rack-protection 2.1.0 → 4.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3268bb2b60f8095b38658717f5e267da2e1dfbee57f487baf39a185d3cf9266
-  data.tar.gz: fc40122b95963a81333da038536782d85a9abdc92b823eb5d3044ef3c5c807c4
+  metadata.gz: 98553e74b3c41ed1630ad332c07ac4be4d2cf7f9f7d42c4ea383ed10b36cfda8
+  data.tar.gz: d1af8ebd50af6447a3879ae531de1dd5e664cb7493919f2af94c4d2a5d0036d4
 SHA512:
-  metadata.gz: 7b381c903bb99d1e8cfcd00554642aafc2644f4432987be95e094a84b0f020648efb92b4a48e082cda5749045c44d14e5f08d97a1a733bf2b1e850eeaf69d67b
-  data.tar.gz: bfb60cf9484528f0096cd68a6da55b66fa3471407a120caff83ee961b54043f3e4aca45a219273e7e48cc85ce70742ee75dab750609239fb887dfc35dfbcae59
+  metadata.gz: 7c38bcefaa24abe73b6d19562e3ac028aa857458ba9a60230e94b383c94b5493e1e0488ec08f4afdd6d09fd4a6cf088662be0f48e21da55cbadf45eaf1599f47
+  data.tar.gz: ddaf456e0d4d72f433f1d08f7dcf0c12280b228f43aaca4119ed60201170bcf57ba3cb9383be0b86e179ac664b568bb7fa37dbb5695d6f2a8583e8edc8b706c7

data/Gemfile

@@ -1,13 +1,13 @@
-source "https://rubygems.org"
-# encoding: utf-8
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
 
 gem 'rake'
+gem 'rspec', '~> 3'
+gem 'rack-test'
 
 rack_version = ENV['rack'].to_s
-rack_version = nil if rack_version.empty? or rack_version == 'stable'
-rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+rack_version = nil if rack_version.empty? || (rack_version == 'stable')
+rack_version = { github: 'rack/rack' } if rack_version == 'head'
 gem 'rack', rack_version
-
-gem 'sinatra', path: '..'
-
-gemspec

data/README.md

@@ -34,6 +34,10 @@ run MyApp
 
 # Prevented Attacks
 
+## DNS rebinding and other Host header attacks
+
+* [`Rack::Protection::HostAuthorization`][host-authorization] (not included by `use Rack::Protection`)
+
 ## Cross Site Request Forgery
 
 Prevented by:
@@ -69,11 +73,12 @@ Prevented by:
 
 Prevented by:
 
-* [`Rack::Protection::SessionHijacking`][session-hijacking]
+* [`Rack::Protection::SessionHijacking`][session-hijacking] (not included by `use Rack::Protection`)
 
 ## Cookie Tossing
 
 Prevented by:
+
 * [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
 
 ## IP Spoofing
@@ -95,6 +100,7 @@ Prevented by:
 # Instrumentation
 
 Instrumentation is enabled by passing in an instrumenter as an option.
+
 ```
 use Rack::Protection, instrumenter: ActiveSupport::Notifications
 ```
@@ -107,6 +113,7 @@ The instrumenter is passed a namespace (String) and environment (Hash). The name
 [escaped-params]: http://www.sinatrarb.com/protection/escaped_params
 [form-token]: http://www.sinatrarb.com/protection/form_token
 [frame-options]: http://www.sinatrarb.com/protection/frame_options
+[host-authorization]: https://github.com/sinatra/sinatra/blob/main/rack-protection/lib/rack/protection/host_authorization.rb
 [http-origin]: http://www.sinatrarb.com/protection/http_origin
 [ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
 [json-csrf]: http://www.sinatrarb.com/protection/json_csrf

data/Rakefile

@@ -1,53 +1,55 @@
-# encoding: utf-8
-$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.expand_path('lib', __dir__)
 
 begin
   require 'bundler'
   Bundler::GemHelper.install_tasks
 rescue LoadError => e
-  $stderr.puts e
+  warn e
 end
 
