rack-protection 2.0.0.rc1 → 2.0.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7866e19271188b3c5668af566e5d61f305d7ebfd
-  data.tar.gz: 3cbee3fe323d7dbf531741731cda60dfe76b451e
+  metadata.gz: 9ba263455e21ef3a57c282270022ca1a02c4e9f0
+  data.tar.gz: 7e297009a1ff3f7e42a9a11a69ad1a6c58de5ba5
 SHA512:
-  metadata.gz: d740e0613f51e92b942e33611f29f317dd197be142818724c67a06be9536dbdba2d1e7b890d0f7444db6c804e4e77d9f156ab392ab503481985bd7481e6d3beb
-  data.tar.gz: ca24a69a0ef6b19bb3087d6c60f70ff51043e3e8ab7da691ab2311d2d7da73129e24c5adacbd37ce9b9436ee8541f29b2c96d98b6276e8373f00d0754860ed08
+  metadata.gz: 58c7dc2603726a22a19a910f15858bb7cf52496e43ce9cc3b306ff01bba37771b08a05c9ed1a874f9e4294d6f6ebc73c2c0671f60fc31f9203bfc8a24b83a3bd
+  data.tar.gz: c2a99e1e29b37012ab43a4dba44381645fc7018901f509494c49a0b06ec70ffd9268f2e34a8bd0015104221e5db85bd4ea25b22ff2d7e5ae810d8c4148425bb2

data/License

@@ -1,4 +1,7 @@
-Copyright (c) 2011 Konstantin Haase
+The MIT License (MIT)
+
+Copyright (c) 2011-2017 Konstantin Haase
+Copyright (c) 2015-2017 Zachary Scott
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/lib/rack/protection/content_security_policy.rb

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   XSS and others
+    # Supported browsers:: Firefox 23+, Safari 7+, Chrome 25+, Opera 15+
+    #
+    # Description:: Content Security Policy, a mechanism web applications
+    #               can use to mitigate a broad class of content injection
+    #               vulnerabilities, such as cross-site scripting (XSS).
+    #               Content Security Policy is a declarative policy that lets
+    #               the authors (or server administrators) of a web application
+    #               inform the client about the sources from which the
+    #               application expects to load resources.
+    #
+    # More info::   W3C CSP Level 1 : https://www.w3.org/TR/CSP1/ (deprecated)
+    #               W3C CSP Level 2 : https://www.w3.org/TR/CSP2/ (current)
+    #               W3C CSP Level 3 : https://www.w3.org/TR/CSP3/ (draft)
+    #               https://developer.mozilla.org/en-US/docs/Web/Security/CSP
+    #               http://caniuse.com/#search=ContentSecurityPolicy
+    #               http://content-security-policy.com/
+    #               https://securityheaders.io
+    #               https://scotthelme.co.uk/csp-cheat-sheet/
+    #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+    #
+    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    #
+    # Options: ContentSecurityPolicy configuration is a complex topic with
+    #          several levels of support that has evolved over time.
+    #          See the W3C documentation and the links in the more info
+    #          section for CSP usage examples and best practices. The
+    #          CSP3 directives in the 'NO_ARG_DIRECTIVES' constant need to be
+    #          presented in the options hash with a boolean 'true' in order
+    #          to be used in a policy.
+    #
+    class ContentSecurityPolicy < Base
+      default_options default_src: :none, script_src: "'self'",
+                      img_src: "'self'", style_src: "'self'",
+                      connect_src: "'self'", report_only: false
+
+      DIRECTIVES = %i(base_uri child_src connect_src default_src
+                      font_src form_action frame_ancestors frame_src
+                      img_src manifest_src media_src object_src
+                      plugin_types referrer reflected_xss report_to
+                      report_uri require_sri_for sandbox script_src
+                      style_src worker_src).freeze
+
+      NO_ARG_DIRECTIVES = %i(block_all_mixed_content disown_opener
+                             upgrade_insecure_requests).freeze
+
+      def csp_policy
+        directives = []
+
+        DIRECTIVES.each do |d|
+          if options.key?(d)
+            directives << "#{d.to_s.sub(/_/, '-')} #{options[d]}"
+          end
+        end
+
+        # Set these key values to boolean 'true' to include in policy
+        NO_ARG_DIRECTIVES.each do |d|
+          if options.key?(d) && options[d].is_a?(TrueClass)
+            directives << d.to_s.sub(/_/, '-')
+          end
+        end
+
+        directives.compact.sort.join('; ')
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        headers[header] ||= csp_policy if html? headers
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/cookie_tossing.rb

