rack-protection 2.2.2 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa9d7fd8b6dd44cfd54fd833a1679efedfccdf76619d0b01e0aa2057f2e8b586
-  data.tar.gz: f0541b4bf7e3cc865bdca886de807968787e90a26ca4fcd3ff3787496e64a9de
+  metadata.gz: 8762f8b7bc260c94e353c6c9eb9a24d3a0efe695cb5904f526a5a84094f567db
+  data.tar.gz: d3c7e05bf8bfea7c6b077025f330429f386b416bccce5ebfab2d91d0513e437b
 SHA512:
-  metadata.gz: 89f4d7bd2b9ee4a1e51fb9a7d9699f0d1d3881a82bb3b8813527f6ce8cce96274462fd502e8df4d5f6b21cbf2d79da9bd69bff6a4e6e7e289e69aa7cb4e18893
-  data.tar.gz: 381cdab10dffb59181caef1a80b46e9d584e1f20fa602843f1649164bbd16d44cbfd5ba5aef2ebd0a447e52fad7437644d29188e98b9998a19a4377abbc0051f
+  metadata.gz: 48b9fffade45349249d1122c3acc8618f2cb8ca05cde4ce1959b063899faad7c5c433bf6481518beedd0a0dd2ff28c878b1f5898fc3f21629ea39233fa747dc6
+  data.tar.gz: ec3176d39b37dfdd97b4d230f98251681a93c6dddcb17db4659c998d8f296dc9fc97808a9b732bbf055d0d2b0504f9696f541b6d6864983b214df94ceff636a5

data/Gemfile

@@ -1,13 +1,13 @@
-source "https://rubygems.org"
-# encoding: utf-8
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
 
 gem 'rake'
+gem 'rspec', '~> 3'
+gem 'rack-test'
 
 rack_version = ENV['rack'].to_s
-rack_version = nil if rack_version.empty? or rack_version == 'stable'
-rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+rack_version = nil if rack_version.empty? || (rack_version == 'stable')
+rack_version = { github: 'rack/rack' } if rack_version == 'head'
 gem 'rack', rack_version
-
-gem 'sinatra', path: '..'
-
-gemspec

data/README.md

@@ -69,11 +69,12 @@ Prevented by:
 
 Prevented by:
 
-* [`Rack::Protection::SessionHijacking`][session-hijacking]
+* [`Rack::Protection::SessionHijacking`][session-hijacking] (not included by `use Rack::Protection`)
 
 ## Cookie Tossing
 
 Prevented by:
+
 * [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
 
 ## IP Spoofing
@@ -95,6 +96,7 @@ Prevented by:
 # Instrumentation
 
 Instrumentation is enabled by passing in an instrumenter as an option.
+
 ```
 use Rack::Protection, instrumenter: ActiveSupport::Notifications
 ```

data/Rakefile

@@ -1,53 +1,55 @@
-# encoding: utf-8
-$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.expand_path('lib', __dir__)
 
 begin
   require 'bundler'
   Bundler::GemHelper.install_tasks
 rescue LoadError => e
-  $stderr.puts e
+  warn e
 end
 
-desc "run specs"
-task(:spec) { ruby '-S rspec spec' }
+desc 'run specs'
+task(:spec) { ruby '-S rspec' }
 
 namespace :doc do
   task :readmes do
     Dir.glob 'lib/rack/protection/*.rb' do |file|
       excluded_files = %w[lib/rack/protection/base.rb lib/rack/protection/version.rb]
       next if excluded_files.include?(file)
+
       doc  = File.read(file)[/^  module Protection(\n)+(    #[^\n]*\n)*/m].scan(/^ *#(?!#) ?(.*)\n/).join("\n")
-      file = "doc/#{file[4..-4].tr("/_", "-")}.rdoc"
-      Dir.mkdir "doc" unless File.directory? "doc"
+      file = "doc/#{file[4..-4].tr('/_', '-')}.rdoc"
+      Dir.mkdir 'doc' unless File.directory? 'doc'
       puts "writing #{file}"
-      File.open(file, "w") { |f| f << doc }
+      File.open(file, 'w') { |f| f << doc }
     end
   end
 
   task :index do
-    doc = File.read("README.md")
-    file = "doc/rack-protection-readme.md"
-    Dir.mkdir "doc" unless File.directory? "doc"
+    doc = File.read('README.md')
+    file = 'doc/rack-protection-readme.md'
+    Dir.mkdir 'doc' unless File.directory? 'doc'
     puts "writing #{file}"
-    File.open(file, "w") { |f| f << doc }
+    File.open(file, 'w') { |f| f << doc }
   end
 
-  task :all => [:readmes, :index]
+  task all: %i[readmes index]
 end
 
-desc "generate documentation"
-task :doc => 'doc:all'
+desc 'generate documentation'
+task doc: 'doc:all'
 
-desc "generate gemspec"
+desc 'generate gemspec'
 task 'rack-protection.gemspec' do
   require 'rack/protection/version'
   content = File.binread 'rack-protection.gemspec'
 
   # fetch data
   fields = {
-    :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
-    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
+    authors: `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+    email: ['mail@zzak.io', 'konstantin.haase@gmail.com'],
+    files: %w[License README.md Rakefile Gemfile rack-protection.gemspec] + Dir['lib/**/*']
   }
 
   # insert data
@@ -67,6 +69,6 @@ task 'rack-protection.gemspec' do
   File.open('rack-protection.gemspec', 'w') { |f| f << content }
 end
 
-task :gemspec => 'rack-protection.gemspec'
-task :default => :spec
-task :test    => :spec
+task gemspec: 'rack-protection.gemspec'
+task default: :spec
+task test: :spec

data/lib/rack/protection/authenticity_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'securerandom'
 require 'openssl'
@@ -17,7 +19,10 @@ module Rack
     # It checks the <tt>X-CSRF-Token</tt> header and the <tt>POST</tt> form
     # data.
     #
-    # Compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # It is not OOTB-compatible with the {rack-csrf}[https://rubygems.org/gems/rack_csrf] gem.
+    # For that, the following patch needs to be applied:
+    #
+    #   Rack::Protection::AuthenticityToken.default_options(key: "csrf.token", authenticity_param: "_csrf")
     #
     # == Options
     #
@@ -46,6 +51,7 @@ module Rack
     # Here is <tt>server.rb</tt>:
     #
     #   require 'rack/protection'
+    #   require 'rack/session'
     #
     #   app = Rack::Builder.app do
     #     use Rack::Session::Cookie, secret: 'secret'
@@ -92,12 +98,12 @@ module Rack
     class AuthenticityToken < Base
       TOKEN_LENGTH = 32
 
-      default_options :authenticity_param => 'authenticity_token',
-                      :key => :csrf,
-                      :allow_if => nil
+      default_options authenticity_param: 'authenticity_token',
+                      key: :csrf,
+                      allow_if: nil
 
       def self.token(session, path: nil, method: :post)
-        self.new(nil).mask_authenticity_token(session, path: path, method: method)
+        new(nil).mask_authenticity_token(session, path: path, method: method)
       end
 
       def self.random_token
@@ -111,8 +117,8 @@ module Rack
         safe?(env) ||
           valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
           valid_token?(env, Request.new(env).params[options[:authenticity_param]]) ||
-          ( options[:allow_if] && options[:allow_if].call(env) )
-      rescue
+          options[:allow_if]&.call(env)
+      rescue StandardError
         false
       end
 
@@ -120,10 +126,10 @@ module Rack
         set_token(session)
 
         token = if path && method
-          per_form_token(session, path, method)
-        else
-          global_token(session)
-        end
+                  per_form_token(session, path, method)
+                else
+                  global_token(session)
+                end
 
         mask_token(token)
       end
@@ -140,7 +146,7 @@ module Rack
       # Checks the client's masked token to see if it matches the
       # session token.
       def valid_token?(env, token)
-        return false if token.nil? || token.empty?
+        return false if token.nil? || !token.is_a?(String) || token.empty?
 
         session = session(env)
 
@@ -182,7 +188,7 @@ module Rack
         # value and decrypt it
         token_length = masked_token.length / 2
         one_time_pad = masked_token[0...token_length]
-        encrypted_token = masked_token[token_length..-1]
+        encrypted_token = masked_token[token_length..]
         xor_byte_strings(one_time_pad, encrypted_token)
       end
 
@@ -204,8 +210,7 @@ module Rack
 
       def compare_with_per_form_token(token, session, request)
         secure_compare(token,
-          per_form_token(session, request.path.chomp('/'), request.request_method)
-        )
+                       per_form_token(session, request.path.chomp('/'), request.request_method))
       end
 
       def real_token(session)
@@ -230,7 +235,7 @@ module Rack
 
       def token_hmac(session, identifier)
         OpenSSL::HMAC.digest(
-          OpenSSL::Digest::SHA256.new,
+          OpenSSL::Digest.new('SHA256'),
           real_token(session),
           identifier
         )

data/lib/rack/protection/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'digest'
@@ -8,12 +10,12 @@ module Rack
   module Protection
     class Base
       DEFAULT_OPTIONS = {
-        :reaction    => :default_reaction, :logging   => true,
-        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
-        :session_key => 'rack.session',    :status    => 403,
-        :allow_empty_referrer => true,
-        :report_key           => "protection.failed",
-        :html_types           => %w[text/html application/xhtml text/xml application/xml]
+        reaction: :default_reaction, logging: true,
+        message: 'Forbidden', encryptor: Digest::SHA1,
+        session_key: 'rack.session', status: 403,
+        allow_empty_referrer: true,
+        report_key: 'protection.failed',
+        html_types: %w[text/html application/xhtml text/xml application/xml]
       }
 
       attr_reader :app, :options
@@ -31,7 +33,8 @@ module Rack
       end
 
       def initialize(app, options = {})
-        @app, @options = app, default_options.merge(options)
+        @app = app
+        @options = default_options.merge(options)
       end
 
       def safe?(env)
@@ -52,24 +55,26 @@ module Rack
 
       def react(env)
         result = send(options[:reaction], env)
-        result if Array === result and result.size == 3
+        result if (Array === result) && (result.size == 3)
       end
 
       def warn(env, message)
         return unless options[:logging]
+
         l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
         l.warn(message)
       end
 
       def instrument(env)
-        return unless i = options[:instrumenter]
+        return unless (i = options[:instrumenter])
+
         env['rack.protection.attack'] = self.class.name.split('::').last.downcase
         i.instrument('rack.protection', env)
       end
 
       def deny(env)
         warn env, "attack prevented by #{self.class}"
-        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+        [options[:status], { 'content-type' => 'text/plain' }, [options[:message]]]
       end
 
       def report(env)
@@ -83,16 +88,24 @@ module Rack
 
       def session(env)
         return env[options[:session_key]] if session? env
-        fail "you need to set up a session middleware *before* #{self.class}"
+
+        raise "you need to set up a session middleware *before* #{self.class}"
       end
 
       def drop_session(env)
-        session(env).clear if session? env
+        return unless session? env
+
+        session(env).clear
+
+        return if ["1", "true"].include?(ENV["RACK_PROTECTION_SILENCE_DROP_SESSION_WARNING"])
+
+        warn env, "session dropped by #{self.class}"
       end
 
       def referrer(env)
         ref = env['HTTP_REFERER'].to_s
-        return if !options[:allow_empty_referrer] and ref.empty?
+        return if !options[:allow_empty_referrer] && ref.empty?
+
         URI.parse(ref).host || Request.new(env).host
       rescue URI::InvalidURIError
       end
@@ -102,7 +115,7 @@ module Rack
       end
 
       def random_string(secure = defined? SecureRandom)
-        secure ? SecureRandom.hex(16) : "%032x" % rand(2**128-1)
+        secure ? SecureRandom.hex(16) : '%032x' % rand((2**128) - 1)
       rescue NotImplementedError
         random_string false
       end
@@ -118,8 +131,9 @@ module Rack
       alias default_reaction deny
 
       def html?(headers)
-        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
-        options[:html_types].include? header.last[/^\w+\/\w+/]
+        return false unless (header = headers.detect { |k, _v| k.downcase == 'content-type' })
+
+        options[:html_types].include? header.last[%r{^\w+/\w+}]
       end
     end
   end

data/lib/rack/protection/content_security_policy.rb

@@ -1,4 +1,5 @@
-# -*- coding: utf-8 -*-
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -25,7 +26,7 @@ module Rack
     #               https://scotthelme.co.uk/csp-cheat-sheet/
     #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
     #
-    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    # Sets the 'content-security-policy[-report-only]' header.
     #
     # Options: ContentSecurityPolicy configuration is a complex topic with
     #          several levels of support that has evolved over time.
@@ -38,16 +39,16 @@ module Rack
     class ContentSecurityPolicy < Base
       default_options default_src: "'self'", report_only: false
 
-      DIRECTIVES = %i(base_uri child_src connect_src default_src
+      DIRECTIVES = %i[base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src
                       img_src manifest_src media_src object_src
                       plugin_types referrer reflected_xss report_to
                       report_uri require_sri_for sandbox script_src
                       style_src worker_src webrtc_src navigate_to
-                      prefetch_src).freeze
+                      prefetch_src].freeze
 
-      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
-                             upgrade_insecure_requests).freeze
+      NO_ARG_DIRECTIVES = %i[block_all_mixed_content disown_opener
+                             upgrade_insecure_requests].freeze
 
       def csp_policy
         directives = []
@@ -70,7 +71,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        header = options[:report_only] ? 'content-security-policy-report-only' : 'content-security-policy'
         headers[header] ||= csp_policy if html? headers
         [status, headers, body]
       end

data/lib/rack/protection/cookie_tossing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'pathname'
 
@@ -29,9 +31,8 @@ module Rack
         cookie_header = env['HTTP_COOKIE']
         cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
         cookies.each do |k, v|
-          if k == session_key && Array(v).size > 1
-            bad_cookies << k
-          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+          if (k == session_key && Array(v).size > 1) ||
+             (k != session_key && Rack::Utils.unescape(k) == session_key)
             bad_cookies << k
           end
         end
@@ -40,6 +41,7 @@ module Rack
 
       def remove_bad_cookies(request, response)
         return if bad_cookies.empty?
+
         paths = cookie_paths(request.path)
         bad_cookies.each do |name|
           paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
@@ -49,7 +51,7 @@ module Rack
       def redirect(env)
         request = Request.new(env)
         warn env, "attack prevented by #{self.class}"
-        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+        [302, { 'content-type' => 'text/html', 'location' => request.path }, []]
       end
 
       def bad_cookies
@@ -64,7 +66,7 @@ module Rack
       end
 
       def empty_cookie(host, path)
-        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+        { value: '', domain: host, path: path, expires: Time.at(0) }
       end
 
       def session_key

data/lib/rack/protection/escaped_params.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 require 'rack/utils'
 require 'tempfile'
@@ -15,8 +17,7 @@ module Rack
     # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
     #
     # Automatically escapes Rack::Request#params so they can be embedded in HTML
-    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
-    # strings if defined, to avoid double-escaping in Rails.
+    # or JavaScript without any further issues.
     #
     # Options:
     # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
@@ -29,8 +30,8 @@ module Rack
         public :escape_html
       end
 
-      default_options :escape => :html,
-        :escaper => defined?(EscapeUtils) ? EscapeUtils : self
+      default_options escape: :html,
+                      escaper: defined?(EscapeUtils) ? EscapeUtils : self
 
       def initialize(*)
         super
@@ -41,15 +42,19 @@ module Rack
         @javascript = modes.include? :javascript
         @url        = modes.include? :url
 
-        if @javascript and not @escaper.respond_to? :escape_javascript
-          fail("Use EscapeUtils for JavaScript escaping.")
-        end
+        return unless @javascript && (!@escaper.respond_to? :escape_javascript)
+
+        raise('Use EscapeUtils for JavaScript escaping.')
       end
 
       def call(env)
         request  = Request.new(env)
         get_was  = handle(request.GET)
-        post_was = handle(request.POST) rescue nil
+        post_was = begin
+          handle(request.POST)
+        rescue StandardError
+          nil
+        end
         app.call env
       ensure
         request.GET.replace  get_was  if get_was
@@ -68,13 +73,12 @@ module Rack
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
         when Tempfile then object
-        else nil
         end
       end
 
       def escape_hash(hash)
         hash = hash.dup
-        hash.each { |k,v| hash[k] = escape(v) }
+        hash.each { |k, v| hash[k] = escape(v) }
         hash
       end
 

data/lib/rack/protection/form_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -16,7 +18,7 @@ module Rack
     # Compatible with rack-csrf.
     class FormToken < AuthenticityToken
       def accepts?(env)
-        env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super
+        env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' or super
       end
     end
   end

data/lib/rack/protection/frame_options.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -17,7 +19,7 @@ module Rack
     #                 frame. Use :deny to forbid any embedding, :sameorigin
     #                 to allow embedding from the same origin (default).
     class FrameOptions < Base
-      default_options :frame_options => :sameorigin
+      default_options frame_options: :sameorigin
 
       def frame_options
         @frame_options ||= begin
@@ -29,7 +31,7 @@ module Rack
 
       def call(env)
         status, headers, body        = @app.call(env)
-        headers['X-Frame-Options'] ||= frame_options if html? headers
+        headers['x-frame-options'] ||= frame_options if html? headers
         [status, headers, body]
       end
     end

data/lib/rack/protection/http_origin.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -19,7 +21,7 @@ module Rack
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny
-      default_options :allow_if => nil
+      default_options allow_if: nil
 
       def base_url(env)
         request = Rack::Request.new(env)
@@ -29,19 +31,13 @@ module Rack
 
       def accepts?(env)
         return true if safe? env
-        return true unless origin = env['HTTP_ORIGIN']
+        return true unless (origin = env['HTTP_ORIGIN'])
         return true if base_url(env) == origin
-        return true if options[:allow_if] && options[:allow_if].call(env)
-
-        if options.key? :origin_whitelist
-          warn env, "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
-            "use permitted_origins instead.\n"
-        end
+        return true if options[:allow_if]&.call(env)
 
