rack-protection 2.2.0 → 3.1.0

data/lib/rack/protection/encrypted_cookie.rb

@@ -0,0 +1,273 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'zlib'
+require 'json'
+require 'rack/request'
+require 'rack/response'
+require 'rack/session/abstract/id'
+
+module Rack
+  module Protection
+    # Rack::Protection::EncryptedCookie provides simple cookie based session management.
+    # By default, the session is a Ruby Hash stored as base64 encoded marshalled
+    # data set to :key (default: rack.session).  The object that encodes the
+    # session data is configurable and must respond to +encode+ and +decode+.
+    # Both methods must take a string and return a string.
+    #
+    # When the secret key is set, cookie data is checked for data integrity.
+    # The old_secret key is also accepted and allows graceful secret rotation.
+    # A legacy_hmac_secret is also accepted and is used to upgrade existing
+    # sessions to the new encryption scheme.
+    #
+    # There is also a legacy_hmac_coder option which can be set if a non-default
+    # coder was used for legacy session cookies.
+    #
+    # Example:
+    #
+    #     use Rack::Protection::EncryptedCookie,
+    #                                :key => 'rack.session',
+    #                                :domain => 'foo.com',
+    #                                :path => '/',
+    #                                :expire_after => 2592000,
+    #                                :secret => 'change_me',
+    #                                :old_secret => 'old_secret'
+    #
+    #     All parameters are optional.
+    #
+    # Example using legacy HMAC options
+    #
+    #   Rack::Protection:EncryptedCookie.new(application, {
+    #     # The secret used for legacy HMAC cookies
+    #     legacy_hmac_secret: 'legacy secret',
+    #     # legacy_hmac_coder will default to Rack::Protection::EncryptedCookie::Base64::Marshal
+    #     legacy_hmac_coder: Rack::Protection::EncryptedCookie::Identity.new,
+    #     # legacy_hmac will default to OpenSSL::Digest::SHA1
+    #     legacy_hmac: OpenSSL::Digest::SHA256
+    #   })
+    #
+    # Example of a cookie with no encoding:
+    #
+    #   Rack::Protection::EncryptedCookie.new(application, {
+    #     :coder => Rack::Protection::EncryptedCookie::Identity.new
+    #   })
+    #
+    # Example of a cookie with custom encoding:
+    #
+    #   Rack::Protection::EncryptedCookie.new(application, {
+    #     :coder => Class.new {
+    #       def encode(str); str.reverse; end
+    #       def decode(str); str.reverse; end
+    #     }.new
+    #   })
+    #
+    class EncryptedCookie < Rack::Session::Abstract::Persisted
+      # Encode session cookies as Base64
+      class Base64
+        def encode(str)
+          [str].pack('m0')
+        end
+
+        def decode(str)
+          str.unpack1('m')
+        end
+
+        # Encode session cookies as Marshaled Base64 data
+        class Marshal < Base64
+          def encode(str)
+            super(::Marshal.dump(str))
+          end
+
+          def decode(str)
+            return unless str
+
+            begin
+              ::Marshal.load(super(str))
+            rescue StandardError
+              nil
+            end
+          end
+        end
+
+        # N.B. Unlike other encoding methods, the contained objects must be a
+        # valid JSON composite type, either a Hash or an Array.
+        class JSON < Base64
+          def encode(obj)
+            super(::JSON.dump(obj))
+          end
+
+          def decode(str)
+            return unless str
+
+            begin
+              ::JSON.parse(super(str))
+            rescue StandardError
+              nil
+            end
+          end
+        end
+
+        class ZipJSON < Base64
+          def encode(obj)
+            super(Zlib::Deflate.deflate(::JSON.dump(obj)))
+          end
+
+          def decode(str)
+            return unless str
+
+            ::JSON.parse(Zlib::Inflate.inflate(super(str)))
+          rescue StandardError
+            nil
+          end
+        end
+      end
+
+      # Use no encoding for session cookies
+      class Identity
+        def encode(str); str; end
+        def decode(str); str; end
+      end
+
+      class Marshal
+        def encode(str)
+          ::Marshal.dump(str)
+        end
+
+        def decode(str)
+          ::Marshal.load(str) if str
+        end
+      end
+
+      attr_reader :coder
+
+      def initialize(app, options = {})
+        # Assume keys are hex strings and convert them to raw byte strings for
+        # actual key material
+        @secrets = options.values_at(:secret, :old_secret).compact.map do |secret|
+          [secret].pack('H*')
+        end
+
+        warn <<-MSG unless secure?(options)
+        SECURITY WARNING: No secret option provided to Rack::Protection::EncryptedCookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+
+        Called from: #{caller[0]}.
+        MSG
+
+        warn <<-MSG if @secrets.first && @secrets.first.length < 32
+        SECURITY WARNING: Your secret is not long enough. It must be at least
+        32 bytes long and securely random. To generate such a key for use
+        you can run the following command:
+
+        ruby -rsecurerandom -e 'p SecureRandom.hex(32)'
+
+        Called from: #{caller[0]}.
+        MSG
+
+        if options.key?(:legacy_hmac_secret)
+          @legacy_hmac = options.fetch(:legacy_hmac, OpenSSL::Digest::SHA1)
+
+          # Multiply the :digest_length: by 2 because this value is the length of
+          # the digest in bytes but session digest strings are encoded as hex
+          # strings
+          @legacy_hmac_length = @legacy_hmac.new.digest_length * 2
+          @legacy_hmac_secret = options[:legacy_hmac_secret]
+          @legacy_hmac_coder  = (options[:legacy_hmac_coder] ||= Base64::Marshal.new)
+        else
+          @legacy_hmac = false
+        end
+
+        # If encryption is used we can just use a default Marshal encoder
+        # without Base64 encoding the results.
+        #
+        # If no encryption is used, rely on the previous default (Base64::Marshal)
+        @coder = (options[:coder] ||= (@secrets.any? ? Marshal.new : Base64::Marshal.new))
+
+        super(app, options.merge!(cookie_only: true))
+      end
+
+      private
+
+      def find_session(req, _sid)
+        data = unpacked_cookie_data(req)
+        data = persistent_session_id!(data)
+        [data['session_id'], data]
+      end
+
+      def extract_session_id(request)
+        unpacked_cookie_data(request)['session_id']
+      end
+
+      def unpacked_cookie_data(request)
+        request.fetch_header(RACK_SESSION_UNPACKED_COOKIE_DATA) do |k|
+          session_data = cookie_data = request.cookies[@key]
+
+          # Try to decrypt with the first secret, if that returns nil, try
+          # with old_secret
+          unless @secrets.empty?
+            session_data = Rack::Protection::Encryptor.decrypt_message(cookie_data, @secrets.first)
+            session_data ||= Rack::Protection::Encryptor.decrypt_message(cookie_data, @secrets[1]) if @secrets.size > 1
+          end
+
+          # If session_data is still nil, are there is a legacy HMAC
+          # configured, try verify and parse the cookie that way
+          if !session_data && @legacy_hmac
+            digest = cookie_data.slice!(-@legacy_hmac_length..-1)
+            cookie_data.slice!(-2..-1) # remove double dash
+            session_data = cookie_data if digest_match?(cookie_data, digest)
+
+            # Decode using legacy HMAC decoder
+            request.set_header(k, @legacy_hmac_coder.decode(session_data) || {})
+          else
+            request.set_header(k, coder.decode(session_data) || {})
+          end
+        end
+      end
+
+      def persistent_session_id!(data, sid = nil)
+        data ||= {}
+        data['session_id'] ||= sid || generate_sid
+        data
+      end
+
+      def write_session(req, session_id, session, _options)
+        session = session.merge('session_id' => session_id)
+        session_data = coder.encode(session)
+
+        unless @secrets.empty?
+          session_data = Rack::Protection::Encryptor.encrypt_message(session_data, @secrets.first)
+        end
+
+        if session_data.size > (4096 - @key.size)
+          req.get_header(RACK_ERRORS).puts('Warning! Rack::Protection::EncryptedCookie data size exceeds 4K.')
+          nil
+        else
+          session_data
+        end
+      end
+
+      def delete_session(_req, _session_id, options)
+        # Nothing to do here, data is in the client
+        generate_sid unless options[:drop]
+      end
+
+      def digest_match?(data, digest)
+        return false unless data && digest
+
+        Rack::Utils.secure_compare(digest, generate_hmac(data))
+      end
+
+      def generate_hmac(data)
+        OpenSSL::HMAC.hexdigest(@legacy_hmac.new, @legacy_hmac_secret, data)
+      end
+
+      def secure?(options)
+        @secrets.size >= 1 ||
+          (options[:coder] && options[:let_coder_handle_secure_encoding])
+      end
+    end
+  end
+end

data/lib/rack/protection/encryptor.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Rack
+  module Protection
+    module Encryptor
+      CIPHER     = 'aes-256-gcm'
+      DELIMITER  = '--'
+
+      def self.base64_encode(str)
+        [str].pack('m0')
+      end
+
+      def self.base64_decode(str)
+        str.unpack1('m0')
+      end
+
+      def self.encrypt_message(data, secret, auth_data = '')
+        raise ArgumentError, 'data cannot be nil' if data.nil?
+
+        cipher = OpenSSL::Cipher.new(CIPHER)
+        cipher.encrypt
+        cipher.key = secret[0, cipher.key_len]
+
+        # Rely on OpenSSL for the initialization vector
+        iv = cipher.random_iv
+
+        # This must be set to properly use AES GCM for the OpenSSL module
+        cipher.auth_data = auth_data
+
+        cipher_text = cipher.update(data)
+        cipher_text << cipher.final
+
+        "#{base64_encode cipher_text}#{DELIMITER}#{base64_encode iv}#{DELIMITER}#{base64_encode cipher.auth_tag}"
+      end
+
+      def self.decrypt_message(data, secret)
+        return unless data
+
+        cipher = OpenSSL::Cipher.new(CIPHER)
+        cipher_text, iv, auth_tag = data.split(DELIMITER, 3).map! { |v| base64_decode(v) }
+
+        # This check is from ActiveSupport::MessageEncryptor
+        # see: https://github.com/ruby/openssl/issues/63
+        return if auth_tag.nil? || auth_tag.bytes.length != 16
+
+        cipher.decrypt
+        cipher.key = secret[0, cipher.key_len]
+        cipher.iv  = iv
+        cipher.auth_tag = auth_tag
+        cipher.auth_data = ''
+
+        decrypted_data = cipher.update(cipher_text)
+        decrypted_data << cipher.final
+        decrypted_data
+      rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
+        nil
+      end
+    end
+  end
+end

data/lib/rack/protection/escaped_params.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'tempfile'
@@ -15,8 +17,7 @@ module Rack
     # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
     #
     # Automatically escapes Rack::Request#params so they can be embedded in HTML
-    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
-    # strings if defined, to avoid double-escaping in Rails.
+    # or JavaScript without any further issues.
     #
     # Options:
     # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
@@ -29,8 +30,8 @@ module Rack
         public :escape_html
       end
 
-      default_options :escape => :html,
-        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
+      default_options escape: :html,
+                      escaper: defined?(EscapeUtils) ? EscapeUtils : self
 
       def initialize(*)
         super
@@ -41,15 +42,19 @@ module Rack
         @javascript = modes.include? :javascript
         @url        = modes.include? :url
 
-        if @javascript and not @escaper.respond_to? :escape_javascript
-          fail("Use EscapeUtils for JavaScript escaping.")
-        end
+        return unless @javascript && (!@escaper.respond_to? :escape_javascript)
+
+        raise('Use EscapeUtils for JavaScript escaping.')
       end
 
       def call(env)
         request  = Request.new(env)
         get_was  = handle(request.GET)
-        post_was = handle(request.POST) rescue nil
+        post_was = begin
+          handle(request.POST)
+        rescue StandardError
+          nil
+        end
         app.call env
       ensure
         request.GET.replace  get_was  if get_was
@@ -68,13 +73,12 @@ module Rack
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
         when Tempfile then object
-        else nil
         end
       end
 
       def escape_hash(hash)
         hash = hash.dup
-        hash.each { |k,v| hash[k] = escape(v) }
+        hash.each { |k, v| hash[k] = escape(v) }
         hash
       end
 

data/lib/rack/protection/form_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -16,7 +18,7 @@ module Rack
     # Compatible with rack-csrf.
     class FormToken < AuthenticityToken
       def accepts?(env)
-        env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super
+        env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' or super
       end
     end
   end

data/lib/rack/protection/frame_options.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -17,7 +19,7 @@ module Rack
     #                 frame. Use :deny to forbid any embedding, :sameorigin
     #                 to allow embedding from the same origin (default).
     class FrameOptions < Base
-      default_options :frame_options => :sameorigin
+      default_options frame_options: :sameorigin
 
       def frame_options
         @frame_options ||= begin

data/lib/rack/protection/http_origin.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -19,7 +21,7 @@ module Rack
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny
-      default_options :allow_if => nil
+      default_options allow_if: nil
 
       def base_url(env)
         request = Rack::Request.new(env)
@@ -29,19 +31,13 @@ module Rack
 
       def accepts?(env)
         return true if safe? env
-        return true unless origin = env['HTTP_ORIGIN']
+        return true unless (origin = env['HTTP_ORIGIN'])
         return true if base_url(env) == origin
-        return true if options[:allow_if] && options[:allow_if].call(env)
-
-        if options.key? :origin_whitelist
-          warn env, "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
-            "use permitted_origins instead.\n"
-        end
+        return true if options[:allow_if]&.call(env)
 
