rack-protection 2.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
-  data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
+  metadata.gz: 7640a15f8659807abd53474e7ce538a42e476e4bd99dc745f3b9b8c16161c008
+  data.tar.gz: '05468ec6c8113d3afce2df62221e4c866616999700c30ba3ef94a2705b11138b'
 SHA512:
-  metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
-  data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59
+  metadata.gz: eeaff5e584a8ee3be6c80dc92c67fcc95bdbb97b084509ed90ca9ad524598fba63690cfa372586edd27940cd609fa44210637e9c95fbf1191e1a5cc297f222ac
+  data.tar.gz: 26e2160d65b6015c7aaa52266b7241d15f645eb259d1371b864b3e2b6a3b1fbef841e62304bc8e39a83fab1a52ddb0c3455a51385a9a451c833cbed91b75d00a

data/Gemfile

@@ -1,13 +1,16 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
 # encoding: utf-8
 
 gem 'rake'
+gem 'rspec', '~> 3'
 
 rack_version = ENV['rack'].to_s
-rack_version = nil if rack_version.empty? or rack_version == 'stable'
-rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+rack_version = nil if rack_version.empty? || (rack_version == 'stable')
+rack_version = { github: 'rack/rack' } if rack_version == 'head'
 gem 'rack', rack_version
 
-gem 'sinatra', path: '..'
-
 gemspec
+
+gem 'rack-test'

data/README.md

@@ -74,6 +74,7 @@ Prevented by:
 ## Cookie Tossing
 
 Prevented by:
+
 * [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
 
 ## IP Spoofing
@@ -95,6 +96,7 @@ Prevented by:
 # Instrumentation
 
 Instrumentation is enabled by passing in an instrumenter as an option.
+
 ```
 use Rack::Protection, instrumenter: ActiveSupport::Notifications
 ```

data/Rakefile

@@ -1,53 +1,55 @@
-# encoding: utf-8
-$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.expand_path('lib', __dir__)
 
 begin
   require 'bundler'
   Bundler::GemHelper.install_tasks
 rescue LoadError => e
-  $stderr.puts e
+  warn e
 end
 
-desc "run specs"
-task(:spec) { ruby '-S rspec spec' }
+desc 'run specs'
+task(:spec) { ruby '-S rspec' }
 
 namespace :doc do
   task :readmes do
     Dir.glob 'lib/rack/protection/*.rb' do |file|
       excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
       next if excluded_files.include?(file)
+
       doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
-      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
-      Dir.mkdir "doc" unless File.directory? "doc"
+      file = "doc/#{file[4..-4].tr('/_', '-')}.rdoc"
+      Dir.mkdir 'doc' unless File.directory? 'doc'
       puts "writing #{file}"
-      File.open(file, "w") { |f| f << doc }
+      File.open(file, 'w') { |f| f << doc }
     end
   end
 
   task :index do
-    doc = File.read("README.md")
-    file = "doc/rack-protection-readme.md"
-    Dir.mkdir "doc" unless File.directory? "doc"
+    doc = File.read('README.md')
+    file = 'doc/rack-protection-readme.md'
+    Dir.mkdir 'doc' unless File.directory? 'doc'
     puts "writing #{file}"
-    File.open(file, "w") { |f| f << doc }
+    File.open(file, 'w') { |f| f << doc }
   end
 
-  task :all => [:readmes, :index]
+  task all: %i[readmes index]
 end
 
-desc "generate documentation"
-task :doc => 'doc:all'
+desc 'generate documentation'
+task doc: 'doc:all'
 
-desc "generate gemspec"
+desc 'generate gemspec'
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
   content = File.binread 'rack-protection.gemspec'
 
   # fetch data
   fields = {
-    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
-    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
+    authors: `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    email: ['mail@zzak.io', 'konstantin.haase@gmail.com'],
+    files: %w[License README.md Rakefile Gemfile rack-protection.gemspec] + Dir['lib/**/*']
   }
 
   # insert data
@@ -67,6 +69,6 @@ task 'rack-protection.gemspec' do
   File.open('rack-protection.gemspec', 'w') { |f| f << content }
 end
 
-task :gemspec => 'rack-protection.gemspec'
-task :default => :spec
-task :test    => :spec
+task gemspec: 'rack-protection.gemspec'
+task default: :spec
+task test: :spec

data/lib/rack/protection/authenticity_token.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'securerandom'
+require 'openssl'
 require 'base64'
 
 module Rack
@@ -16,7 +19,10 @@ module Rack
     # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
     # data.
     #
-    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # It is not OOTB-compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # For that, the following patch needs to be applied:
+    #
+    #   Rack::Protection::AuthenticityToken.default_options(key: "csrf.token", authenticity_param: "_csrf")
     #
     # == Options
     #
@@ -24,6 +30,13 @@ module Rack
     #                                the token on a request. Default value:
     #                                <tt>"authenticity_token"</tt>
     #
+    # [<tt>:key</tt>] the name of the param that should contain
+    #                                the token in the session. Default value:
+    #                                <tt>:csrf</tt>
+    #
+    # [<tt>:allow_if</tt>] a proc for custom allow/deny logic. Default value:
+    #                                <tt>nil</tt>
+    #
     # == Example: Forms application
     #
     # To show what the AuthenticityToken does, this section includes a sample
@@ -84,42 +97,57 @@ module Rack
     class AuthenticityToken < Base
       TOKEN_LENGTH = 32
 
