rack-protection 3.2.0 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7640a15f8659807abd53474e7ce538a42e476e4bd99dc745f3b9b8c16161c008
-  data.tar.gz: '05468ec6c8113d3afce2df62221e4c866616999700c30ba3ef94a2705b11138b'
+  metadata.gz: 4c04192c3b3ef137443ac72495e4d948a544c1f7c7fd514f422045b870071b54
+  data.tar.gz: 5fc1d9022ef2d26e1c18dd56752883d3d99c6293fbd2a67708628bd414ab2f3f
 SHA512:
-  metadata.gz: eeaff5e584a8ee3be6c80dc92c67fcc95bdbb97b084509ed90ca9ad524598fba63690cfa372586edd27940cd609fa44210637e9c95fbf1191e1a5cc297f222ac
-  data.tar.gz: 26e2160d65b6015c7aaa52266b7241d15f645eb259d1371b864b3e2b6a3b1fbef841e62304bc8e39a83fab1a52ddb0c3455a51385a9a451c833cbed91b75d00a
+  metadata.gz: 26d822dde064625a3520d8bd95b0b2499e4d94d081e8943bfeb4283cab18fd0f70d98b7e5e3cdea5298a75edc70a0a5fc44444e5563fab90db179136901758b6
+  data.tar.gz: d9618b6af6ffc69006e8404a1dc18dc4bd082a516042f25d804613e67438a27830f81b3fc87f2f82d2c7ff5e6607d461e30117515bf2f0be9ea36a0ff094f28d

data/Gemfile

@@ -1,16 +1,13 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-# encoding: utf-8
+gemspec
 
 gem 'rake'
 gem 'rspec', '~> 3'
+gem 'rack-test'
 
 rack_version = ENV['rack'].to_s
 rack_version = nil if rack_version.empty? || (rack_version == 'stable')
 rack_version = { github: 'rack/rack' } if rack_version == 'head'
 gem 'rack', rack_version
-
-gemspec
-
-gem 'rack-test'

data/README.md

@@ -34,6 +34,10 @@ run MyApp
 
 # Prevented Attacks
 
+## DNS rebinding and other Host header attacks
+
+* [`Rack::Protection::HostAuthorization`][host-authorization] (not included by `use Rack::Protection`)
+
 ## Cross Site Request Forgery
 
 Prevented by:
@@ -69,7 +73,7 @@ Prevented by:
 
 Prevented by:
 
-* [`Rack::Protection::SessionHijacking`][session-hijacking]
+* [`Rack::Protection::SessionHijacking`][session-hijacking] (not included by `use Rack::Protection`)
 
 ## Cookie Tossing
 
@@ -109,6 +113,7 @@ The instrumenter is passed a namespace (String) and environment (Hash). The name
 [escaped-params]: http://www.sinatrarb.com/protection/escaped_params
 [form-token]: http://www.sinatrarb.com/protection/form_token
 [frame-options]: http://www.sinatrarb.com/protection/frame_options
+[host-authorization]: https://github.com/sinatra/sinatra/blob/main/rack-protection/lib/rack/protection/host_authorization.rb
 [http-origin]: http://www.sinatrarb.com/protection/http_origin
 [ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
 [json-csrf]: http://www.sinatrarb.com/protection/json_csrf

data/lib/rack/protection/authenticity_token.rb

@@ -46,14 +46,15 @@ module Rack
     # Install the gem, then run the program:
     #
     #   gem install 'rack-protection'
-    #   ruby server.rb
+    #   puma server.ru
     #
-    # Here is <tt>server.rb</tt>:
+    # Here is <tt>server.ru</tt>:
     #
     #   require 'rack/protection'
+    #   require 'rack/session'
     #
     #   app = Rack::Builder.app do
-    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Session::Cookie, secret: 'CHANGEMEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
     #     use Rack::Protection::AuthenticityToken
     #
     #     run -> (env) do
@@ -87,7 +88,7 @@ module Rack
     #     end
     #   end
     #
-    #   Rack::Handler::WEBrick.run app
+    #   run app
     #
     # == Example: Customize which POST parameter holds the token
     #

data/lib/rack/protection/base.rb

@@ -58,6 +58,13 @@ module Rack
         result if (Array === result) && (result.size == 3)
       end
 
