rack-protection 1.5.5 → 2.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 2b7d78da301d9f7fc81ae73e46a389c2b8ce10ab8121f169fd760018ac506d47
-  data.tar.gz: a91bd28f8624f325d6714262ac11d83e0a347405f14e600780cb1bfd846e5b34
+SHA1:
+  metadata.gz: 64d5507a2ecfe3df38d6e733ba3b27ad3c9f9c4a
+  data.tar.gz: dd394521e2416add01c08698ecb63921a14f97b1
 SHA512:
-  metadata.gz: 0c5de92c0283313c00d50c1f9a219c808ad587caabff81c4d1530abd8f0e7d9c0f3753ad9bab7c06a29ce97b2a717fddc04ced642adff058f3431419286e4da6
-  data.tar.gz: d3bf5830bf30475871b73ba54ee38f962bd93c2e1f420b59b649d6dcb7f97d89f091d3add3f692ba847ffe5f5c6cade665d522c86220087d977fb3706e41bd58
+  metadata.gz: 48c54f8ae258c75a608fa3b5ed92be46bf24fdc9f9c91ab9bd1ce23403c6f7f2ab6203a84ca9c65a0208b4c55dea1ebb6241d7bfa277625b65604615679473b1
+  data.tar.gz: 05296de527c7b29c072faeaa30596fdc811f268bfe5f741fc1280593ba7022db2656efb8e288a81f405f10c2c71f82a30b5a3d50324bfa736aa886f1abc48247

data/Gemfile

@@ -0,0 +1,13 @@
+source "http://rubygems.org"
+# encoding: utf-8
+
+gem 'rake'
+
+rack_version = ENV['rack'].to_s
+rack_version = nil if rack_version.empty? or rack_version == 'stable'
+rack_version = {:github => 'rack/rack'} if rack_version == 'master'
+gem 'rack', rack_version
+
+gem 'sinatra', path: '..'
+
+gemspec

data/README.md

@@ -1,4 +1,6 @@
-You should use protection!
+# Rack::Protection
+
+[![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
 
 This gem protects against typical web attacks.
 Should work for all Rack apps, including Rails.
@@ -50,7 +52,8 @@ Prevented by:
 Prevented by:
 
 * `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XSSHeader` (Internet Explorer only)
+* `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
+* `Rack::Protection::ContentSecurityPolicy`
 
 ## Clickjacking
 
@@ -70,12 +73,23 @@ Prevented by:
 
 * `Rack::Protection::SessionHijacking`
 
+## Cookie Tossing
+
+Prevented by:
+* `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
+
 ## IP Spoofing
 
 Prevented by:
 
 * `Rack::Protection::IPSpoofing`
 
+## Helps to protect against protocol downgrade attacks and cookie hijacking
+
+Prevented by:
+
+* `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
+
 # Installation
 
     gem install rack-protection

data/Rakefile

@@ -19,13 +19,10 @@ task 'rack-protection.gemspec' do
   # fetch data
   fields = {
     :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
-    :email   => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
-    :files   => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+    :email   => ["mail@zzak.io", "konstantin.haase@gmail.com"],
+    :files   => %w(License README.md Rakefile Gemfile rack-protection.gemspec) + Dir['lib/**/*']
   }
 
-  # double email :(
-  fields[:email].delete("konstantin.haase@gmail.com")
-
   # insert data
   fields.each do |field, values|
     updated = "  s.#{field} = ["

data/lib/rack/protection.rb

@@ -3,36 +3,50 @@ require 'rack'
 
 module Rack
   module Protection
-    autoload :AuthenticityToken, 'rack/protection/authenticity_token'
-    autoload :Base,              'rack/protection/base'
-    autoload :EscapedParams,     'rack/protection/escaped_params'
-    autoload :FormToken,         'rack/protection/form_token'
-    autoload :FrameOptions,      'rack/protection/frame_options'
-    autoload :HttpOrigin,        'rack/protection/http_origin'
-    autoload :IPSpoofing,        'rack/protection/ip_spoofing'
-    autoload :JsonCsrf,          'rack/protection/json_csrf'
-    autoload :PathTraversal,     'rack/protection/path_traversal'
-    autoload :RemoteReferrer,    'rack/protection/remote_referrer'
-    autoload :RemoteToken,       'rack/protection/remote_token'
-    autoload :SessionHijacking,  'rack/protection/session_hijacking'
-    autoload :XSSHeader,         'rack/protection/xss_header'
+    autoload :AuthenticityToken,     'rack/protection/authenticity_token'
+    autoload :Base,                  'rack/protection/base'
+    autoload :CookieTossing,         'rack/protection/cookie_tossing'
+    autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
+    autoload :EscapedParams,         'rack/protection/escaped_params'
+    autoload :FormToken,             'rack/protection/form_token'
+    autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HttpOrigin,            'rack/protection/http_origin'
+    autoload :IPSpoofing,            'rack/protection/ip_spoofing'
+    autoload :JsonCsrf,              'rack/protection/json_csrf'
+    autoload :PathTraversal,         'rack/protection/path_traversal'
+    autoload :RemoteReferrer,        'rack/protection/remote_referrer'
+    autoload :RemoteToken,           'rack/protection/remote_token'
+    autoload :SessionHijacking,      'rack/protection/session_hijacking'
+    autoload :StrictTransport,       'rack/protection/strict_transport'
+    autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
       # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
+
+      if options.fetch(:without_session, false)
+        except += [:session_hijacking, :remote_token]
+      end
+
       Rack::Builder.new do
-        use ::Rack::Protection::RemoteReferrer,   options if use_these.include? :remote_referrer
-        use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
-        use ::Rack::Protection::FormToken,        options if use_these.include? :form_token
-        use ::Rack::Protection::FrameOptions,     options unless except.include? :frame_options
-        use ::Rack::Protection::HttpOrigin,       options unless except.include? :http_origin
-        use ::Rack::Protection::IPSpoofing,       options unless except.include? :ip_spoofing
-        use ::Rack::Protection::JsonCsrf,         options unless except.include? :json_csrf
-        use ::Rack::Protection::PathTraversal,    options unless except.include? :path_traversal
-        use ::Rack::Protection::RemoteToken,      options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking, options unless except.include? :session_hijacking
-        use ::Rack::Protection::XSSHeader,        options unless except.include? :xss_header
+        # Off by default, unless added
+        use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
+        use ::Rack::Protection::CookieTossing,         options if use_these.include? :cookie_tossing
+        use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
+        use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
+        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
+
+        # On by default, unless skipped
+        use ::Rack::Protection::FrameOptions,          options unless except.include? :frame_options
+        use ::Rack::Protection::HttpOrigin,            options unless except.include? :http_origin
+        use ::Rack::Protection::IPSpoofing,            options unless except.include? :ip_spoofing
+        use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
+        use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
+        use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
+        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
+        use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app
     end

data/lib/rack/protection/authenticity_token.rb

@@ -1,4 +1,6 @@
 require 'rack/protection'
+require 'securerandom'
+require 'base64'
 
 module Rack
   module Protection
@@ -17,14 +19,112 @@ module Rack
     # authenticity_param: Defines the param's name that should contain the token on a request.
     #
     class AuthenticityToken < Base
-      default_options :authenticity_param => 'authenticity_token'
+      default_options :authenticity_param => 'authenticity_token',
+                      :authenticity_token_length => 32,
+                      :allow_if => nil
+
+      class << self
+        def token(session)
+          mask_token(session[:csrf])
+        end
+
+        def random_token(length = 32)
+          SecureRandom.base64(length)
+        end
+
+        # Creates a masked version of the authenticity token that varies
+        # on each request. The masking is used to mitigate SSL attacks
+        # like BREACH.
+        def mask_token(token)
+          token = decode_token(token)
+          one_time_pad = SecureRandom.random_bytes(token.length)
+          encrypted_token = xor_byte_strings(one_time_pad, token)
+          masked_token = one_time_pad + encrypted_token
+          encode_token masked_token
+        end
+
+        # Essentially the inverse of +mask_token+.
+        def unmask_decoded_token(masked_token)
+          # Split the token into the one-time pad and the encrypted
+          # value and decrypt it
+          token_length = masked_token.length / 2
+          one_time_pad = masked_token[0...token_length]
+          encrypted_token = masked_token[token_length..-1]
+          xor_byte_strings(one_time_pad, encrypted_token)
+        end
+
+        def encode_token(token)
+          Base64.strict_encode64(token)
+        end
+
+        def decode_token(token)
+          Base64.strict_decode64(token)
+        end
+
+        private
+
+        def xor_byte_strings(s1, s2)
+          s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+        end
+      end
 
       def accepts?(env)
         session = session env
-        token   = session[:csrf] ||= session['_csrf_token'] || random_string
+        session[:csrf] ||= self.class.random_token(token_length)
+
         safe?(env) ||
-          secure_compare(env['HTTP_X_CSRF_TOKEN'].to_s, token) ||
-          secure_compare(Request.new(env).params[options[:authenticity_param]].to_s, token)
+          valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
+          valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
+          ( options[:allow_if] && options[:allow_if].call(env) )
+      end
+
+      private
+
+      def token_length
+        options[:authenticity_token_length]
+      end
+
+      # Checks the client's masked token to see if it matches the
+      # session token.
+      def valid_token?(session, token)
+        return false if token.nil? || token.empty?
+
+        begin
+          token = self.class.decode_token(token)
+        rescue ArgumentError # encoded_masked_token is invalid Base64
+          return false
+        end
+
+        # See if it's actually a masked token or not. We should be able
+        # to handle any unmasked tokens that we've issued without error.
+
+        if unmasked_token?(token)
+          compare_with_real_token token, session
+
+        elsif masked_token?(token)
+          token = self.class.unmask_decoded_token(token)
+
+          compare_with_real_token token, session
+
+        else
+          false # Token is malformed
+        end
+      end
+
+      def unmasked_token?(token)
+        token.length == token_length
+      end
+
+      def masked_token?(token)
+        token.length == token_length * 2
+      end
+
+      def compare_with_real_token(token, session)
+        secure_compare(token, real_token(session))
+      end
+
+      def real_token(session)
+        self.class.decode_token(session[:csrf])
       end
     end
   end

data/lib/rack/protection/base.rb

@@ -1,4 +1,5 @@
 require 'rack/protection'
+require 'rack/utils'
 require 'digest'
 require 'logger'
 require 'uri'
@@ -110,28 +111,8 @@ module Rack
         options[:encryptor].hexdigest value.to_s
       end
 
-      # The implementations of secure_compare and bytesize are taken from
-      # Rack::Utils to be able to support rack older than XXXX.
       def secure_compare(a, b)
-        return false unless bytesize(a) == bytesize(b)
-
-        l = a.unpack("C*")
-
-        r, i = 0, -1
-        b.each_byte { |v| r |= v ^ l[i+=1] }
-        r == 0
-      end
-
-      # Return the bytesize of String; uses String#size under Ruby 1.8 and
-      # String#bytesize under 1.9.
-      if ''.respond_to?(:bytesize)
-        def bytesize(string)
-          string.bytesize
-        end
-      else
-        def bytesize(string)
-          string.size
-        end
+        Rack::Utils.secure_compare(a.to_s, b.to_s)
       end
 
       alias default_reaction deny

data/lib/rack/protection/escaped_params.rb

@@ -1,5 +1,6 @@
 require 'rack/protection'
 require 'rack/utils'
+require 'tempfile'
 
 begin
   require 'escape_utils'
@@ -66,6 +67,7 @@ module Rack
         when Hash   then escape_hash(object)
         when Array  then object.map { |o| escape(o) }
         when String then escape_string(object)
+        when Tempfile then object
         else nil
         end
       end

data/lib/rack/protection/http_origin.rb

@@ -10,9 +10,16 @@ module Rack
     #
     # Does not accept unsafe HTTP requests when value of Origin HTTP request header
     # does not match default or whitelisted URIs.
+    #
+    # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
+    #
+    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny
+      default_options :allow_if => nil
 
       def base_url(env)
         request = Rack::Request.new(env)
@@ -24,6 +31,7 @@ module Rack
         return true if safe? env
         return true unless origin = env['HTTP_ORIGIN']
         return true if base_url(env) == origin
+        return true if options[:allow_if] && options[:allow_if].call(env)
         Array(options[:origin_whitelist]).include? origin
       end
 

data/lib/rack/protection/json_csrf.rb

@@ -10,6 +10,9 @@ module Rack
     # JSON GET APIs are vulnerable to being embedded as JavaScript while the
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
+    #
+    # Uses HttpOrigin to determine if requests are safe, please refer to the
+    # documentation for more.
     class JsonCsrf < Base
       alias react deny
 
@@ -17,9 +20,10 @@ module Rack
         request               = Request.new(env)
         status, headers, body = app.call(env)
 
-        if has_vector? request, headers
+        if has_vector?(request, headers)
           warn env, "attack prevented by #{self.class}"
-          react(env) or [status, headers, body]
+
+          react_and_close(env, body) or [status, headers, body]
         else
           [status, headers, body]
         end
@@ -30,6 +34,18 @@ module Rack
         return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
         origin(request.env).nil? and referrer(request.env) != request.host
       end
+
+      def react_and_close(env, body)
+        reaction = react(env)
+
+        close_body(body) if reaction
+
+        reaction
+      end
+
+      def close_body(body)
+        body.close if body.respond_to?(:close)
+      end
     end
   end
 end

data/lib/rack/protection/path_traversal.rb

@@ -24,17 +24,14 @@ module Rack
           encoding = path.encoding
           dot   = '.'.encode(encoding)
           slash = '/'.encode(encoding)
-          backslash = '\\'.encode(encoding)
         else
           # Ruby 1.8
           dot   = '.'
           slash = '/'
-          backslash = '\\'
         end
 
         parts     = []
-        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
-        unescaped = unescaped.gsub(backslash, slash)
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
 
         unescaped.split(slash).each do |part|
           next if part.empty? or part == dot

data/lib/rack/protection/version.rb

@@ -1,16 +1,5 @@
 module Rack
   module Protection
-    def self.version
-      VERSION
-    end
-
-    SIGNATURE = [1, 5, 5]
-    VERSION   = SIGNATURE.join('.')
-
-    VERSION.extend Comparable
-    def VERSION.<=>(other)
-      other = other.split('.').map { |i| i.to_i } if other.respond_to? :split
-      SIGNATURE <=> Array(other)
-    end
+    VERSION = ::Sinatra::VERSION
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -4,7 +4,7 @@ module Rack
   module Protection
     ##
     # Prevented attack::   Non-permanent XSS
-    # Supported browsers:: Internet Explorer 8 and later
+    # Supported browsers:: Internet Explorer 8+ and Chrome
     # More infos::         http://blogs.msdn.com/b/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
     #
     # Sets X-XSS-Protection header to tell the browser to block attacks.