rack-protection 1.2.0 → 1.3.1

data/README.md

@@ -43,12 +43,13 @@ Prevented by:
 * `Rack::Protection::JsonCsrf`
 * `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
 * `Rack::Protection::RemoteToken`
+* `Rack::Protection::HttpOrigin`
 
 ## Cross Site Scripting
 
 Prevented by:
 
-* `Rack::Protection::EscapedParams`
+* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
 * `Rack::Protection::XssHeader` (Internet Explorer only)
 
 ## Clickjacking
@@ -79,24 +80,3 @@ Prevented by:
 
     gem install rack-protection
 
-# History
-
-## v0.1.0 (2011/06/20)
-
-First public release.
-
-## v1.0.0 (2011/09/02)
-
-First stable release.
-
-Changes:
-
-* Fix bug in JsonCsrf
-
-## v1.1.0 (2011/09/03)
-
-Second public release.
-
-Changes:
-
-* Dependency on `escape_utils` is now optional

data/lib/rack/protection.rb

@@ -8,6 +8,7 @@ module Rack
     autoload :EscapedParams,     'rack/protection/escaped_params'
     autoload :FormToken,         'rack/protection/form_token'
     autoload :FrameOptions,      'rack/protection/frame_options'
+    autoload :HttpOrigin,        'rack/protection/http_origin'
     autoload :IPSpoofing,        'rack/protection/ip_spoofing'
     autoload :JsonCsrf,          'rack/protection/json_csrf'
     autoload :PathTraversal,     'rack/protection/path_traversal'
@@ -21,6 +22,7 @@ module Rack
       except = Array options[:except]
       Rack::Builder.new do
         use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
         use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
         use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
         use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal

data/lib/rack/protection/base.rb

@@ -10,7 +10,8 @@ module Rack
         :reaction    => :default_reaction, :logging   => true,
         :message     => 'Forbidden',       :encryptor => Digest::SHA1,
         :session_key => 'rack.session',    :status    => 403,
-        :allow_empty_referrer => true
+        :allow_empty_referrer => true,
+        :html_types           => %w[text/html application/xhtml]
       }
 
       attr_reader :app, :options
@@ -81,6 +82,10 @@ module Rack
         URI.parse(ref).host || Request.new(env).host
       end
 
+      def origin(env)
+        env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
+      end
+
       def random_string(secure = defined? SecureRandom)
         secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
       rescue NotImplementedError
@@ -92,6 +97,11 @@ module Rack
       end
 
       alias default_reaction deny
+
+      def html?(headers)
+        return false unless header = headers.detect { |k,v| k.downcase == 'content-type' }
+        options[:html_types].include? header.last[/^\w+\/\w+/]
+      end
     end
   end
 end

data/lib/rack/protection/escaped_params.rb

@@ -66,7 +66,7 @@ module Rack
         when Hash   then escape_hash(object)
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
-        else raise ArgumentError, "cannot escape #{object.inspect}"
+        else nil
         end
       end
 

data/lib/rack/protection/frame_options.rb

@@ -18,8 +18,13 @@ module Rack
     #                 to allow embedding from the same origin (default).
     class FrameOptions < XSSHeader
       default_options :frame_options => :sameorigin
+
       def header
-        { 'X-Frame-Options' => options[:frame_options].to_s }
+        @header ||= begin
+          frame_options = options[:frame_options]
+          frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
+          { 'X-Frame-Options' => frame_options.to_str }
+        end
       end
     end
   end

data/lib/rack/protection/http_origin.rb

@@ -0,0 +1,32 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: Google Chrome 2, Safari 4 and later
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #                      http://tools.ietf.org/html/draft-abarth-origin
+    #
+    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
+    # does not match default or whitelisted URIs.
+    class HttpOrigin < Base
+      default_reaction :deny
+
+      def accepts?(env)
+        # only for unsafe request methods
+        safe?(env) and return true
+        # ignore if origin is not set
+        origin = env['HTTP_ORIGIN'] or return true
+
+        # check base url
+        Request.new(env).base_url == origin and return true
+
+        # check whitelist
+        options[:origin_whitelist] or return false
+        options[:origin_whitelist].include?(origin)
+      end
+
+    end
+  end
+end

