rack-protection 2.0.0 → 2.0.1.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release: this version of rack-protection might be problematic.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 60b24d006884c214484d2d6275ddfd9a09719fe6
4
- data.tar.gz: b43b08983d4fc1fcf5525d28e0b704e49ee93a25
3
+ metadata.gz: 9ca2e92c0c0ea291a4fe70147390728620e34484
4
+ data.tar.gz: 2d0def4c47eeb73f7bb726d30efe6c89211c8a7e
5
5
  SHA512:
6
- metadata.gz: 926c434a0da749f9e615786c4600d7f3a933454ba179b4f3671d3abeb65d843281b95038258edaac3f01ae447c032aa8844141de0a399fd5447e6cbab12deac6
7
- data.tar.gz: 64892fdb92b20c537ffebbbc00d374e4d0bd07cf37dab25c21c95676b371477356c7ba3a52945e0f9a84b0db40bbd3fc964aa21a8525ed2bfac4dd3be204817f
6
+ metadata.gz: 4f63dd691c176f7a1d765c6780565797441d203df82473d5e75c4ebbdd84771f5aee2ba318726292e8692d5c489e4794b16c5fa1c40c5bb722782d615524272e
7
+ data.tar.gz: d3c6150b41f30cf81e0fe4135d3cd470e76a2506b9578ed5500ba5c4211d8a76a2d07650c149e151d06b8fc12752ce40899dcd992f80b4b9f7f6b98707f77f13
data/README.md CHANGED
@@ -1,7 +1,5 @@
1
1
  # Rack::Protection
2
2
 
3
- [![Build Status](https://secure.travis-ci.org/sinatra/rack-protection.png)](http://travis-ci.org/sinatra/rack-protection)
4
-
5
3
  This gem protects against typical web attacks.
6
4
  Should work for all Rack apps, including Rails.
7
5
 
@@ -40,55 +38,55 @@ run MyApp
40
38
 
41
39
  Prevented by:
42
40
 
43
- * `Rack::Protection::AuthenticityToken` (not included by `use Rack::Protection`)
44
- * `Rack::Protection::FormToken` (not included by `use Rack::Protection`)
45
- * `Rack::Protection::JsonCsrf`
46
- * `Rack::Protection::RemoteReferrer` (not included by `use Rack::Protection`)
47
- * `Rack::Protection::RemoteToken`
48
- * `Rack::Protection::HttpOrigin`
41
+ * [`Rack::Protection::AuthenticityToken`][authenticity-token] (not included by `use Rack::Protection`)
42
+ * [`Rack::Protection::FormToken`][form-token] (not included by `use Rack::Protection`)
43
+ * [`Rack::Protection::JsonCsrf`][json-csrf]
44
+ * [`Rack::Protection::RemoteReferrer`][remote-referrer] (not included by `use Rack::Protection`)
45
+ * [`Rack::Protection::RemoteToken`][remote-token]
46
+ * [`Rack::Protection::HttpOrigin`][http-origin]
49
47
 
50
48
  ## Cross Site Scripting
51
49
 
52
50
  Prevented by:
53
51
 
54
- * `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
55
- * `Rack::Protection::XSSHeader` (Internet Explorer and Chrome only)
56
- * `Rack::Protection::ContentSecurityPolicy`
52
+ * [`Rack::Protection::EscapedParams`][escaped-params] (not included by `use Rack::Protection`)
53
+ * [`Rack::Protection::XSSHeader`][xss-header] (Internet Explorer and Chrome only)
54
+ * [`Rack::Protection::ContentSecurityPolicy`][content-security-policy]
57
55
 
58
56
  ## Clickjacking
59
57
 
60
58
  Prevented by:
61
59
 
62
- * `Rack::Protection::FrameOptions`
60
+ * [`Rack::Protection::FrameOptions`][frame-options]
63
61
 
64
62
  ## Directory Traversal
65
63
 
66
64
  Prevented by:
67
65
 
68
- * `Rack::Protection::PathTraversal`
66
+ * [`Rack::Protection::PathTraversal`][path-traversal]
69
67
 
70
68
  ## Session Hijacking
71
69
 
72
70
  Prevented by:
73
71
 
74
- * `Rack::Protection::SessionHijacking`
72
+ * [`Rack::Protection::SessionHijacking`][session-hijacking]
75
73
 
76
74
  ## Cookie Tossing
77
75
 
78
76
  Prevented by:
79
- * `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
77
+ * [`Rack::Protection::CookieTossing`][cookie-tossing] (not included by `use Rack::Protection`)
80
78
 
81
79
  ## IP Spoofing
82
80
 
83
81
  Prevented by:
84
82
 
85
- * `Rack::Protection::IPSpoofing`
83
+ * [`Rack::Protection::IPSpoofing`][ip-spoofing]
86
84
 
87
85
  ## Helps to protect against protocol downgrade attacks and cookie hijacking
88
86
 
89
87
  Prevented by:
90
88
 
91
- * `Rack::Protection::StrictTransport` (not included by `use Rack::Protection`)
89
+ * [`Rack::Protection::StrictTransport`][strict-transport] (not included by `use Rack::Protection`)
92
90
 
93
91
  # Installation
94
92
 
@@ -102,3 +100,19 @@ use Rack::Protection, instrumenter: ActiveSupport::Notifications
102
100
  ```
103
101
 
104
102
  The instrumenter is passed a namespace (String) and environment (Hash). The namespace is 'rack.protection' and the attack type can be obtained from the environment key 'rack.protection.attack'.
103
+
104
+ [authenticity-token]: http://www.sinatrarb.com/protection/authenticity_token
105
+ [content-security-policy]: http://www.sinatrarb.com/protection/content_security_policy
106
+ [cookie-tossing]: http://www.sinatrarb.com/protection/cookie_tossing
107
+ [escaped-params]: http://www.sinatrarb.com/protection/escaped_params
108
+ [form-token]: http://www.sinatrarb.com/protection/form_token
109
+ [frame-options]: http://www.sinatrarb.com/protection/frame_options
110
+ [http-origin]: http://www.sinatrarb.com/protection/http_origin
111
+ [ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
112
+ [json-csrf]: http://www.sinatrarb.com/protection/json_csrf
113
+ [path-traversal]: http://www.sinatrarb.com/protection/path_traversal
114
+ [remote-referrer]: http://www.sinatrarb.com/protection/remote_referrer
115
+ [remote-token]: http://www.sinatrarb.com/protection/remote_token
116
+ [session-hijacking]: http://www.sinatrarb.com/protection/session_hijacking
117
+ [strict-transport]: http://www.sinatrarb.com/protection/strict_transport
118
+ [xss-header]: http://www.sinatrarb.com/protection/xss_header
data/Rakefile CHANGED
@@ -24,7 +24,15 @@ namespace :doc do
24
24
  end
25
25
  end
26
26
 
27
- task :all => [:readmes]
27
+ task :index do
28
+ doc = File.read("README.md")
29
+ file = "doc/rack-protection-readme.md"
30
+ Dir.mkdir "doc" unless File.directory? "doc"
31
+ puts "writing #{file}"
32
+ File.open(file, "w") { |f| f << doc }
33
+ end
34
+
35
+ task :all => [:readmes, :index]
28
36
  end
29
37
 
30
38
  desc "generate documentation"
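Review bot: the new `task :index` has no `desc`, so it will not show up in `rake -T`; add one, as the `desc "generate documentation"` at the end of this hunk does for the task that follows. Also, `Dir.mkdir "doc" unless File.directory? "doc"` followed by `File.open(file, "w") { |f| f << doc }` can be reduced to `FileUtils.mkdir_p "doc"` and `File.write(file, doc)`, which removes the check-then-create race and makes the task a plain copy of README.md, which is all it does.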
@@ -24,14 +24,17 @@ module Rack
24
24
  encoding = path.encoding
25
25
  dot = '.'.encode(encoding)
26
26
  slash = '/'.encode(encoding)
27
+ backslash = '\\'.encode(encoding)
27
28
  else
28
29
  # Ruby 1.8
29
30
  dot = '.'
30
31
  slash = '/'
32
+ backslash = '\\'
31
33
  end
32
34
 
33
35
  parts = []
34
- unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
36
+ unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
37
+ unescaped = unescaped.gsub(backslash, slash)
35
38
 
36
39
  unescaped.split(slash).each do |part|
37
40
  next if part.empty? or part == dot
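Review bot: the two added `gsub` calls at the end of this hunk first decode `%5c` to a backslash and then fold every backslash into a slash before `unescaped.split(slash)`, so a literal backslash and a percent-encoded one are now both treated as path separators by the segment filtering that follows (`next if part.empty? or part == dot`). Two things to tie up with the change: add specs covering `%5c`, `%5C` and a raw backslash (the regexp is case-insensitive, so both spellings should be exercised), and record in the changelog that a backslash inside an otherwise legitimate segment is now normalised to `/`, since that changes the cleaned path handed to the application. The `backslash = '\\'.encode(encoding)` / `backslash = '\\'` pair mirrors how `dot` and `slash` are set up in both the encoding-aware and Ruby 1.8 branches, and the decode/fold lines sit outside the `if`/`else`, so both branches take the new code path; keep that arrangement if this is refactored.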
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  module Protection
3
- VERSION = '2.0.0'
3
+ VERSION = '2.0.1.rc1'
4
4
  end
5
5
  end
@@ -5,7 +5,7 @@ Gem::Specification.new do |s|
5
5
  s.name = "rack-protection"
6
6
  s.version = version
7
7
  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
8
- s.homepage = "http://github.com/sinatra/sinatra/tree/master/rack-protection"
8
+ s.homepage = "http://www.sinatrarb.com/protection/"
9
9
  s.summary = s.description
10
10
  s.license = 'MIT'
11
11
  s.authors = ["https://github.com/sinatra/sinatra/graphs/contributors"]
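Review bot: `s.homepage` now points at a plain `http://` URL; if www.sinatrarb.com is served over TLS, prefer `https://` so the link shown on rubygems.org does not pass through an unencrypted hop. The same applies to the fifteen `[name]: http://www.sinatrarb.com/protection/...` reference links added at the bottom of README.md in this release.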
@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
21
21
  # dependencies
22
22
  s.add_dependency "rack"
23
23
  s.add_development_dependency "rack-test"
24
- s.add_development_dependency "rspec", "~> 3.0.0"
24
+ s.add_development_dependency "rspec", "~> 3.6"
25
25
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.0
4
+ version: 2.0.1.rc1
5
5
  platform: ruby
6
6
  authors:
7
7
  - https://github.com/sinatra/sinatra/graphs/contributors
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-05-07 00:00:00.000000000 Z
11
+ date: 2018-02-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -44,14 +44,14 @@ dependencies:
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: 3.0.0
47
+ version: '3.6'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: 3.0.0
54
+ version: '3.6'
55
55
  description: Protect against typical web attacks, works with all Rack apps, including
56
56
  Rails.
57
57
  email: sinatrarb@googlegroups.com
@@ -83,7 +83,7 @@ files:
83
83
  - lib/rack/protection/version.rb
84
84
  - lib/rack/protection/xss_header.rb
85
85
  - rack-protection.gemspec
86
- homepage: http://github.com/sinatra/sinatra/tree/master/rack-protection
86
+ homepage: http://www.sinatrarb.com/protection/
87
87
  licenses:
88
88
  - MIT
89
89
  metadata: {}
@@ -98,12 +98,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
98
98
  version: '0'
99
99
  required_rubygems_version: !ruby/object:Gem::Requirement
100
100
  requirements:
101
- - - ">="
101
+ - - ">"
102
102
  - !ruby/object:Gem::Version
103
- version: '0'
103
+ version: 1.3.1
104
104
  requirements: []
105
105
  rubyforge_project:
106
- rubygems_version: 2.6.11
106
+ rubygems_version: 2.6.8
107
107
  signing_key:
108
108
  specification_version: 4
109
109
  summary: Protect against typical web attacks, works with all Rack apps, including
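Review bot: two build-environment observations on this hunk. `required_rubygems_version` changes from `>= 0` to `> 1.3.1`; that is the requirement RubyGems stamps automatically for a prerelease version such as `2.0.1.rc1`, so no gemspec change is implied by it. `rubygems_version` goes backwards, from 2.6.11 to 2.6.8, meaning the rc was packaged with an older RubyGems than 2.0.0 was; worth confirming the release is built from a pinned, consistent toolchain so the generated metadata and the checksums in checksums.yaml are reproducible from one build to the next.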