-      default_options :authenticity_param => 'authenticity_token',
-                      :allow_if => nil
+      default_options authenticity_param: 'authenticity_token',
+                      key: :csrf,
+                      allow_if: nil
 
-      def self.token(session)
-        self.new(nil).mask_authenticity_token(session)
+      def self.token(session, path: nil, method: :post)
+        new(nil).mask_authenticity_token(session, path: path, method: method)
       end
 
       def self.random_token
-        SecureRandom.base64(TOKEN_LENGTH)
+        SecureRandom.urlsafe_base64(TOKEN_LENGTH, padding: false)
       end
 
       def accepts?(env)
-        session = session env
+        session = session(env)
         set_token(session)
 
         safe?(env) ||
-          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
-          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
-          ( options[:allow_if] && options[:allow_if].call(env) )
+          valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(env, Request.new(env).params[options[:authenticity_param]]) ||
+          options[:allow_if]&.call(env)
+      rescue StandardError
+        false
       end
 
-      def mask_authenticity_token(session)
-        token = set_token(session)
+      def mask_authenticity_token(session, path: nil, method: :post)
+        set_token(session)
+
+        token = if path && method
+                  per_form_token(session, path, method)
+                else
+                  global_token(session)
+                end
+
         mask_token(token)
       end
 
+      GLOBAL_TOKEN_IDENTIFIER = '!real_csrf_token'
+      private_constant :GLOBAL_TOKEN_IDENTIFIER
+
       private
 
       def set_token(session)
-        session[:csrf] ||= self.class.random_token
+        session[options[:key]] ||= self.class.random_token
       end
 
       # Checks the client's masked token to see if it matches the
       # session token.
-      def valid_token?(session, token)
-        return false if token.nil? || token.empty?
+      def valid_token?(env, token)
+        return false if token.nil? || !token.is_a?(String) || token.empty?
+
+        session = session(env)
 
         begin
           token = decode_token(token)
@@ -131,13 +159,13 @@ module Rack
         # to handle any unmasked tokens that we've issued without error.
 
         if unmasked_token?(token)
-          compare_with_real_token token, session
-
+          compare_with_real_token(token, session)
         elsif masked_token?(token)
           token = unmask_token(token)
 
-          compare_with_real_token token, session
-
+          compare_with_global_token(token, session) ||
+            compare_with_real_token(token, session) ||
+            compare_with_per_form_token(token, session, Request.new(env))
         else
           false # Token is malformed
         end
@@ -147,7 +175,6 @@ module Rack
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
       def mask_token(token)
-        token = decode_token(token)
         one_time_pad = SecureRandom.random_bytes(token.length)
         encrypted_token = xor_byte_strings(one_time_pad, token)
         masked_token = one_time_pad + encrypted_token
@@ -160,7 +187,7 @@ module Rack
         # value and decrypt it
         token_length = masked_token.length / 2
         one_time_pad = masked_token[0...token_length]
-        encrypted_token = masked_token[token_length..-1]
+        encrypted_token = masked_token[token_length..]
         xor_byte_strings(one_time_pad, encrypted_token)
       end
 
@@ -176,16 +203,41 @@ module Rack
         secure_compare(token, real_token(session))
       end
 
+      def compare_with_global_token(token, session)
+        secure_compare(token, global_token(session))
+      end
+
+      def compare_with_per_form_token(token, session, request)
+        secure_compare(token,
+                       per_form_token(session, request.path.chomp('/'), request.request_method))
+      end
+
       def real_token(session)
-        decode_token(session[:csrf])
+        decode_token(session[options[:key]])
+      end
+
+      def global_token(session)
+        token_hmac(session, GLOBAL_TOKEN_IDENTIFIER)
+      end
+
+      def per_form_token(session, path, method)
+        token_hmac(session, "#{path}##{method.downcase}")
       end
 
       def encode_token(token)
-        Base64.strict_encode64(token)
+        Base64.urlsafe_encode64(token)
       end
 
       def decode_token(token)
-        Base64.strict_decode64(token)
+        Base64.urlsafe_decode64(token)
+      end
+
+      def token_hmac(session, identifier)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest.new('SHA256'),
+          real_token(session),
+          identifier
+        )
       end
 
       def xor_byte_strings(s1, s2)

data/lib/rack/protection/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'digest'
@@ -8,12 +10,12 @@ module Rack
   module Protection
     class Base
       DEFAULT_OPTIONS = {
-        :reaction    => :default_reaction, :logging   => true,
-        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
-        :session_key => 'rack.session',    :status    => 403,
-        :allow_empty_referrer => true,
-        :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml text/xml application/xml]
+        reaction: :default_reaction, logging: true,
+        message: 'Forbidden', encryptor: Digest::SHA1,
+        session_key: 'rack.session', status: 403,
+        allow_empty_referrer: true,
+        report_key: 'protection.failed',
+        html_types: %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options
@@ -31,7 +33,8 @@ module Rack
       end
 
       def initialize(app, options = {})
-        @app, @options = app, default_options.merge(options)
+        @app = app
+        @options = default_options.merge(options)
       end
 
       def safe?(env)
@@ -52,24 +55,26 @@ module Rack
 
       def react(env)
         result = send(options[:reaction], env)
-        result if Array === result and result.size == 3
+        result if (Array === result) && (result.size == 3)
       end
 
       def warn(env, message)
         return unless options[:logging]
+
         l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
         l.warn(message)
       end
 
       def instrument(env)
-        return unless i = options[:instrumenter]
+        return unless (i = options[:instrumenter])
+
         env['rack.protection.attack'] = self.class.name.split('::').last.downcase
         i.instrument('rack.protection', env)
       end
 
       def deny(env)
         warn env, "attack prevented by #{self.class}"
-        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+        [options[:status], { 'Content-Type' => 'text/plain' }, [options[:message]]]
       end
 
       def report(env)
@@ -83,16 +88,24 @@ module Rack
 
       def session(env)
         return env[options[:session_key]] if session? env
-        fail "you need to set up a session middleware *before* #{self.class}"
+
+        raise "you need to set up a session middleware *before* #{self.class}"
       end
 
       def drop_session(env)
-        session(env).clear if session? env
+        return unless session? env
+
+        session(env).clear
+
+        return if ["1", "true"].include?(ENV["RACK_PROTECTION_SILENCE_DROP_SESSION_WARNING"])
+
+        warn env, "session dropped by #{self.class}"
       end
 
       def referrer(env)
         ref = env['HTTP_REFERER'].to_s
-        return if !options[:allow_empty_referrer] and ref.empty?
+        return if !options[:allow_empty_referrer] && ref.empty?
+
         URI.parse(ref).host || Request.new(env).host
       rescue URI::InvalidURIError
       end
@@ -102,7 +115,7 @@ module Rack
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+        secure ? SecureRandom.hex(16) : '%032x' % rand((2**128) - 1)
       rescue NotImplementedError
         random_string false
       end
@@ -118,8 +131,9 @@ module Rack
       alias default_reaction deny
 
       def html?(headers)
-        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
-        options[:html_types].include? header.last[/^\w+\/\w+/]
+        return false unless (header = headers.detect { |k, _v| k.downcase == 'content-type' })
+
+        options[:html_types].include? header.last[%r{^\w+/\w+}]
       end
     end
   end

data/lib/rack/protection/content_security_policy.rb

@@ -1,4 +1,5 @@
-# -*- coding: utf-8 -*-
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -38,16 +39,16 @@ module Rack
     class ContentSecurityPolicy < Base
       default_options default_src: "'self'", report_only: false
 
-      DIRECTIVES = %i(base_uri child_src connect_src default_src
+      DIRECTIVES = %i[base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
                       style_src worker_src webrtc_src navigate_to
-                      prefetch_src).freeze
+                      prefetch_src].freeze
 
-      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
-                             upgrade_insecure_requests).freeze
+      NO_ARG_DIRECTIVES = %i[block_all_mixed_content disown_opener
+                             upgrade_insecure_requests].freeze
 
       def csp_policy
         directives = []

data/lib/rack/protection/cookie_tossing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'pathname'
 
@@ -29,9 +31,8 @@ module Rack
         cookie_header = env['HTTP_COOKIE']
         cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
         cookies.each do |k, v|
-          if k == session_key && Array(v).size > 1
-            bad_cookies << k
-          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+          if (k == session_key && Array(v).size > 1) ||
+             (k != session_key && Rack::Utils.unescape(k) == session_key)
             bad_cookies << k
           end
         end
@@ -40,6 +41,7 @@ module Rack
 
       def remove_bad_cookies(request, response)
         return if bad_cookies.empty?
+
         paths = cookie_paths(request.path)
         bad_cookies.each do |name|
           paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
@@ -49,7 +51,7 @@ module Rack
       def redirect(env)
         request = Request.new(env)
         warn env, "attack prevented by #{self.class}"
-        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+        [302, { 'Content-Type' => 'text/html', 'Location' => request.path }, []]
       end
 
       def bad_cookies
@@ -64,7 +66,7 @@ module Rack
       end
 
       def empty_cookie(host, path)
-        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+        { value: '', domain: host, path: path, expires: Time.at(0) }
       end
 
       def session_key