@@ -0,0 +1,75 @@
+require 'rack/protection'
+require 'pathname'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Cookie Tossing
+    # Supported browsers:: all
+    # More infos::         https://github.com/blog/1466-yummy-cookies-across-domains
+    #
+    # Does not accept HTTP requests if the HTTP_COOKIE header contains more than one
+    # session cookie. This does not protect against a cookie overflow attack.
+    #
+    # Options:
+    #
+    # session_key:: The name of the session cookie (default: 'rack.session')
+    class CookieTossing < Base
+      default_reaction :deny
+
+      def call(env)
+        status, headers, body = super
+        response = Rack::Response.new(body, status, headers)
+        request = Rack::Request.new(env)
+        remove_bad_cookies(request, response)
+        response.finish
+      end
+
+      def accepts?(env)
+        cookie_header = env['HTTP_COOKIE']
+        cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
+        cookies.each do |k, v|
+          if k == session_key && Array(v).size > 1
+            bad_cookies << k
+          elsif k != session_key && Rack::Utils.unescape(k) == session_key
+            bad_cookies << k
+          end
+        end
+        bad_cookies.empty?
+      end
+
+      def remove_bad_cookies(request, response)
+        return if bad_cookies.empty?
+        paths = cookie_paths(request.path)
+        bad_cookies.each do |name|
+          paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
+        end
+      end
+
+      def redirect(env)
+        request = Request.new(env)
+        warn env, "attack prevented by #{self.class}"
+        [302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
+      end
+
+      def bad_cookies
+        @bad_cookies ||= []
+      end
+
+      def cookie_paths(path)
+        path = '/' if path.to_s.empty?
+        paths = []
+        Pathname.new(path).descend { |p| paths << p.to_s }
+        paths
+      end
+
+      def empty_cookie(host, path)
+        {:value => '', :domain => host, :path => path, :expires => Time.at(0)}
+      end
+
+      def session_key
+        @session_key ||= options[:session_key]
+      end
+    end
+  end
+end

data/lib/rack/protection/json_csrf.rb

@@ -5,15 +5,20 @@ module Rack
     ##
     # Prevented attack::   CSRF
     # Supported browsers:: all
-    # More infos::         http://flask.pocoo.org/docs/security/#json-security
+    # More infos::         http://flask.pocoo.org/docs/0.10/security/#json-security
+    #                      http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
     #
-    # JSON GET APIs are vulnerable to being embedded as JavaScript while the
+    # JSON GET APIs are vulnerable to being embedded as JavaScript when the
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
     #
-    # Uses HttpOrigin to determine if requests are safe, please refer to the
-    # documentation for more.
+    # If request includes Origin HTTP header, defers to HttpOrigin to determine
+    # if the request is safe. Please refer to the documentation for more info.
+    #
+    # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
     class JsonCsrf < Base
+      default_options :allow_if => nil
+
       alias react deny
 
       def call(env)
@@ -31,6 +36,7 @@ module Rack
 
       def has_vector?(request, headers)
         return false if request.xhr?
+        return false if options[:allow_if] && options[:allow_if].call(request.env)
         return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
         origin(request.env).nil? and referrer(request.env) != request.host
       end

data/lib/rack/protection/strict_transport.rb

@@ -0,0 +1,39 @@
+require 'rack/protection'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   Protects against against protocol downgrade attacks and cookie hijacking.
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    #
+    # browser will prevent any communications from being sent over HTTP
+    # to the specified domain and will instead send all communications over HTTPS.
+    # It also prevents HTTPS click through prompts on browsers.
+    #
+    # Options:
+    #
+    # max_age:: How long future requests to the domain should go over HTTPS; specified in seconds
+    # include_subdomains:: If all present and future subdomains will be HTTPS
+    # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
+
+    class StrictTransport < Base
+      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+
+      def strict_transport
+        @strict_transport ||= begin
+          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport += '; includeSubDomains' if options[:include_subdomains]
+          strict_transport += '; preload' if options[:preload]
+          strict_transport.to_str
+        end
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        headers['Strict-Transport-Security'] ||= strict_transport
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module Protection
-    VERSION = "2.0.0.rc1"
+    VERSION = "2.0.0.rc2"
   end
 end

data/rack-protection.gemspec

@@ -6,79 +6,17 @@ Gem::Specification.new do |s|
   s.name        = "rack-protection"
   s.version     = Rack::Protection::VERSION
   s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
-  s.homepage    = "http://github.com/sinatra/rack-protection"
+  s.homepage    = "http://github.com/sinatra/sinatra/tree/master/rack-protection"
   s.summary     = s.description
   s.license     = 'MIT'
-
-  # generated from git shortlog -sn
-  s.authors = [
-    "Konstantin Haase",
-    "Maurizio De Santis",
-    "Alex Rodionov",
-    "Jason Staten",
-    "Patrick Ellis",
-    "ITO Nobuaki",
-    "Jeff Welling",
-    "Matteo Centenaro",
-    "Akzhan Abdulin",
-    "Alan deLevie",
-    "Bj\u{f8}rge N\u{e6}ss",
-    "Chris Heald",
-    "Chris Mytton",
-    "Corey Ward",
-    "Dario Cravero",
-    "David Kellum",
-    "Egor Homakov",
-    "Florian Gilcher",
-    "Fojas",
-    "Igor Bochkariov",
-    "Josef Stribny",
-    "Katrina Owen",
-    "Mael Clerambault",
-    "Martin Mauch",
-    "Renne Nissinen",
-    "SAKAI, Kazuaki",
-    "Stanislav Savulchik",
-    "Steve Agalloco",
-    "TOBY",
-    "Thais Camilo and Konstantin Haase",
-    "Vipul A M",
-    "Zachary Scott",
-    "ashley williams",
-    "brookemckim"
-  ]
-
-  # generated from git shortlog -sne
-  s.email = [
-    "mail@zzak.io",
-    "konstantin.haase@gmail.com"
-  ]
-
-  # generated from git ls-files
-  s.files = [
+  s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
+  s.email       = "sinatrarb@googlegroups.com"
+  s.files       = Dir["lib/**/*.rb"] + [
     "License",
     "README.md",
     "Rakefile",
     "Gemfile",
-    "rack-protection.gemspec",
-    "lib/rack",
-    "lib/rack/protection",
-    "lib/rack/protection/escaped_params.rb",
-    "lib/rack/protection/remote_referrer.rb",
-    "lib/rack/protection/ip_spoofing.rb",
-    "lib/rack/protection/base.rb",
-    "lib/rack/protection/session_hijacking.rb",
-    "lib/rack/protection/authenticity_token.rb",
-    "lib/rack/protection/version.rb",
-    "lib/rack/protection/path_traversal.rb",
-    "lib/rack/protection/form_token.rb",
-    "lib/rack/protection/json_csrf.rb",
-    "lib/rack/protection/http_origin.rb",
-    "lib/rack/protection/frame_options.rb",
-    "lib/rack/protection/xss_header.rb",
-    "lib/rack/protection/remote_token.rb",
-    "lib/rack/protection.rb",
-    "lib/rack-protection.rb"
+    "rack-protection.gemspec"
   ]
 
   # dependencies

metadata

@@ -1,47 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.0.0.rc1
+  version: 2.0.0.rc2
 platform: ruby
 authors:
-- Konstantin Haase
-- Maurizio De Santis
-- Alex Rodionov
-- Jason Staten
-- Patrick Ellis
-- ITO Nobuaki
-- Jeff Welling
-- Matteo Centenaro
-- Akzhan Abdulin
-- Alan deLevie
-- Bjørge Næss
-- Chris Heald
-- Chris Mytton
-- Corey Ward
-- Dario Cravero
-- David Kellum
-- Egor Homakov
-- Florian Gilcher
-- Fojas
-- Igor Bochkariov
-- Josef Stribny
-- Katrina Owen
-- Mael Clerambault
-- Martin Mauch
-- Renne Nissinen
-- SAKAI, Kazuaki
-- Stanislav Savulchik
-- Steve Agalloco
-- TOBY
-- Thais Camilo and Konstantin Haase
-- Vipul A M
-- Zachary Scott
-- ashley williams
-- brookemckim
+- https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-04 00:00:00.000000000 Z
+date: 2017-03-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -87,9 +54,7 @@ dependencies:
         version: 3.0.0
 description: Protect against typical web attacks, works with all Rack apps, including
   Rails.
-email:
-- mail@zzak.io
-- konstantin.haase@gmail.com
+email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -102,6 +67,8 @@ files:
 - lib/rack/protection.rb
 - lib/rack/protection/authenticity_token.rb
 - lib/rack/protection/base.rb
+- lib/rack/protection/content_security_policy.rb
+- lib/rack/protection/cookie_tossing.rb
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
@@ -112,10 +79,11 @@ files:
 - lib/rack/protection/remote_referrer.rb
 - lib/rack/protection/remote_token.rb
 - lib/rack/protection/session_hijacking.rb
+- lib/rack/protection/strict_transport.rb
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
 - rack-protection.gemspec
-homepage: http://github.com/sinatra/rack-protection
+homepage: http://github.com/sinatra/sinatra/tree/master/rack-protection
 licenses:
 - MIT
 metadata: {}
@@ -135,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including