key => :csrf,
                       :allow_if => nil
 
-      def self.token(session)
-        self.new(nil).mask_authenticity_token(session)
+      def self.token(session, path: nil, method: :post)
+        self.new(nil).mask_authenticity_token(session, path: path, method: method)
       end
 
       def self.random_token
-        SecureRandom.base64(TOKEN_LENGTH)
+        SecureRandom.urlsafe_base64(TOKEN_LENGTH, padding: false)
       end
 
       def accepts?(env)
-        session = session env
+        session = session(env)
         set_token(session)
 
         safe?(env) ||
-          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
-          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
+          valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(env, Request.new(env).params[options[:authenticity_param]]) ||
           ( options[:allow_if] && options[:allow_if].call(env) )
+      rescue
+        false
       end
 
-      def mask_authenticity_token(session)
-        token = set_token(session)
+      def mask_authenticity_token(session, path: nil, method: :post)
+        set_token(session)
+
+        token = if path && method
+          per_form_token(session, path, method)
+        else
+          global_token(session)
+        end
+
         mask_token(token)
       end
 
+      GLOBAL_TOKEN_IDENTIFIER = '!real_csrf_token'
+      private_constant :GLOBAL_TOKEN_IDENTIFIER
+
       private
 
       def set_token(session)
-        session[:csrf] ||= self.class.random_token
+        session[options[:key]] ||= self.class.random_token
       end
 
       # Checks the client's masked token to see if it matches the
       # session token.
-      def valid_token?(session, token)
+      def valid_token?(env, token)
         return false if token.nil? || token.empty?
 
+        session = session(env)
+
         begin
           token = decode_token(token)
         rescue ArgumentError # encoded_masked_token is invalid Base64
@@ -131,13 +154,13 @@ module Rack
         # to handle any unmasked tokens that we've issued without error.
 
         if unmasked_token?(token)
-          compare_with_real_token token, session
-
+          compare_with_real_token(token, session)
         elsif masked_token?(token)
           token = unmask_token(token)
 
-          compare_with_real_token token, session
-
+          compare_with_global_token(token, session) ||
+            compare_with_real_token(token, session) ||
+            compare_with_per_form_token(token, session, Request.new(env))
         else
           false # Token is malformed
         end
@@ -147,7 +170,6 @@ module Rack
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
       def mask_token(token)
-        token = decode_token(token)
         one_time_pad = SecureRandom.random_bytes(token.length)
         encrypted_token = xor_byte_strings(one_time_pad, token)
         masked_token = one_time_pad + encrypted_token
@@ -176,16 +198,42 @@ module Rack
         secure_compare(token, real_token(session))
       end
 
+      def compare_with_global_token(token, session)
+        secure_compare(token, global_token(session))
+      end
+
+      def compare_with_per_form_token(token, session, request)
+        secure_compare(token,
+          per_form_token(session, request.path.chomp('/'), request.request_method)
+        )
+      end
+
       def real_token(session)
-        decode_token(session[:csrf])
+        decode_token(session[options[:key]])
+      end
+
+      def global_token(session)
+        token_hmac(session, GLOBAL_TOKEN_IDENTIFIER)
+      end
+
+      def per_form_token(session, path, method)
+        token_hmac(session, "#{path}##{method.downcase}")
       end
 
       def encode_token(token)
-        Base64.strict_encode64(token)
+        Base64.urlsafe_encode64(token)
       end
 
       def decode_token(token)
-        Base64.strict_decode64(token)
+        Base64.urlsafe_decode64(token)
+      end
+
+      def token_hmac(session, identifier)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest::SHA256.new,
+          real_token(session),
+          identifier
+        )
       end
 
       def xor_byte_strings(s1, s2)

data/lib/rack/protection/http_origin.rb

@@ -34,7 +34,7 @@ module Rack
         return true if options[:allow_if] && options[:allow_if].call(env)
 
         if options.key? :origin_whitelist
-          warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
+          warn env, "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
             "use permitted_origins instead.\n"
         end
 

data/lib/rack/protection/ip_spoofing.rb

@@ -13,9 +13,11 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
-        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
-        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
+        return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
+        return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
+
         true
       end
     end

data/lib/rack/protection/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module Protection
-    VERSION = '2.1.0'
+    VERSION = '2.2.3'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.4
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-04 00:00:00.000000000 Z
+date: 2022-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -91,7 +91,7 @@ metadata:
   source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
   homepage_uri: http://sinatrarb.com/protection/
   documentation_uri: https://www.rubydoc.info/gems/rack-protection
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -106,8 +106,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubyforge_project:
+rubygems_version: 2.7.6.3
+signing_key:
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including
   Rails.