+      def debug(env, message)
+        return unless options[:logging]
+
+        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
+        l.debug(message)
+      end
+
       def warn(env, message)
         return unless options[:logging]
 
@@ -74,7 +81,7 @@ module Rack
 
       def deny(env)
         warn env, "attack prevented by #{self.class}"
-        [options[:status], { 'Content-Type' => 'text/plain' }, [options[:message]]]
+        [options[:status], { 'content-type' => 'text/plain' }, [options[:message]]]
       end
 
       def report(env)

data/lib/rack/protection/content_security_policy.rb

@@ -26,7 +26,7 @@ module Rack
     #               https://scotthelme.co.uk/csp-cheat-sheet/
     #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
     #
-    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    # Sets the 'content-security-policy[-report-only]' header.
     #
     # Options: ContentSecurityPolicy configuration is a complex topic with
     #          several levels of support that has evolved over time.
@@ -71,7 +71,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        header = options[:report_only] ? 'content-security-policy-report-only' : 'content-security-policy'
         headers[header] ||= csp_policy if html? headers
         [status, headers, body]
       end

data/lib/rack/protection/cookie_tossing.rb

@@ -51,7 +51,7 @@ module Rack
       def redirect(env)
         request = Request.new(env)
         warn env, "attack prevented by #{self.class}"
-        [302, { 'Content-Type' => 'text/html', 'Location' => request.path }, []]
+        [302, { 'content-type' => 'text/html', 'location' => request.path }, []]
       end
 
       def bad_cookies

data/lib/rack/protection/frame_options.rb

@@ -31,7 +31,7 @@ module Rack
 
       def call(env)
         status, headers, body        = @app.call(env)
-        headers['X-Frame-Options'] ||= frame_options if html? headers
+        headers['x-frame-options'] ||= frame_options if html? headers
         [status, headers, body]
       end
     end

data/lib/rack/protection/host_authorization.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+require 'ipaddr'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   DNS rebinding and other Host header attacks
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/DNS_rebinding
+    #                      https://portswigger.net/web-security/host-header
+    #
+    # Blocks HTTP requests with an unrecognized hostname in any of the following
+    # HTTP headers: Host, X-Forwarded-Host, Forwarded
+    #
+    # If you want to permit a specific hostname, you can pass in as the `:permitted_hosts` option:
+    #
+    #     use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
+    class HostAuthorization < Base
+      DOT = '.'
+      PORT_REGEXP = /:\d+\z/.freeze
+      SUBDOMAINS = /[a-z0-9\-.]+/.freeze
+      private_constant :DOT,
+                       :PORT_REGEXP,
+                       :SUBDOMAINS
+      default_reaction :deny
+      default_options allow_if: nil,
+                      message: 'Host not permitted'
+
+      def initialize(*)
+        super
+        @permitted_hosts = []
+        @domain_hosts = []
+        @ip_hosts = []
+        @all_permitted_hosts = Array(options[:permitted_hosts])
+
+        @all_permitted_hosts.each do |host|
+          case host
+          when String
+            if host.start_with?(DOT)
+              domain = host[1..-1]
+              @permitted_hosts << domain.downcase
+              @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i
+            else
+              @permitted_hosts << host.downcase
+            end
+          when IPAddr then @ip_hosts << host
+          end
+        end
+      end
+
+      def accepts?(env)
+        return true if options[:allow_if]&.call(env)
+        return true if @all_permitted_hosts.empty?
+
+        request = Request.new(env)
+        origin_host = extract_host(request.host_authority)
+        forwarded_host = extract_host(request.forwarded_authority)
+
+        debug env, "#{self.class} " \
+                   "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \
+                   "@permitted_hosts=#{@permitted_hosts.inspect} " \
+                   "@domain_hosts=#{@domain_hosts.inspect} " \
+                   "@ip_hosts=#{@ip_hosts.inspect} " \
+                   "origin_host=#{origin_host.inspect} " \
+                   "forwarded_host=#{forwarded_host.inspect}"
+
+        if host_permitted?(origin_host)
+          if forwarded_host.nil?
+            true
+          else
+            host_permitted?(forwarded_host)
+          end
+        else
+          false
+        end
+      end
+
+      private
+
+      def extract_host(authority)
+        authority.to_s.split(PORT_REGEXP).first&.downcase
+      end
+
+      def host_permitted?(host)
+        exact_match?(host) || domain_match?(host) || ip_match?(host)
+      end
+
+      def exact_match?(host)
+        @permitted_hosts.include?(host)
+      end
+
+      def domain_match?(host)
+        return false if host.nil?
+        return false if host.start_with?(DOT)
+
+        @domain_hosts.any? { |domain_host| host.match?(domain_host) }
+      end
+
+      def ip_match?(host)
+        @ip_hosts.any? { |ip_host| ip_host.include?(host) }
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+    end
+  end
+end

data/lib/rack/protection/json_csrf.rb

@@ -39,7 +39,7 @@ module Rack
       def has_vector?(request, headers)
         return false if request.xhr?
         return false if options[:allow_if]&.call(request.env)
-        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
+        return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
 
         origin(request.env).nil? and referrer(request.env) != request.host
       end

data/lib/rack/protection/referrer_policy.rb

@@ -19,7 +19,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        headers['referrer-policy'] ||= options[:referrer_policy]
         [status, headers, body]
       end
     end

data/lib/rack/protection/strict_transport.rb

@@ -33,7 +33,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Strict-Transport-Security'] ||= strict_transport
+        headers['strict-transport-security'] ||= strict_transport
         [status, headers, body]
       end
     end

data/lib/rack/protection/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module Protection
-    VERSION = '3.2.0'
+    VERSION = '4.1.0'
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -18,8 +18,8 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
-        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        headers['x-xss-protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['x-content-type-options'] ||= 'nosniff'                       if options[:nosniff]
         [status, headers, body]
       end
     end

data/lib/rack/protection.rb

@@ -9,11 +9,10 @@ module Rack
     autoload :Base,                  'rack/protection/base'
     autoload :CookieTossing,         'rack/protection/cookie_tossing'
     autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
-    autoload :Encryptor,             'rack/protection/encryptor'
-    autoload :EncryptedCookie,       'rack/protection/encrypted_cookie'
     autoload :EscapedParams,         'rack/protection/escaped_params'
     autoload :FormToken,             'rack/protection/form_token'
     autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HostAuthorization,     'rack/protection/host_authorization'
     autoload :HttpOrigin,            'rack/protection/http_origin'
     autoload :IPSpoofing,            'rack/protection/ip_spoofing'
     autoload :JsonCsrf,              'rack/protection/json_csrf'
@@ -26,12 +25,11 @@ module Rack
     autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
-      # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
 
       if options.fetch(:without_session, false)
-        except += %i[session_hijacking remote_token]
+        except += %i[remote_token]
       end
 
       Rack::Builder.new do
@@ -43,6 +41,7 @@ module Rack
         use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
         use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
         use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::SessionHijacking,      options if use_these.include? :session_hijacking
         use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
 
         # On by default, unless skipped
@@ -52,7 +51,6 @@ module Rack
         use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
         use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
         use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
         use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app

data/rack-protection.gemspec

@@ -36,9 +36,10 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
     'rubygems_mfa_required' => 'true'
   }
 
-  s.required_ruby_version = '>= 2.6.0'
+  s.required_ruby_version = '>= 2.7.8'
 