-desc "run specs"
-task(:spec) { ruby '-S rspec spec' }
+desc 'run specs'
+task(:spec) { ruby '-S rspec' }
 
 namespace :doc do
   task :readmes do
     Dir.glob 'lib/rack/protection/*.rb' do |file|
       excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
       next if excluded_files.include?(file)
+
       doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
-      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
-      Dir.mkdir "doc" unless File.directory? "doc"
+      file = "doc/#{file[4..-4].tr('/_', '-')}.rdoc"
+      Dir.mkdir 'doc' unless File.directory? 'doc'
       puts "writing #{file}"
-      File.open(file, "w") { |f| f << doc }
+      File.open(file, 'w') { |f| f << doc }
     end
   end
 
   task :index do
-    doc = File.read("README.md")
-    file = "doc/rack-protection-readme.md"
-    Dir.mkdir "doc" unless File.directory? "doc"
+    doc = File.read('README.md')
+    file = 'doc/rack-protection-readme.md'
+    Dir.mkdir 'doc' unless File.directory? 'doc'
     puts "writing #{file}"
-    File.open(file, "w") { |f| f << doc }
+    File.open(file, 'w') { |f| f << doc }
   end
 
-  task :all => [:readmes, :index]
+  task all: %i[readmes index]
 end
 
-desc "generate documentation"
-task :doc => 'doc:all'
+desc 'generate documentation'
+task doc: 'doc:all'
 
-desc "generate gemspec"
+desc 'generate gemspec'
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
   content = File.binread 'rack-protection.gemspec'
 
   # fetch data
   fields = {
-    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
-    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
+    authors: `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    email: ['mail@zzak.io', 'konstantin.haase@gmail.com'],
+    files: %w[License README.md Rakefile Gemfile rack-protection.gemspec] + Dir['lib/**/*']
   }
 
   # insert data
@@ -67,6 +69,6 @@ task 'rack-protection.gemspec' do
   File.open('rack-protection.gemspec', 'w') { |f| f << content }
 end
 
-task :gemspec => 'rack-protection.gemspec'
-task :default => :spec
-task :test    => :spec
+task gemspec: 'rack-protection.gemspec'
+task default: :spec
+task test: :spec

data/lib/rack/protection/authenticity_token.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'securerandom'
+require 'openssl'
 require 'base64'
 
 module Rack
@@ -16,7 +19,10 @@ module Rack
     # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
     # data.
     #
-    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # It is not OOTB-compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # For that, the following patch needs to be applied:
+    #
+    #   Rack::Protection::AuthenticityToken.default_options(key: "csrf.token", authenticity_param: "_csrf")
     #
     # == Options
     #
@@ -24,6 +30,13 @@ module Rack
     #                                the token on a request. Default value:
     #                                <tt>"authenticity_token"</tt>
     #
+    # [<tt>:key</tt>] the name of the param that should contain
+    #                                the token in the session. Default value:
+    #                                <tt>:csrf</tt>
+    #
+    # [<tt>:allow_if</tt>] a proc for custom allow/deny logic. Default value:
+    #                                <tt>nil</tt>
+    #
     # == Example: Forms application
     #
     # To show what the AuthenticityToken does, this section includes a sample
@@ -33,14 +46,15 @@ module Rack
     # Install the gem, then run the program:
     #
     #   gem install 'rack-protection'
-    #   ruby server.rb
+    #   puma server.ru
     #
-    # Here is <tt>server.rb</tt>:
+    # Here is <tt>server.ru</tt>:
     #
     #   require 'rack/protection'
+    #   require 'rack/session'
     #
     #   app = Rack::Builder.app do
-    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Session::Cookie, secret: 'CHANGEMEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
     #     use Rack::Protection::AuthenticityToken
     #
     #     run -> (env) do
@@ -74,7 +88,7 @@ module Rack
     #     end
     #   end
     #
-    #   Rack::Handler::WEBrick.run app
+    #   run app
     #
     # == Example: Customize which POST parameter holds the token
     #
@@ -84,42 +98,57 @@ module Rack
     class AuthenticityToken < Base
       TOKEN_LENGTH = 32
 
-      default_options :authenticity_param => 'authenticity_token',
-                      :allow_if => nil
+      default_options authenticity_param: 'authenticity_token',
+                      key: :csrf,
+                      allow_if: nil
 
-      def self.token(session)
-        self.new(nil).mask_authenticity_token(session)
+      def self.token(session, path: nil, method: :post)
+        new(nil).mask_authenticity_token(session, path: path, method: method)
       end
 
       def self.random_token
-        SecureRandom.base64(TOKEN_LENGTH)
+        SecureRandom.urlsafe_base64(TOKEN_LENGTH, padding: false)
       end
 
       def accepts?(env)
-        session = session env
+        session = session(env)
         set_token(session)
 
         safe?(env) ||
-          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
-          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
-          ( options[:allow_if] && options[:allow_if].call(env) )
+          valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(env, Request.new(env).params[options[:authenticity_param]]) ||
+          options[:allow_if]&.call(env)
+      rescue StandardError
+        false
       end
 
-      def mask_authenticity_token(session)
-        token = set_token(session)
+      def mask_authenticity_token(session, path: nil, method: :post)
+        set_token(session)
+
+        token = if path && method
+                  per_form_token(session, path, method)
+                else
+                  global_token(session)
+                end
+
         mask_token(token)
       end
 
+      GLOBAL_TOKEN_IDENTIFIER = '!real_csrf_token'
+      private_constant :GLOBAL_TOKEN_IDENTIFIER
+
       private
 
       def set_token(session)
-        session[:csrf] ||= self.class.random_token
+        session[options[:key]] ||= self.class.random_token
       end
 
       # Checks the client's masked token to see if it matches the
       # session token.
-      def valid_token?(session, token)
-        return false if token.nil? || token.empty?
+      def valid_token?(env, token)
+        return false if token.nil? || !token.is_a?(String) || token.empty?
+
+        session = session(env)
 
         begin
           token = decode_token(token)
@@ -131,13 +160,13 @@ module Rack
         # to handle any unmasked tokens that we've issued without error.
 
         if unmasked_token?(token)
-          compare_with_real_token token, session
-
+          compare_with_real_token(token, session)
         elsif masked_token?(token)
           token = unmask_token(token)
 
-          compare_with_real_token token, session
-
+          compare_with_global_token(token, session) ||
+            compare_with_real_token(token, session) ||
+            compare_with_per_form_token(token, session, Request.new(env))
         else
           false # Token is malformed
         end
@@ -147,7 +176,6 @@ module Rack
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
       def mask_token(token)
-        token = decode_token(token)
         one_time_pad = SecureRandom.random_bytes(token.length)
         encrypted_token = xor_byte_strings(one_time_pad, token)
         masked_token = one_time_pad + encrypted_token
@@ -160,7 +188,7 @@ module Rack
         # value and decrypt it
         token_length = masked_token.length / 2
         one_time_pad = masked_token[0...token_length]
-        encrypted_token = masked_token[token_length..-1]
+        encrypted_token = masked_token[token_length..]
         xor_byte_strings(one_time_pad, encrypted_token)
       end
 
@@ -176,16 +204,41 @@ module Rack
         secure_compare(token, real_token(session))
       end
 
+      def compare_with_global_token(token, session)
+        secure_compare(token, global_token(session))
+      end
+
+      def compare_with_per_form_token(token, session, request)
+        secure_compare(token,
+                       per_form_token(session, request.path.chomp('/'), request.request_method))
+      end
+
       def real_token(session)
-        decode_token(session[:csrf])
+        decode_token(session[options[:key]])
+      end
+
+      def global_token(session)
+        token_hmac(session, GLOBAL_TOKEN_IDENTIFIER)
+      end
+
+      def per_form_token(session, path, method)
+        token_hmac(session, "#{path}##{method.downcase}")
       end
 