data/lib/rack/protection/json_csrf.rb

@@ -16,7 +16,7 @@ module Rack
       def call(env)
         status, headers, body = app.call(env)
         if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
-          if referrer(env) != Request.new(env).host
+          if origin(env).nil? and referrer(env) != Request.new(env).host
             result = react(env)
             warn env, "attack prevented by #{self.class}"
           end

data/lib/rack/protection/path_traversal.rb

@@ -12,7 +12,7 @@ module Rack
     class PathTraversal < Base
       def call(env)
         path_was         = env["PATH_INFO"]
-        env["PATH_INFO"] = cleanup path_was if path_was
+        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
         app.call env
       ensure
         env["PATH_INFO"] = path_was

data/lib/rack/protection/session_hijacking.rb

@@ -28,7 +28,8 @@ module Rack
       end
 
       def encrypt(value)
-        options[:encrypt_tracking] ? super(value) : value.to_s
+        value = value.to_s.downcase
+        options[:encrypt_tracking] ? super(value) : value
       end
     end
   end

data/lib/rack/protection/version.rb

@@ -4,7 +4,7 @@ module Rack
       VERSION
     end
 
-    SIGNATURE = [1, 2, 0]
+    SIGNATURE = [1, 3, 1]
     VERSION   = SIGNATURE.join('.')
 
     VERSION.extend Comparable

data/lib/rack/protection/xss_header.rb

@@ -12,15 +12,21 @@ module Rack
     # Options:
     # xss_mode:: How the browser should prevent the attack (default: :block)
     class XSSHeader < Base
-      default_options :xss_mode => :block
+      default_options :xss_mode => :block, :nosniff => true
 
       def header
-        { 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
+        headers = {
+          'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
+          'X-Content-Type-Options' => "nosniff"
+        }
+        headers.delete("X-Content-Type-Options") unless options[:nosniff]
+        headers
       end
 
       def call(env)
         status, headers, body = @app.call(env)
-        [status, header.merge(headers), body]
+        headers = header.merge(headers) if options[:nosniff] and html?(headers)
+        [status, headers, body]
       end
     end
   end

data/rack-protection.gemspec

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "1.2.0"
+  s.version     = "1.3.1"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description
@@ -10,21 +10,39 @@ Gem::Specification.new do |s|
   # generated from git shortlog -sn
   s.authors = [
     "Konstantin Haase",
-    "Akzhan Abdulin",
+    "Alex Rodionov",
+    "Chris Heald",
+    "Chris Mytton",
     "Corey Ward",
     "David Kellum",
     "Fojas",
-    "Martin Mauch"
+    "Mael Clerambault",
+    "Martin Mauch",
+    "SAKAI, Kazuaki",
+    "Stanislav Savulchik",
+    "Steve Agalloco",
+    "Akzhan Abdulin",
+    "TOBY",
+    "Bjørge Næss"
   ]
 
   # generated from git shortlog -sne
   s.email = [
     "konstantin.mailinglists@googlemail.com",
-    "akzhan.abdulin@gmail.com",
+    "p0deje@gmail.com",
+    "cheald@gmail.com",
+    "self@hecticjeff.net",
     "coreyward@me.com",
     "dek-oss@gravitext.com",
     "developer@fojasaur.us",
-    "martin.mauch@gmail.com"
+    "mael@clerambault.fr",
+    "martin.mauch@gmail.com",
+    "kaz.july.7@gmail.com",
+    "s.savulchik@gmail.com",
+    "steve.agalloco@gmail.com",
+    "akzhan.abdulin@gmail.com",
+    "toby.net.info.mail+git@gmail.com",
+    "bjoerge@bengler.no"
   ]
 