   # dependencies
   s.add_dependency 'base64', '>= 0.1.0'
-  s.add_dependency 'rack', '~> 2.2', '>= 2.2.4'
+  s.add_dependency 'logger', '>= 1.6.0'
+  s.add_dependency 'rack', '>= 3.0.0', '< 4'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 4.1.0
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-29 00:00:00.000000000 Z
+date: 2024-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -25,25 +25,39 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.1.0
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: logger
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.4
+        version: 1.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: 1.6.0
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.4
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 description: Protect against typical web attacks, works with all Rack apps, including
   Rails
 email: sinatrarb@googlegroups.com
@@ -61,11 +75,10 @@ files:
 - lib/rack/protection/base.rb
 - lib/rack/protection/content_security_policy.rb
 - lib/rack/protection/cookie_tossing.rb
-- lib/rack/protection/encrypted_cookie.rb
-- lib/rack/protection/encryptor.rb
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
+- lib/rack/protection/host_authorization.rb
 - lib/rack/protection/http_origin.rb
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
@@ -95,14 +108,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 2.7.8
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including

data/lib/rack/protection/encrypted_cookie.rb

@@ -1,273 +0,0 @@
-# frozen_string_literal: true
-
-require 'openssl'
-require 'zlib'
-require 'json'
-require 'rack/request'
-require 'rack/response'
-require 'rack/session/abstract/id'
-
-module Rack
-  module Protection
-    # Rack::Protection::EncryptedCookie provides simple cookie based session management.
-    # By default, the session is a Ruby Hash stored as base64 encoded marshalled
-    # data set to :key (default: rack.session).  The object that encodes the
-    # session data is configurable and must respond to +encode+ and +decode+.
-    # Both methods must take a string and return a string.
-    #
-    # When the secret key is set, cookie data is checked for data integrity.
-    # The old_secret key is also accepted and allows graceful secret rotation.
-    # A legacy_hmac_secret is also accepted and is used to upgrade existing
-    # sessions to the new encryption scheme.
-    #
-    # There is also a legacy_hmac_coder option which can be set if a non-default
-    # coder was used for legacy session cookies.
-    #
-    # Example:
-    #
-    #     use Rack::Protection::EncryptedCookie,
-    #                                :key => 'rack.session',
-    #                                :domain => 'foo.com',
-    #                                :path => '/',
-    #                                :expire_after => 2592000,
-    #                                :secret => 'change_me',
-    #                                :old_secret => 'old_secret'
-    #
-    #     All parameters are optional.
-    #
-    # Example using legacy HMAC options
-    #
-    #   Rack::Protection:EncryptedCookie.new(application, {
-    #     # The secret used for legacy HMAC cookies
-    #     legacy_hmac_secret: 'legacy secret',
-    #     # legacy_hmac_coder will default to Rack::Protection::EncryptedCookie::Base64::Marshal
-    #     legacy_hmac_coder: Rack::Protection::EncryptedCookie::Identity.new,
-    #     # legacy_hmac will default to OpenSSL::Digest::SHA1
-    #     legacy_hmac: OpenSSL::Digest::SHA256
-    #   })
-    #
-    # Example of a cookie with no encoding:
-    #
-    #   Rack::Protection::EncryptedCookie.new(application, {
-    #     :coder => Rack::Protection::EncryptedCookie::Identity.new
-    #   })
-    #
-    # Example of a cookie with custom encoding:
-    #
-    #   Rack::Protection::EncryptedCookie.new(application, {
-    #     :coder => Class.new {
-    #       def encode(str); str.reverse; end
-    #       def decode(str); str.reverse; end
-    #     }.new
-    #   })
-    #
-    class EncryptedCookie < Rack::Session::Abstract::Persisted
-      # Encode session cookies as Base64
-      class Base64
-        def encode(str)
-          [str].pack('m0')
-        end
-
-        def decode(str)
-          str.unpack1('m')
-        end
-
-        # Encode session cookies as Marshaled Base64 data
-        class Marshal < Base64
-          def encode(str)
-            super(::Marshal.dump(str))
-          end
-
-          def decode(str)
-            return unless str
-
-            begin
-              ::Marshal.load(super(str))
-            rescue StandardError
-              nil
-            end
-          end
-        end
-
-        # N.B. Unlike other encoding methods, the contained objects must be a
-        # valid JSON composite type, either a Hash or an Array.
-        class JSON < Base64
-          def encode(obj)
-            super(::JSON.dump(obj))
-          end
-
-          def decode(str)
-            return unless str
-
-            begin
-              ::JSON.parse(super(str))
-            rescue StandardError
-              nil
-            end
-          end
-        end
-
-        class ZipJSON < Base64
-          def encode(obj)
-            super(Zlib::Deflate.deflate(::JSON.dump(obj)))
-          end
-
-          def decode(str)
-            return unless str
-
-            ::JSON.parse(Zlib::Inflate.inflate(super(str)))
-          rescue StandardError
-            nil
-          end
-        end
-      end
-
-      # Use no encoding for session cookies
-      class Identity
-        def encode(str); str; end
-        def decode(str); str; end
-      end
-
-      class Marshal
-        def encode(str)
-          ::Marshal.dump(str)
-        end
-
-        def decode(str)
-          ::Marshal.load(str) if str
-        end
-      end
-
-      attr_reader :coder
-
-      def initialize(app, options = {})
-        # Assume keys are hex strings and convert them to raw byte strings for
-        # actual key material
-        @secrets = options.values_at(:secret, :old_secret).compact.map do |secret|
-          [secret].pack('H*')
-        end
-
-        warn <<-MSG unless secure?(options)
-        SECURITY WARNING: No secret option provided to Rack::Protection::EncryptedCookie.
-        This poses a security threat. It is strongly recommended that you
-        provide a secret to prevent exploits that may be possible from crafted
-        cookies. This will not be supported in future versions of Rack, and
-        future versions will even invalidate your existing user cookies.
-
-        Called from: #{caller[0]}.
-        MSG
-
-        warn <<-MSG if @secrets.first && @secrets.first.length < 32
-        SECURITY WARNING: Your secret is not long enough. It must be at least
-        32 bytes long and securely random. To generate such a key for use
-        you can run the following command:
-
-        ruby -rsecurerandom -e 'p SecureRandom.hex(32)'
-
-        Called from: #{caller[0]}.
-        MSG
-
-        if options.key?(:legacy_hmac_secret)
-          @legacy_hmac = options.fetch(:legacy_hmac, OpenSSL::Digest::SHA1)
-
-          # Multiply the :digest_length: by 2 because this value is the length of
-          # the digest in bytes but session digest strings are encoded as hex
-          # strings
-          @legacy_hmac_length = @legacy_hmac.new.digest_length * 2
-          @legacy_hmac_secret = options[:legacy_hmac_secret]
-          @legacy_hmac_coder  = (options[:legacy_hmac_coder] ||= Base64::Marshal.new)
-        else
-          @legacy_hmac = false
-        end
-
-        # If encryption is used we can just use a default Marshal encoder
-        # without Base64 encoding the results.
-        #
-        # If no encryption is used, rely on the previous default (Base64::Marshal)
-        @coder = (options[:coder] ||= (@secrets.any? ? Marshal.new : Base64::Marshal.new))
-
-        super(app, options.merge!(cookie_only: true))
-      end
-
-      private
-
-      def find_session(req, _sid)
-        data = unpacked_cookie_data(req)
-        data = persistent_session_id!(data)
-        [data['session_id'], data]
-      end
-
-      def extract_session_id(request)
-        unpacked_cookie_data(request)['session_id']
-      end
-
-      def unpacked_cookie_data(request)
-        request.fetch_header(RACK_SESSION_UNPACKED_COOKIE_DATA) do |k|
-          session_data = cookie_data = request.cookies[@key]
-
-          # Try to decrypt with the first secret, if that returns nil, try
-          # with old_secret
-          unless @secrets.empty?
-            session_data = Rack::Protection::Encryptor.decrypt_message(cookie_data, @secrets.first)
-            session_data ||= Rack::Protection::Encryptor.decrypt_message(cookie_data, @secrets[1]) if @secrets.size > 1
-          end
-
-          # If session_data is still nil, are there is a legacy HMAC
-          # configured, try verify and parse the cookie that way
-          if !session_data && @legacy_hmac
-            digest = cookie_data.slice!(-@legacy_hmac_length..-1)
-            cookie_data.slice!(-2..-1) # remove double dash
-            session_data = cookie_data if digest_match?(cookie_data, digest)
-
-            # Decode using legacy HMAC decoder
-            request.set_header(k, @legacy_hmac_coder.decode(session_data) || {})
-          else
-            request.set_header(k, coder.decode(session_data) || {})
-          end
-        end
-      end
-
-      def persistent_session_id!(data, sid = nil)
-        data ||= {}
-        data['session_id'] ||= sid || generate_sid
-        data
-      end
-
-      def write_session(req, session_id, session, _options)
-        session = session.merge('session_id' => session_id)
-        session_data = coder.encode(session)
-
-        unless @secrets.empty?
-          session_data = Rack::Protection::Encryptor.encrypt_message(session_data, @secrets.first)
-        end
-
-        if session_data.size > (4096 - @key.size)
-          req.get_header(RACK_ERRORS).puts('Warning! Rack::Protection::EncryptedCookie data size exceeds 4K.')
-          nil
-        else
-          session_data
-        end
-      end
-
-      def delete_session(_req, _session_id, options)
-        # Nothing to do here, data is in the client
-        generate_sid unless options[:drop]
-      end
-
-      def digest_match?(data, digest)
-        return false unless data && digest
-
-        Rack::Utils.secure_compare(digest, generate_hmac(data))
-      end
-
-      def generate_hmac(data)
-        OpenSSL::HMAC.hexdigest(@legacy_hmac.new, @legacy_hmac_secret, data)
-      end
-
-      def secure?(options)
-        @secrets.size >= 1 ||
-          (options[:coder] && options[:let_coder_handle_secure_encoding])
-      end
-    end
-  end
-end

data/lib/rack/protection/encryptor.rb

@@ -1,62 +0,0 @@
-# frozen_string_literal: true
-
-require 'openssl'
-
-module Rack
-  module Protection
-    module Encryptor
-      CIPHER     = 'aes-256-gcm'
-      DELIMITER  = '--'
-
-      def self.base64_encode(str)
-        [str].pack('m0')
-      end
-
-      def self.base64_decode(str)
-        str.unpack1('m0')
-      end
-
-      def self.encrypt_message(data, secret, auth_data = '')
-        raise ArgumentError, 'data cannot be nil' if data.nil?
-
-        cipher = OpenSSL::Cipher.new(CIPHER)
-        cipher.encrypt
-        cipher.key = secret[0, cipher.key_len]
-
-        # Rely on OpenSSL for the initialization vector
-        iv = cipher.random_iv
-
-        # This must be set to properly use AES GCM for the OpenSSL module
-        cipher.auth_data = auth_data
-
-        cipher_text = cipher.update(data)
-        cipher_text << cipher.final
-
-        "#{base64_encode cipher_text}#{DELIMITER}#{base64_encode iv}#{DELIMITER}#{base64_encode cipher.auth_tag}"
-      end
-
-      def self.decrypt_message(data, secret)
-        return unless data
-
-        cipher = OpenSSL::Cipher.new(CIPHER)
-        cipher_text, iv, auth_tag = data.split(DELIMITER, 3).map! { |v| base64_decode(v) }
-
-        # This check is from ActiveSupport::MessageEncryptor
-        # see: https://github.com/ruby/openssl/issues/63
-        return if auth_tag.nil? || auth_tag.bytes.length != 16
-
-        cipher.decrypt
-        cipher.key = secret[0, cipher.key_len]
-        cipher.iv  = iv
-        cipher.auth_tag = auth_tag
-        cipher.auth_data = ''
-
-        decrypted_data = cipher.update(cipher_text)
-        decrypted_data << cipher.final
-        decrypted_data
-      rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
-        nil
-      end
-    end
-  end
-end