       def encode_token(token)
-        Base64.strict_encode64(token)
+        Base64.urlsafe_encode64(token)
       end
 
       def decode_token(token)
-        Base64.strict_decode64(token)
+        Base64.urlsafe_decode64(token)
+      end
+
+      def token_hmac(session, identifier)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest.new('SHA256'),
+          real_token(session),
+          identifier
+        )
       end
 
       def xor_byte_strings(s1, s2)

data/lib/rack/protection/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'digest'
@@ -8,12 +10,12 @@ module Rack
   module Protection
     class Base
       DEFAULT_OPTIONS = {
-        :reaction    => :default_reaction, :logging   => true,
-        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
-        :session_key => 'rack.session',    :status    => 403,
-        :allow_empty_referrer => true,
-        :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml text/xml application/xml]
+        reaction: :default_reaction, logging: true,
+        message: 'Forbidden', encryptor: Digest::SHA1,
+        session_key: 'rack.session', status: 403,
+        allow_empty_referrer: true,
+        report_key: 'protection.failed',
+        html_types: %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options
@@ -31,7 +33,8 @@ module Rack
       end
 
       def initialize(app, options = {})
-        @app, @options = app, default_options.merge(options)
+        @app = app
+        @options = default_options.merge(options)
       end
 
       def safe?(env)
@@ -52,24 +55,33 @@ module Rack
 
       def react(env)
         result = send(options[:reaction], env)
-        result if Array === result and result.size == 3
+        result if (Array === result) && (result.size == 3)
+      end
+
+      def debug(env, message)
+        return unless options[:logging]
+
+        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
+        l.debug(message)
       end
 
       def warn(env, message)
         return unless options[:logging]
+
         l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
         l.warn(message)
       end
 
       def instrument(env)
-        return unless i = options[:instrumenter]
+        return unless (i = options[:instrumenter])
+
         env['rack.protection.attack'] = self.class.name.split('::').last.downcase
         i.instrument('rack.protection', env)
       end
 
       def deny(env)
         warn env, "attack prevented by #{self.class}"
-        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+        [options[:status], { 'content-type' => 'text/plain' }, [options[:message]]]
       end
 
       def report(env)
@@ -83,16 +95,24 @@ module Rack
 
       def session(env)
         return env[options[:session_key]] if session? env
-        fail "you need to set up a session middleware *before* #{self.class}"
+
+        raise "you need to set up a session middleware *before* #{self.class}"
       end
 
       def drop_session(env)
-        session(env).clear if session? env
+        return unless session? env
+
+        session(env).clear
+
+        return if ["1", "true"].include?(ENV["RACK_PROTECTION_SILENCE_DROP_SESSION_WARNING"])
+
+        warn env, "session dropped by #{self.class}"
       end
 
       def referrer(env)
         ref = env['HTTP_REFERER'].to_s
-        return if !options[:allow_empty_referrer] and ref.empty?
+        return if !options[:allow_empty_referrer] && ref.empty?
+
         URI.parse(ref).host || Request.new(env).host
       rescue URI::InvalidURIError
       end
@@ -102,7 +122,7 @@ module Rack
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+        secure ? SecureRandom.hex(16) : '%032x' % rand((2**128) - 1)
       rescue NotImplementedError
         random_string false
       end
@@ -118,8 +138,9 @@ module Rack
       alias default_reaction deny
 
       def html?(headers)
-        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
-        options[:html_types].include? header.last[/^\w+\/\w+/]
+        return false unless (header = headers.detect { |k, _v| k.downcase == 'content-type' })
+
+        options[:html_types].include? header.last[%r{^\w+/\w+}]
       end
     end
   end

data/lib/rack/protection/content_security_policy.rb

@@ -1,4 +1,5 @@
-# -*- coding: utf-8 -*-
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -25,7 +26,7 @@ module Rack
     #               https://scotthelme.co.uk/csp-cheat-sheet/
     #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
     #
-    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    # Sets the 'content-security-policy[-report-only]' header.
     #
     # Options: ContentSecurityPolicy configuration is a complex topic with
     #          several levels of support that has evolved over time.
@@ -38,16 +39,16 @@ module Rack
     class ContentSecurityPolicy < Base
       default_options default_src: "'self'", report_only: false
 