   # generated from git ls-files
@@ -39,6 +57,7 @@ Gem::Specification.new do |s|
     "lib/rack/protection/escaped_params.rb",
     "lib/rack/protection/form_token.rb",
     "lib/rack/protection/frame_options.rb",
+    "lib/rack/protection/http_origin.rb",
     "lib/rack/protection/ip_spoofing.rb",
     "lib/rack/protection/json_csrf.rb",
     "lib/rack/protection/path_traversal.rb",
@@ -52,6 +71,7 @@ Gem::Specification.new do |s|
     "spec/escaped_params_spec.rb",
     "spec/form_token_spec.rb",
     "spec/frame_options_spec.rb",
+    "spec/http_origin_spec.rb",
     "spec/ip_spoofing_spec.rb",
     "spec/json_csrf_spec.rb",
     "spec/path_traversal_spec.rb",

data/spec/escaped_params_spec.rb

@@ -30,5 +30,15 @@ describe Rack::Protection::EscapedParams do
       get '/', :foo => {:bar => "<bar>"}
       body.should == '&lt;bar&gt;'
     end
+
+    it 'leaves cache-breaker params untouched' do
+      mock_app do |env|
+        request = Rack::Request.new(env)
+        [200, {'Content-Type' => 'text/plain'}, ['hi']]
+      end
+
+      get '/?95df8d9bf5237ad08df3115ee74dcb10'
+      body.should == 'hi'
+    end
   end
 end

data/spec/frame_options_spec.rb

@@ -3,8 +3,12 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 describe Rack::Protection::FrameOptions do
   it_behaves_like "any rack application"
 
-  it 'should set the X-XSS-Protection' do
-    get('/').headers["X-Frame-Options"].should == "sameorigin"
+  it 'should set the X-Frame-Options' do
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN"
+  end
+
+  it 'should not set the X-Frame-Options for other content types' do
+    get('/', {}, 'wants' => 'text/foo').headers["X-Frame-Options"].should be_nil
   end
 
   it 'should allow changing the protection mode' do
@@ -14,11 +18,22 @@ describe Rack::Protection::FrameOptions do
       run DummyApp
     end
 
-    get('/').headers["X-Frame-Options"].should == "deny"
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
+  end
+
+
+  it 'should allow changing the protection mode to a string' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
+      run DummyApp
+    end
+
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
   end
 
   it 'should not override the header if already set' do
     mock_app with_headers("X-Frame-Options" => "allow")
-    get('/').headers["X-Frame-Options"].should == "allow"
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "allow"
   end
 end

data/spec/http_origin_spec.rb

@@ -0,0 +1,38 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::HttpOrigin do
+  it_behaves_like "any rack application"
+
+  before(:each) do
+    mock_app do
+      use Rack::Protection::HttpOrigin
+      run DummyApp
+    end
+  end
+
+  %w(GET HEAD POST PUT DELETE).each do |method|
+    it "accepts #{method} requests with no Origin" do
+      send(method.downcase, '/').should be_ok
+    end
+  end
+
+  %w(GET HEAD).each do |method|
+    it "accepts #{method} requests with non-whitelisted Origin" do
+      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should be_ok
+    end
+  end
+
+  %w(POST PUT DELETE).each do |method|
+    it "denies #{method} requests with non-whitelisted Origin" do
+      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should_not be_ok
+    end
+
+    it "accepts #{method} requests with whitelisted Origin" do
+      mock_app do
+        use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
+        run DummyApp
+      end
+      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com').should be_ok
+    end
+  end
+end

data/spec/json_csrf_spec.rb

@@ -12,6 +12,14 @@ describe Rack::Protection::JsonCsrf do
       get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
     end
 
+    it "accepts requests with json responses with a remote referrer when there's an origin header set" do
+      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
+    end
+
+    it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
+      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com').should be_ok
+    end
+
     it "accepts get requests with json responses with a local referrer" do
       get('/', {}, 'HTTP_REFERER' => '/').should be_ok
     end

data/spec/protection_spec.rb

@@ -17,4 +17,21 @@ describe Rack::Protection do
     get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
     session.should be_empty
   end
+
+  describe "#html?" do
+    context "given an appropriate content-type header" do
+      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
+      it { should be_true }
+    end
+
+    context "given an inappropriate content-type header" do
+      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "image/gif" }
+      it { should be_false }
+    end
+
+    context "given no content-type header" do
+      subject { Rack::Protection::Base.new(nil).html?({}) }
+      it { should be_false }
+    end
+  end
 end

data/spec/session_hijacking_spec.rb

@@ -31,6 +31,20 @@ describe Rack::Protection::SessionHijacking do
     session.should be_empty
   end
 