-        permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
+        permitted_origins = options[:permitted_origins]
         Array(permitted_origins).include? origin
       end
-
     end
   end
 end

data/lib/rack/protection/ip_spoofing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,9 +15,11 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
-        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
-        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
+        return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
+        return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
+
         true
       end
     end

data/lib/rack/protection/json_csrf.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -17,7 +19,7 @@ module Rack
     #
     # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
     class JsonCsrf < Base
-      default_options :allow_if => nil
+      default_options allow_if: nil
 
       alias react deny
 
@@ -36,8 +38,9 @@ module Rack
 
       def has_vector?(request, headers)
         return false if request.xhr?
-        return false if options[:allow_if] && options[:allow_if].call(request.env)
-        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        return false if options[:allow_if]&.call(request.env)
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
+
         origin(request.env).nil? and referrer(request.env) != request.host
       end
 

data/lib/rack/protection/path_traversal.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -11,11 +13,11 @@ module Rack
     # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
     class PathTraversal < Base
       def call(env)
-        path_was         = env["PATH_INFO"]
-        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
+        path_was         = env['PATH_INFO']
+        env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty?
         app.call env
       ensure
-        env["PATH_INFO"] = path_was
+        env['PATH_INFO'] = path_was
       end
 
       def cleanup(path)
@@ -29,12 +31,13 @@ module Rack
         unescaped = unescaped.gsub(backslash, slash)
 
         unescaped.split(slash).each do |part|
-          next if part.empty? or part == dot
+          next if part.empty? || (part == dot)
+
           part == '..' ? parts.pop : parts << part
         end
 
         cleaned = slash + parts.join(slash)
-        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
+        cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$})
         cleaned
       end
     end

data/lib/rack/protection/referrer_policy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,7 +15,7 @@ module Rack
     # Options:
     # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
     class ReferrerPolicy < Base
-      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+      default_options referrer_policy: 'strict-origin-when-cross-origin'
 
       def call(env)
         status, headers, body = @app.call(env)

data/lib/rack/protection/remote_referrer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack

data/lib/rack/protection/remote_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack

data/lib/rack/protection/session_hijacking.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,23 +15,22 @@ module Rack
     # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
-      default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT]
+      default_options tracking_key: :tracking,
+                      track: %w[HTTP_USER_AGENT]
 
       def accepts?(env)
         session = session env
         key     = options[:tracking_key]
         if session.include? key
-          session[key].all? { |k,v| v == encrypt(env[k]) }
+          session[key].all? { |k, v| v == encode(env[k]) }
         else
           session[key] = {}
-          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+          options[:track].each { |k| session[key][k] = encode(env[k]) }
         end
       end
 
-      def encrypt(value)
-        value = value.to_s.downcase
-        options[:encrypt_tracking] ? super(value) : value
+      def encode(value)
+        value.to_s.downcase
       end
     end
   end

data/lib/rack/protection/strict_transport.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -18,11 +20,11 @@ module Rack
     # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
 
     class StrictTransport < Base
-      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+      default_options max_age: 31_536_000, include_subdomains: false, preload: false
 
       def strict_transport
         @strict_transport ||= begin
-          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport = "max-age=#{options[:max_age]}"
           strict_transport += '; includeSubDomains' if options[:include_subdomains]
           strict_transport += '; preload' if options[:preload]
           strict_transport.to_str

data/lib/rack/protection/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
   module Protection
-    VERSION = '2.2.0'
+    VERSION = '3.1.0'
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -12,7 +14,7 @@ module Rack
     # Options:
     # xss_mode:: How the browser should prevent the attack (default: :block)
     class XSSHeader < Base
-      default_options :xss_mode => :block, :nosniff => true
+      default_options xss_mode: :block, nosniff: true
 
       def call(env)
         status, headers, body = @app.call(env)