-      DIRECTIVES = %i(base_uri child_src connect_src default_src
+      DIRECTIVES = %i[base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
                       style_src worker_src webrtc_src navigate_to
-                      prefetch_src).freeze
+                      prefetch_src].freeze
 
-      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
-                             upgrade_insecure_requests).freeze
+      NO_ARG_DIRECTIVES = %i[block_all_mixed_content disown_opener
+                             upgrade_insecure_requests].freeze
 
       def csp_policy
         directives = []
@@ -70,7 +71,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        header = options[:report_only] ? 'content-security-policy-report-only' : 'content-security-policy'
         headers[header] ||= csp_policy if html? headers
         [status, headers, body]
       end

data/lib/rack/protection/cookie_tossing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'pathname'
 
@@ -29,9 +31,8 @@ module Rack
         cookie_header = env['HTTP_COOKIE']
         cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
         cookies.each do |k, v|
-          if k == session_key && Array(v).size > 1
-            bad_cookies << k
-          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+          if (k == session_key && Array(v).size > 1) ||
+             (k != session_key && Rack::Utils.unescape(k) == session_key)
             bad_cookies << k
           end
         end
@@ -40,6 +41,7 @@ module Rack
 
       def remove_bad_cookies(request, response)
         return if bad_cookies.empty?
+
         paths = cookie_paths(request.path)
         bad_cookies.each do |name|
           paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
@@ -49,7 +51,7 @@ module Rack
       def redirect(env)
         request = Request.new(env)
         warn env, "attack prevented by #{self.class}"
-        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+        [302, { 'content-type' => 'text/html', 'location' => request.path }, []]
       end
 
       def bad_cookies
@@ -64,7 +66,7 @@ module Rack
       end
 
       def empty_cookie(host, path)
-        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+        { value: '', domain: host, path: path, expires: Time.at(0) }
       end
 
       def session_key

data/lib/rack/protection/escaped_params.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'tempfile'
@@ -15,8 +17,7 @@ module Rack
     # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
     #
     # Automatically escapes Rack::Request#params so they can be embedded in HTML
-    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
-    # strings if defined, to avoid double-escaping in Rails.
+    # or JavaScript without any further issues.
     #
     # Options:
     # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
@@ -29,8 +30,8 @@ module Rack
         public :escape_html
       end
 
-      default_options :escape => :html,
-        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
+      default_options escape: :html,
+                      escaper: defined?(EscapeUtils) ? EscapeUtils : self
 
       def initialize(*)
         super
@@ -41,15 +42,19 @@ module Rack
         @javascript = modes.include? :javascript
         @url        = modes.include? :url
 
-        if @javascript and not @escaper.respond_to? :escape_javascript
-          fail("Use EscapeUtils for JavaScript escaping.")
-        end
+        return unless @javascript && (!@escaper.respond_to? :escape_javascript)
+
+        raise('Use EscapeUtils for JavaScript escaping.')
       end
 
       def call(env)
         request  = Request.new(env)
         get_was  = handle(request.GET)
-        post_was = handle(request.POST) rescue nil
+        post_was = begin
+          handle(request.POST)
+        rescue StandardError
+          nil
+        end
         app.call env
       ensure
         request.GET.replace  get_was  if get_was
@@ -68,13 +73,12 @@ module Rack
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
         when Tempfile then object
-        else nil
         end
       end
 
       def escape_hash(hash)
         hash = hash.dup
-        hash.each { |k,v| hash[k] = escape(v) }
+        hash.each { |k, v| hash[k] = escape(v) }
         hash
       end
 

data/lib/rack/protection/form_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -16,7 +18,7 @@ module Rack
     # Compatible with rack-csrf.
     class FormToken < AuthenticityToken
       def accepts?(env)
-        env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super
+        env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' or super
       end
     end
   end