-        permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
+        permitted_origins = options[:permitted_origins]
         Array(permitted_origins).include? origin
       end
-
     end
   end
 end

data/lib/rack/protection/ip_spoofing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,9 +15,11 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
-        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
-        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
+        return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
+        return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
+
         true
       end
     end

data/lib/rack/protection/json_csrf.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -17,7 +19,7 @@ module Rack
     #
     # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
     class JsonCsrf < Base
-      default_options :allow_if => nil
+      default_options allow_if: nil
 
       alias react deny
 
@@ -36,8 +38,9 @@ module Rack
 
       def has_vector?(request, headers)
         return false if request.xhr?
-        return false if options[:allow_if] && options[:allow_if].call(request.env)
-        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        return false if options[:allow_if]&.call(request.env)
+        return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
+
         origin(request.env).nil? and referrer(request.env) != request.host
       end
 

data/lib/rack/protection/path_traversal.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -11,11 +13,11 @@ module Rack
     # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
     class PathTraversal < Base
       def call(env)
-        path_was         = env["PATH_INFO"]
-        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
+        path_was         = env['PATH_INFO']
+        env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty?
         app.call env
       ensure
-        env["PATH_INFO"] = path_was
+        env['PATH_INFO'] = path_was
       end
 
       def cleanup(path)
@@ -29,12 +31,13 @@ module Rack
         unescaped = unescaped.gsub(backslash, slash)
 
         unescaped.split(slash).each do |part|
-          next if part.empty? or part == dot
+          next if part.empty? || (part == dot)
+
           part == '..' ? parts.pop : parts << part
         end
 
         cleaned = slash + parts.join(slash)
-        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
+        cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$})
         cleaned
       end
     end

data/lib/rack/protection/referrer_policy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,11 +15,11 @@ module Rack
     # Options:
     # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
     class ReferrerPolicy < Base
-      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+      default_options referrer_policy: 'strict-origin-when-cross-origin'
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        headers['referrer-policy'] ||= options[:referrer_policy]
         [status, headers, body]
       end
     end

data/lib/rack/protection/remote_referrer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack

data/lib/rack/protection/remote_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack

data/lib/rack/protection/session_hijacking.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,23 +15,22 @@ module Rack
     # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
-      default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT]
+      default_options tracking_key: :tracking,
+                      track: %w[HTTP_USER_AGENT]
 
       def accepts?(env)
         session = session env
         key     = options[:tracking_key]
         if session.include? key
-          session[key].all? { |k,v| v == encrypt(env[k]) }
+          session[key].all? { |k, v| v == encode(env[k]) }
         else
           session[key] = {}
-          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+          options[:track].each { |k| session[key][k] = encode(env[k]) }
         end
       end
 
-      def encrypt(value)
-        value = value.to_s.downcase
-        options[:encrypt_tracking] ? super(value) : value
+      def encode(value)
+        value.to_s.downcase
       end
     end
   end

data/lib/rack/protection/strict_transport.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -18,11 +20,11 @@ module Rack
     # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
 
     class StrictTransport < Base
-      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+      default_options max_age: 31_536_000, include_subdomains: false, preload: false
 
       def strict_transport
         @strict_transport ||= begin
-          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport = "max-age=#{options[:max_age]}"
           strict_transport += '; includeSubDomains' if options[:include_subdomains]
           strict_transport += '; preload' if options[:preload]
           strict_transport.to_str
@@ -31,7 +33,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Strict-Transport-Security'] ||= strict_transport
+        headers['strict-transport-security'] ||= strict_transport
         [status, headers, body]
       end
     end

data/lib/rack/protection/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
   module Protection
-    VERSION = '2.2.1'
+    VERSION = '4.0.0'
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -12,12 +14,12 @@ module Rack
     # Options:
     # xss_mode:: How the browser should prevent the attack (default: :block)
     class XSSHeader < Base
-      default_options :xss_mode => :block, :nosniff => true
+      default_options xss_mode: :block, nosniff: true
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
-        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        headers['x-xss-protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['x-content-type-options'] ||= 'nosniff'                       if options[:nosniff]
         [status, headers, body]
       end
     end

data/lib/rack/protection.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection/version'
 require 'rack'
 
@@ -22,12 +24,11 @@ module Rack
     autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
-      # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
 
       if options.fetch(:without_session, false)
-        except += [:session_hijacking, :remote_token]
+        except += %i[remote_token]
       end
 
       Rack::Builder.new do
@@ -39,6 +40,7 @@ module Rack
         use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
         use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
         use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::SessionHijacking,      options if use_these.include? :session_hijacking
         use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
 
         # On by default, unless skipped
@@ -48,7 +50,6 @@ module Rack
         use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
         use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
         use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
         use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app

data/lib/rack-protection.rb

@@ -1 +1 @@
-require "rack/protection"
+require 'rack/protection'

data/lib/rack_protection.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'rack/protection'

data/rack-protection.gemspec

@@ -1,40 +1,44 @@
-version = File.read(File.expand_path("../../VERSION", __FILE__)).strip
+# frozen_string_literal: true
+
+version = File.read(File.expand_path('../VERSION', __dir__)).strip
 
 Gem::Specification.new do |s|
   # general infos
-  s.name        = "rack-protection"
+  s.name        = 'rack-protection'
   s.version     = version
-  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
-  s.homepage    = "http://sinatrarb.com/protection/"
-  s.summary     = s.description
+  s.description = 'Protect against typical web attacks, works with all Rack apps, including Rails'
+  s.homepage    = 'https://sinatrarb.com/protection/'
+  s.summary     = "#{s.description}."
   s.license     = 'MIT'
-  s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
-  s.email       = "sinatrarb@googlegroups.com"
-  s.files       = Dir["lib/**/*.rb"] + [
-    "License",
-    "README.md",
-    "Rakefile",
-    "Gemfile",
-    "rack-protection.gemspec"
+  s.authors     = ['https://github.com/sinatra/sinatra/graphs/contributors']
+  s.email       = 'sinatrarb@googlegroups.com'
+  s.files       = Dir['lib/**/*.rb'] + [
+    'License',
+    'README.md',
+    'Rakefile',
+    'Gemfile',
+    'rack-protection.gemspec'
   ]
 
-  if s.respond_to?(:metadata)
-    s.metadata = {
-      'source_code_uri'   => 'https://github.com/sinatra/sinatra/tree/master/rack-protection',
-      'homepage_uri'      => 'http://sinatrarb.com/protection/',
-      'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection'
-    }
-  else
-    raise <<-EOF
+  unless s.respond_to?(:metadata)
+    raise <<-WARN
 RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
   gem install rubygems-update
   update_rubygems:
   gem update --system
-EOF
+    WARN
   end
 
+  s.metadata = {
+    'source_code_uri' => 'https://github.com/sinatra/sinatra/tree/main/rack-protection',
+    'homepage_uri' => 'http://sinatrarb.com/protection/',
+    'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection',
+    'rubygems_mfa_required' => 'true'
+  }
+
+  s.required_ruby_version = '>= 2.7.8'
+
   # dependencies
-  s.add_dependency "rack"
-  s.add_development_dependency "rack-test"
-  s.add_development_dependency "rspec", "~> 3.6"
+  s.add_dependency 'base64', '>= 0.1.0'
+  s.add_dependency 'rack', '>= 3.0.0', '< 4'
 end

metadata

@@ -1,59 +1,51 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 4.0.0
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-23 00:00:00.000000000 Z
+date: 2024-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: base64
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
-  name: rack-test
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
+        version: 3.0.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '3.6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.6'
+        version: '4'
 description: Protect against typical web attacks, works with all Rack apps, including
-  Rails.
+  Rails
 email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
@@ -83,15 +75,17 @@ files:
 - lib/rack/protection/strict_transport.rb
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
+- lib/rack_protection.rb
 - rack-protection.gemspec
-homepage: http://sinatrarb.com/protection/
+homepage: https://sinatrarb.com/protection/
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
+  source_code_uri: https://github.com/sinatra/sinatra/tree/main/rack-protection
   homepage_uri: http://sinatrarb.com/protection/
   documentation_uri: https://www.rubydoc.info/gems/rack-protection
-post_install_message:
+  rubygems_mfa_required: 'true'
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -99,15 +93,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.7.8
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key:
+rubygems_version: 3.5.3
+signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including
   Rails.