rack-protection 0.1.0

data/License

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Konstantin Haase
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,80 @@
+You should use protection!
+
+This gem protects against typical web attacks.
+Should work for all Rack apps, including Rails.
+
+# Usage
+
+Use all protections you probably want to use:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection
+run MyApp
+```
+
+Skip a single protection middleware:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection, :except => :path_traversal
+run MyApp
+```
+
+Use a single protection middleware:
+
+``` ruby
+# config.ru
+require 'rack/protection'
+use Rack::Protection::AuthenticityToken
+run MyApp
+```
+
+# Prevented Attacks
+
+## Cross Site Request Forgery
+
+Prevented by:
+
+* `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
+* `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
+* `Rack::Protection::JsonCsrf`
+* `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
+* `Rack::Protection::RemoteToken`
+## Cross Site Scripting
+
+Prevented by:
+
+* `Rack::Protection::EscapedParams`
+* `Rack::Protection::XssHeader` (Internet Explorer only)
+
+## Clickjacking
+
+Prevented by:
+
+* `Rack::Protection::FrameOptions`
+
+## Directory Traversal
+
+Prevented by:
+
+* `Rack::Protection::PathTraversal`
+
+## Session Hijacking
+
+Prevented by:
+
+* `Rack::Protection::SessionHijacking`
+
+## IP Spoofing
+
+
+Prevented by:
+
+* `Rack::Protection::IPSpoofing`
+
+# Installation
+
+    gem install rack-protection

data/Rakefile

@@ -0,0 +1,37 @@
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+
+begin
+  require 'bundler'
+  Bundler::GemHelper.install_tasks
+rescue LoadError => e
+  $stderr.puts e
+end
+
+desc "run specs"
+task(:spec) { ruby '-S rspec spec' }
+
+desc "generate gemspec"
+task 'rack-protection.gemspec' do
+  require 'rack/protection/version'
+  content = File.read 'rack-protection.gemspec'
+
+  fields = {
+    :authors => `git shortlog -sn`.scan(/[^\d\s].*/),
+    :email   => `git shortlog -sne`.scan(/[^<]+@[^>]+/),
+    :files   => `git ls-files`.split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+  }
+
+  fields.each do |field, values|
+    updated = "  s.#{field} = ["
+    updated << values.map { |v| "\n    %p" % v }.join(',')
+    updated << "\n  ]"
+    content.sub!(/  s\.#{field} = \[\n(    .*\n)*  \]/, updated)
+  end
+
+  content.sub! /(s\.version.*=\s+).*/, "\\1\"#{Rack::Protection::VERSION}\""
+  File.open('rack-protection.gemspec', 'w') { |f| f << content }
+end
+
+task :gemspec => 'rack-protection.gemspec'
+task :default => :spec
+task :test    => :spec

data/lib/rack-protection.rb

@@ -0,0 +1 @@
+require "rack/protection"

data/lib/rack/protection.rb

@@ -0,0 +1,35 @@
+require 'rack/protection/version'
+require 'rack'
+
+module Rack
+  module Protection
+    autoload :AuthenticityToken, 'rack/protection/authenticity_token'
+    autoload :Base,              'rack/protection/base'
+    autoload :EscapedParams,     'rack/protection/escaped_params'
+    autoload :FormToken,         'rack/protection/form_token'
+    autoload :FrameOptions,      'rack/protection/frame_options'
+    autoload :IPSpoofing,        'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,          'rack/protection/json_csrf'
+    autoload :PathTraversal,     'rack/protection/path_traversal'
+    autoload :RemoteReferrer,    'rack/protection/remote_referrer'
+    autoload :RemoteToken,       'rack/protection/remote_token'
+    autoload :SessionHijacking,  'rack/protection/session_hijacking'
+    autoload :XSSHeader,         'rack/protection/xss_header'
+
+    def self.new(app, options = {})
+      # does not include: RemoteReferrer, AuthenticityToken and FormToken
+      except = Array options[:except]
+      Rack::Builder.new do
+        use EscapedParams,    options unless except.include? :escaped_params
+        use FrameOptions,     options unless except.include? :frame_options
+        use IPSpoofing,       options unless except.include? :ip_spoofing
+        use JsonCsrf,         options unless except.include? :json_csrf
+        use PathTraversal,    options unless except.include? :path_traversal
+        use RemoteToken,      options unless except.include? :remote_token
+        use SessionHijacking, options unless except.include? :session_hijacking
+        use XSSHeader,        options unless except.include? :xss_header
+        run app
+      end.to_app
+    end
+  end
+end

data/lib/rack/protection/authenticity_token.rb

@@ -0,0 +1,24 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session.
+    #
+    # Compatible with Rails and rack-csrf.
+    class AuthenticityToken < Base
+      def accepts?(env)
+        return true if safe? env
+        session = session env
+        token   = session[:csrf] ||= session['_csrf_token'] || random_string
+        env['HTTP_X_CSRF_TOKEN'] == token or
+          Request.new(env).params['authenticity_token'] == token
+      end
+    end
+  end
+end

data/lib/rack/protection/base.rb

@@ -0,0 +1,97 @@
+require 'rack/protection'
+require 'digest'
+require 'logger'
+require 'uri'
+
+module Rack
+  module Protection
+    class Base
+      DEFAULT_OPTIONS = {
+        :reaction    => :default_reaction, :logging   => true,
+        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
+        :session_key => 'rack.session',    :status    => 403,
+        :allow_empty_referrer => true
+      }
+
+      attr_reader :app, :options
+
+      def self.default_options(options)
+        define_method(:default_options) { super().merge(options) }
+      end
+
+      def self.default_reaction(reaction)
+        alias_method(:default_reaction, reaction)
+      end
+
+      def default_options
+        DEFAULT_OPTIONS
+      end
+
+      def initialize(app, options = {})
+        @app, @options = app, default_options.merge(options)
+      end
+
+      def safe?(env)
+        %w[GET HEAD OPTIONS TRACE].include? env['REQUEST_METHOD']
+      end
+
+      def accepts?(env)
+        raise NotImplementedError, "#{self.class} implementation pending"
+      end
+
+      def call(env)
+        unless accepts? env
+          warn env, "attack prevented by #{self.class}"
+          result = react env
+        end
+        result or app.call(env)
+      end
+
+      def react(env)
+        result = send(options[:reaction], env)
+        result if Array === result and result.size == 3
+      end
+
+      def warn(env, message)
+        return unless options[:logging]
+        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
+        l.warn(message)
+      end
+
+      def deny(env)
+        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
+      end
+
+      def session?(env)
+        env.include? options[:session_key]
+      end
+
+      def session(env)
+        return env[options[:session_key]] if session? env
+        fail "you need to set up a session middleware *before* #{self.class}"
+      end
+
+      def drop_session(env)
+        session(env).clear if session? env
+      end
+
+      def referrer(env)
+        ref = env['HTTP_REFERER'].to_s
+        return if !options[:allow_empty_referrer] and ref.empty?
+        URI.parse(ref).host || Request.new(env).host
+      end
+
+      def random_string(secure = defined? SecureRandom)
+        secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
+      rescue NotImpelentedError
+        random_string false
+      end
+
+      def encrypt(value)
+        options[:encryptor].hexdigest value.to_s
+      end
+
+      alias default_reaction deny
+    end
+  end
+end

data/lib/rack/protection/escaped_params.rb

@@ -0,0 +1,61 @@
+require 'rack/protection'
+require 'escape_utils'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
+    #
+    # Automatically escapes Rack::Request#params so they can be embedded in HTML
+    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
+    # strings if defined, to avoid double-escaping in Rails.
+    #
+    # Options:
+    # escape:: What escaping modes to use, should be Symbol or Array of Symbols.
+    #          Available: :html (default), :javascript, :url
+    class EscapedParams < Base
+      default_options :escape => :html
+
+      def initialize(*)
+        super
+        modes = Array options[:escape]
+        code  = "def self.escape_string(str) %s end"
+        modes.each { |m| code %= "EscapeUtils.escape_#{m}(%s)"}
+        eval code % 'str'
+      end
+
+      def call(env)
+        request  = Request.new(env)
+        get_was  = handle(request.GET)
+        post_was = handle(request.POST) rescue nil
+        app.call env
+      ensure
+        request.GET.replace get_was
+        request.POST.replace post_was if post_was
+      end
+
+      def handle(hash)
+        was = hash.dup
+        hash.replace escape(hash)
+        was
+      end
+
+      def escape(object)
+        case object
+        when Hash   then escape_hash(object)
+        when Array  then object.map { |o| escape(o) }
+        when String then escape_string(object)
+        else raise ArgumentError, "cannot escape #{object.inspect}"
+        end
+      end
+
+      def escape_hash(hash)
+        hash = hash.dup
+        hash.each { |k,v| hash[k] = escape(v) }
+        hash
+      end
+    end
+  end
+end

data/lib/rack/protection/form_token.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts submitted forms if a given access token matches the token
+    # included in the session. Does not expect such a token from Ajax request.
+    #
+    # This middleware is not used when using the Rack::Protection collection,
+    # since it might be a security issue, depending on your application
+    #
+    # Compatible with Rails and rack-csrf.
+    class FormToken < AuthenticityToken
+      def accepts?(env)
+        env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" or super
+      end
+    end
+  end
+end

data/lib/rack/protection/frame_options.rb

@@ -0,0 +1,26 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Clickjacking
+    # Supported browsers:: Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
+    #                      Safari 4.0, Chrome 4.1.249.1042 and later
+    # More infos::         https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+    #
+    # Sets X-Frame-Options header to tell the browser avoid embedding the page
+    # in a frame.
+    #
+    # Options:
+    #
+    # frame_options:: Defines who should be allowed to embed the page in a
+    #                 frame. Use :deny to forbid any embedding, :sameorigin
+    #                 to allow embedding from the same origin (default).
+    class FrameOptions < XSSHeader
+      default_options :frame_options => :sameorigin
+      def header
+        { 'X-Frame-Options' => options[:frame_options].to_s }
+      end
+    end
+  end
+end

data/lib/rack/protection/ip_spoofing.rb

@@ -0,0 +1,23 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   IP spoofing
+    # Supported browsers:: all
+    # More infos::         http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/
+    #
+    # Detect (some) IP spoofing attacks.
+    class IPSpoofing < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        return true unless env.include? 'HTTP_X_FORWARDED_FOR'
+        ips = env['HTTP_X_FORWARDED_FOR'].split /\s*,\s*/
+        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
+        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+        true
+      end
+    end
+  end
+end

data/lib/rack/protection/json_csrf.rb

@@ -0,0 +1,25 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://flask.pocoo.org/docs/security/#json-security
+    #
+    # JSON GET APIs are volnurable to being embedded as JavaScript while the
+    # Array prototype has been patched to track data. Checks the referrer
+    # even on GET requests if the content type is JSON.
+    class JsonCsrf < Base
+      default_reaction :deny
+
+      def call(env)
+        status, headers, body = app.call(env)
+        if headers['Content-Type'].to_s.split(';', 2).first.strip == 'application/json'
+          result = react(env) if referrer(env) != Request.new(env).host
+        end
+        result or [status, headers, body]
+      end
+    end
+  end
+end