+  it "accepts requests with the same Accept-Language header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    session.should_not be_empty
+  end
+
+  it "comparison of Accept-Language header is not case sensitive" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
+    session.should_not be_empty
+  end
+
   it "accepts requests with a changing Version header"do
     session = {:foo => :bar}
     get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'

data/spec/spec_helper.rb

@@ -24,7 +24,8 @@ end
 module DummyApp
   def self.call(env)
     Thread.current[:last_env] = env
-    [200, {'Content-Type' => 'text/plain'}, ['ok']]
+    body = (env['REQUEST_METHOD'] == 'HEAD' ? '' : 'ok')
+    [200, {'Content-Type' => env['wants'] || 'text/plain'}, [body]]
   end
 end
 

data/spec/xss_header_spec.rb

@@ -4,7 +4,15 @@ describe Rack::Protection::XSSHeader do
   it_behaves_like "any rack application"
 
   it 'should set the X-XSS-Protection' do
-    get('/').headers["X-XSS-Protection"].should == "1; mode=block"
+    get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"].should == "1; mode=block"
+  end
+
+  it 'should set the X-XSS-Protection for XHTML' do
+    get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"].should == "1; mode=block"
+  end
+
+  it 'should not set the X-XSS-Protection for other content types' do
+    get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"].should be_nil
   end
 
   it 'should allow changing the protection mode' do
@@ -14,11 +22,29 @@ describe Rack::Protection::XSSHeader do
       run DummyApp
     end
 
-    get('/').headers["X-XSS-Protection"].should == "1; mode=foo"
+    get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"].should == "1; mode=foo"
   end
 
   it 'should not override the header if already set' do
     mock_app with_headers("X-XSS-Protection" => "0")
-    get('/').headers["X-XSS-Protection"].should == "0"
+    get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"].should == "0"
+  end
+
+  it 'should set the X-Content-Type-Options' do
+    get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+  it 'should allow changing the nosniff-mode off' do
+    mock_app do
+      use Rack::Protection::XSSHeader, :nosniff => false
+      run DummyApp
+    end
+
+    get('/').headers["X-Content-Type-Options"].should be_nil
+  end
+
+  it 'should not override the header if already set X-Content-Type-Options' do
+    mock_app with_headers("X-Content-Type-Options" => "sniff")
+    get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"].should == "sniff"
   end
 end

metadata

@@ -1,24 +1,33 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.1
   prerelease: 
 platform: ruby
 authors:
 - Konstantin Haase
-- Akzhan Abdulin
+- Alex Rodionov
+- Chris Heald
+- Chris Mytton
 - Corey Ward
 - David Kellum
 - Fojas
+- Mael Clerambault
 - Martin Mauch
+- SAKAI, Kazuaki
+- Stanislav Savulchik
+- Steve Agalloco
+- Akzhan Abdulin
+- TOBY
+- Bjørge Næss
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-30 00:00:00.000000000 Z
+date: 2012-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
-  requirement: &2153091280 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -26,10 +35,15 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2153091280
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &2153090800 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -37,10 +51,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2153090800
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &2153090140 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -48,15 +67,29 @@ dependencies:
         version: '2.0'
   type: :development
   prerelease: false
-  version_requirements: *2153090140
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
-- akzhan.abdulin@gmail.com
+- p0deje@gmail.com
+- cheald@gmail.com
+- self@hecticjeff.net
 - coreyward@me.com
 - dek-oss@gravitext.com
 - developer@fojasaur.us
+- mael@clerambault.fr
 - martin.mauch@gmail.com
+- kaz.july.7@gmail.com
+- s.savulchik@gmail.com
+- steve.agalloco@gmail.com
+- akzhan.abdulin@gmail.com
+- toby.net.info.mail+git@gmail.com
+- bjoerge@bengler.no
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -71,6 +104,7 @@ files:
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
+- lib/rack/protection/http_origin.rb
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
 - lib/rack/protection/path_traversal.rb
@@ -84,6 +118,7 @@ files:
 - spec/escaped_params_spec.rb
 - spec/form_token_spec.rb
 - spec/frame_options_spec.rb
+- spec/http_origin_spec.rb
 - spec/ip_spoofing_spec.rb
 - spec/json_csrf_spec.rb
 - spec/path_traversal_spec.rb
@@ -113,8 +148,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: You should use protection!
 test_files: []
+has_rdoc: