rack-protection 3.2.0 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7640a15f8659807abd53474e7ce538a42e476e4bd99dc745f3b9b8c16161c008
-  data.tar.gz: '05468ec6c8113d3afce2df62221e4c866616999700c30ba3ef94a2705b11138b'
+  metadata.gz: 8762f8b7bc260c94e353c6c9eb9a24d3a0efe695cb5904f526a5a84094f567db
+  data.tar.gz: d3c7e05bf8bfea7c6b077025f330429f386b416bccce5ebfab2d91d0513e437b
 SHA512:
-  metadata.gz: eeaff5e584a8ee3be6c80dc92c67fcc95bdbb97b084509ed90ca9ad524598fba63690cfa372586edd27940cd609fa44210637e9c95fbf1191e1a5cc297f222ac
-  data.tar.gz: 26e2160d65b6015c7aaa52266b7241d15f645eb259d1371b864b3e2b6a3b1fbef841e62304bc8e39a83fab1a52ddb0c3455a51385a9a451c833cbed91b75d00a
+  metadata.gz: 48b9fffade45349249d1122c3acc8618f2cb8ca05cde4ce1959b063899faad7c5c433bf6481518beedd0a0dd2ff28c878b1f5898fc3f21629ea39233fa747dc6
+  data.tar.gz: ec3176d39b37dfdd97b4d230f98251681a93c6dddcb17db4659c998d8f296dc9fc97808a9b732bbf055d0d2b0504f9696f541b6d6864983b214df94ceff636a5

data/Gemfile

@@ -1,16 +1,13 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-# encoding: utf-8
+gemspec
 
 gem 'rake'
 gem 'rspec', '~> 3'
+gem 'rack-test'
 
 rack_version = ENV['rack'].to_s
 rack_version = nil if rack_version.empty? || (rack_version == 'stable')
 rack_version = { github: 'rack/rack' } if rack_version == 'head'
 gem 'rack', rack_version
-
-gemspec
-
-gem 'rack-test'

data/README.md

@@ -69,7 +69,7 @@ Prevented by:
 
 Prevented by:
 
-* [`Rack::Protection::SessionHijacking`][session-hijacking]
+* [`Rack::Protection::SessionHijacking`][session-hijacking] (not included by `use Rack::Protection`)
 
 ## Cookie Tossing
 

data/lib/rack/protection/authenticity_token.rb

@@ -51,6 +51,7 @@ module Rack
     # Here is <tt>server.rb</tt>:
     #
     #   require 'rack/protection'
+    #   require 'rack/session'
     #
     #   app = Rack::Builder.app do
     #     use Rack::Session::Cookie, secret: 'secret'

data/lib/rack/protection/base.rb

@@ -74,7 +74,7 @@ module Rack
 
       def deny(env)
         warn env, "attack prevented by #{self.class}"
-        [options[:status], { 'Content-Type' => 'text/plain' }, [options[:message]]]
+        [options[:status], { 'content-type' => 'text/plain' }, [options[:message]]]
       end
 
       def report(env)

data/lib/rack/protection/content_security_policy.rb

@@ -26,7 +26,7 @@ module Rack
     #               https://scotthelme.co.uk/csp-cheat-sheet/
     #               http://www.html5rocks.com/en/tutorials/security/content-security-policy/
     #
-    # Sets the 'Content-Security-Policy[-Report-Only]' header.
+    # Sets the 'content-security-policy[-report-only]' header.
     #
     # Options: ContentSecurityPolicy configuration is a complex topic with
     #          several levels of support that has evolved over time.
@@ -71,7 +71,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        header = options[:report_only] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
+        header = options[:report_only] ? 'content-security-policy-report-only' : 'content-security-policy'
         headers[header] ||= csp_policy if html? headers
         [status, headers, body]
       end

data/lib/rack/protection/cookie_tossing.rb

@@ -51,7 +51,7 @@ module Rack
       def redirect(env)
         request = Request.new(env)
         warn env, "attack prevented by #{self.class}"
-        [302, { 'Content-Type' => 'text/html', 'Location' => request.path }, []]
+        [302, { 'content-type' => 'text/html', 'location' => request.path }, []]
       end
 
       def bad_cookies

data/lib/rack/protection/frame_options.rb

@@ -31,7 +31,7 @@ module Rack
 
       def call(env)
         status, headers, body        = @app.call(env)
-        headers['X-Frame-Options'] ||= frame_options if html? headers
+        headers['x-frame-options'] ||= frame_options if html? headers
         [status, headers, body]
       end
     end

data/lib/rack/protection/json_csrf.rb

@@ -39,7 +39,7 @@ module Rack
       def has_vector?(request, headers)
         return false if request.xhr?
         return false if options[:allow_if]&.call(request.env)
-        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
+        return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
 
         origin(request.env).nil? and referrer(request.env) != request.host
       end

data/lib/rack/protection/referrer_policy.rb

@@ -19,7 +19,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        headers['referrer-policy'] ||= options[:referrer_policy]
         [status, headers, body]
       end
     end

data/lib/rack/protection/strict_transport.rb

@@ -33,7 +33,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Strict-Transport-Security'] ||= strict_transport
+        headers['strict-transport-security'] ||= strict_transport
         [status, headers, body]
       end
     end

data/lib/rack/protection/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module Protection
-    VERSION = '3.2.0'
+    VERSION = '4.0.0'
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -18,8 +18,8 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
-        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        headers['x-xss-protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['x-content-type-options'] ||= 'nosniff'                       if options[:nosniff]
         [status, headers, body]
       end
     end

data/lib/rack/protection.rb

@@ -9,8 +9,6 @@ module Rack
     autoload :Base,                  'rack/protection/base'
     autoload :CookieTossing,         'rack/protection/cookie_tossing'
     autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
-    autoload :Encryptor,             'rack/protection/encryptor'
-    autoload :EncryptedCookie,       'rack/protection/encrypted_cookie'
     autoload :EscapedParams,         'rack/protection/escaped_params'
     autoload :FormToken,             'rack/protection/form_token'
     autoload :FrameOptions,          'rack/protection/frame_options'
@@ -26,12 +24,11 @@ module Rack
     autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
-      # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
 
       if options.fetch(:without_session, false)
-        except += %i[session_hijacking remote_token]
+        except += %i[remote_token]
       end
 
       Rack::Builder.new do
@@ -43,6 +40,7 @@ module Rack
         use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
         use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
         use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::SessionHijacking,      options if use_these.include? :session_hijacking
         use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
 
         # On by default, unless skipped
@@ -52,7 +50,6 @@ module Rack
         use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
         use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
         use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
         use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app

data/rack-protection.gemspec

@@ -36,9 +36,9 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
     'rubygems_mfa_required' => 'true'
   }
 
-  s.required_ruby_version = '>= 2.6.0'
+  s.required_ruby_version = '>= 2.7.8'
 
   # dependencies
   s.add_dependency 'base64', '>= 0.1.0'
-  s.add_dependency 'rack', '~> 2.2', '>= 2.2.4'
+  s.add_dependency 'rack', '>= 3.0.0', '< 4'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 4.0.0
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-29 00:00:00.000000000 Z
+date: 2024-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -28,22 +28,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.4
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.2'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.4
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 description: Protect against typical web attacks, works with all Rack apps, including
   Rails
 email: sinatrarb@googlegroups.com
@@ -61,8 +61,6 @@ files:
 - lib/rack/protection/base.rb
 - lib/rack/protection/content_security_policy.rb
 - lib/rack/protection/cookie_tossing.rb
-- lib/rack/protection/encrypted_cookie.rb
-- lib/rack/protection/encryptor.rb
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
@@ -95,7 +93,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 2.7.8
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/rack/protection/encrypted_cookie.rb

@@ -1,273 +0,0 @@
-# frozen_string_literal: true
-
-require 'openssl'
-require 'zlib'
-require 'json'
-require 'rack/request'
-require 'rack/response'
-require 'rack/session/abstract/id'
-
-module Rack
-  module Protection
-    # Rack::Protection::EncryptedCookie provides simple cookie based session management.
-    # By default, the session is a Ruby Hash stored as base64 encoded marshalled
-    # data set to :key (default: rack.session).  The object that encodes the
-    # session data is configurable and must respond to +encode+ and +decode+.
-    # Both methods must take a string and return a string.
-    #
-    # When the secret key is set, cookie data is checked for data integrity.
-    # The old_secret key is also accepted and allows graceful secret rotation.
-    # A legacy_hmac_secret is also accepted and is used to upgrade existing
-    # sessions to the new encryption scheme.
-    #
-    # There is also a legacy_hmac_coder option which can be set if a non-default
-    # coder was used for legacy session cookies.
-    #
-    # Example:
-    #
-    #     use Rack::Protection::EncryptedCookie,
-    #                                :key => 'rack.session',
-    #                                :domain => 'foo.com',
-    #                                :path => '/',
-    #                                :expire_after => 2592000,
-    #                                :secret => 'change_me',
-    #                                :old_secret => 'old_secret'
-    #
-    #     All parameters are optional.
-    #
-    # Example using legacy HMAC options
-    #
-    #   Rack::Protection:EncryptedCookie.new(application, {
-    #     # The secret used for legacy HMAC cookies
-    #     legacy_hmac_secret: 'legacy secret',
-    #     # legacy_hmac_coder will default to Rack::Protection::EncryptedCookie::Base64::Marshal
-    #     legacy_hmac_coder: Rack::Protection::EncryptedCookie::Identity.new,
-    #     # legacy_hmac will default to OpenSSL::Digest::SHA1
-    #     legacy_hmac: OpenSSL::Digest::SHA256
-    #   })
-    #
-    # Example of a cookie with no encoding:
-    #
-    #   Rack::Protection::EncryptedCookie.new(application, {
-    #     :coder => Rack::Protection::EncryptedCookie::Identity.new
-    #   })
-    #
-    # Example of a cookie with custom encoding:
-    #
-    #   Rack::Protection::EncryptedCookie.new(application, {
-    #     :coder => Class.new {
-    #       def encode(str); str.reverse; end
-    #       def decode(str); str.reverse; end
-    #     }.new
-    #   })
-    #
-    class EncryptedCookie < Rack::Session::Abstract::Persisted
-      # Encode session cookies as Base64
-      class Base64
-        def encode(str)
-          [str].pack('m0')
-        end
-
-        def decode(str)
-          str.unpack1('m')
-        end
-
-        # Encode session cookies as Marshaled Base64 data
-        class Marshal < Base64
-          def encode(str)
-            super(::Marshal.dump(str))
-          end
-
-          def decode(str)
-            return unless str
-
-            begin
-              ::Marshal.load(super(str))
-            rescue StandardError
-              nil
-            end
-          end
-        end
-
-        # N.B. Unlike other encoding methods, the contained objects must be a
-        # valid JSON composite type, either a Hash or an Array.
-        class JSON < Base64
-          def encode(obj)
-            super(::JSON.dump(obj))
-          end
-
-          def decode(str)
-            return unless str
-
-            begin
-              ::JSON.parse(super(str))
-            rescue StandardError
-              nil
-            end
-          end
-        end
-
-        class ZipJSON < Base64
-          def encode(obj)
-            super(Zlib::Deflate.deflate(::JSON.dump(obj)))
-          end
-
-          def decode(str)
-            return unless str
-
-            ::JSON.parse(Zlib::Inflate.inflate(super(str)))
-          rescue StandardError
-            nil
-          end
-        end
-      end
-
-      # Use no encoding for session cookies
-      class Identity
-        def encode(str); str; end
-        def decode(str); str; end
-      end
-
-      class Marshal
-        def encode(str)
-          ::Marshal.dump(str)
-        end
-
-        def decode(str)
-          ::Marshal.load(str) if str
-        end
-      end
-
-      attr_reader :coder
-
-      def initialize(app, options = {})
-        # Assume keys are hex strings and convert them to raw byte strings for
-        # actual key material
-        @secrets = options.values_at(:secret, :old_secret).compact.map do |secret|
-          [secret].pack('H*')
-        end
-
-        warn <<-MSG unless secure?(options)
-        SECURITY WARNING: No secret option provided to Rack::Protection::EncryptedCookie.
-        This poses a security threat. It is strongly recommended that you
-        provide a secret to prevent exploits that may be possible from crafted
-        cookies. This will not be supported in future versions of Rack, and
-        future versions will even invalidate your existing user cookies.
-
-        Called from: #{caller[0]}.
-        MSG
-
-        warn <<-MSG if @secrets.first && @secrets.first.length < 32
-        SECURITY WARNING: Your secret is not long enough. It must be at least
-        32 bytes long and securely random. To generate such a key for use
-        you can run the following command:
-
-        ruby -rsecurerandom -e 'p SecureRandom.hex(32)'
-
-        Called from: #{caller[0]}.
-        MSG
-
-        if options.key?(:legacy_hmac_secret)
-          @legacy_hmac = options.fetch(:legacy_hmac, OpenSSL::Digest::SHA1)
-
-          # Multiply the :digest_length: by 2 because this value is the length of
-          # the digest in bytes but session digest strings are encoded as hex
-          # strings
-          @legacy_hmac_length = @legacy_hmac.new.digest_length * 2
-          @legacy_hmac_secret = options[:legacy_hmac_secret]
-          @legacy_hmac_coder  = (options[:legacy_hmac_coder] ||= Base64::Marshal.new)
-        else
-          @legacy_hmac = false
-        end
-
-        # If encryption is used we can just use a default Marshal encoder
-        # without Base64 encoding the results.
-        #
-        # If no encryption is used, rely on the previous default (Base64::Marshal)
-        @coder = (options[:coder] ||= (@secrets.any? ? Marshal.new : Base64::Marshal.new))
-
-        super(app, options.merge!(cookie_only: true))
-      end
-
-      private
-
-      def find_session(req, _sid)
-        data = unpacked_cookie_data(req)
-        data = persistent_session_id!(data)
-        [data['session_id'], data]
-      end
-
-      def extract_session_id(request)
-        unpacked_cookie_data(request)['session_id']
-      end
-
-      def unpacked_cookie_data(request)
-        request.fetch_header(RACK_SESSION_UNPACKED_COOKIE_DATA) do |k|
-          session_data = cookie_data = request.cookies[@key]
-
-          # Try to decrypt with the first secret, if that returns nil, try
-          # with old_secret
-          unless @secrets.empty?
-            session_data = Rack::Protection::Encryptor.decrypt_message(cookie_data, @secrets.first)
-            session_data ||= Rack::Protection::Encryptor.decrypt_message(cookie_data, @secrets[1]) if @secrets.size > 1
-          end
-
-          # If session_data is still nil, are there is a legacy HMAC
-          # configured, try verify and parse the cookie that way
-          if !session_data && @legacy_hmac
-            digest = cookie_data.slice!(-@legacy_hmac_length..-1)
-            cookie_data.slice!(-2..-1) # remove double dash
-            session_data = cookie_data if digest_match?(cookie_data, digest)
-
-            # Decode using legacy HMAC decoder
-            request.set_header(k, @legacy_hmac_coder.decode(session_data) || {})
-          else
-            request.set_header(k, coder.decode(session_data) || {})
-          end
-        end
-      end
-
-      def persistent_session_id!(data, sid = nil)
-        data ||= {}
-        data['session_id'] ||= sid || generate_sid
-        data
-      end
-
-      def write_session(req, session_id, session, _options)
-        session = session.merge('session_id' => session_id)
-        session_data = coder.encode(session)
-
-        unless @secrets.empty?
-          session_data = Rack::Protection::Encryptor.encrypt_message(session_data, @secrets.first)
-        end
-
-        if session_data.size > (4096 - @key.size)
-          req.get_header(RACK_ERRORS).puts('Warning! Rack::Protection::EncryptedCookie data size exceeds 4K.')
-          nil
-        else
-          session_data
-        end
-      end
-
-      def delete_session(_req, _session_id, options)
-        # Nothing to do here, data is in the client
-        generate_sid unless options[:drop]
-      end
-
-      def digest_match?(data, digest)
-        return false unless data && digest
-
-        Rack::Utils.secure_compare(digest, generate_hmac(data))
-      end
-
-      def generate_hmac(data)
-        OpenSSL::HMAC.hexdigest(@legacy_hmac.new, @legacy_hmac_secret, data)
-      end
-
-      def secure?(options)
-        @secrets.size >= 1 ||
-          (options[:coder] && options[:let_coder_handle_secure_encoding])
-      end
-    end
-  end
-end

data/lib/rack/protection/encryptor.rb

@@ -1,62 +0,0 @@
-# frozen_string_literal: true
-
-require 'openssl'
-
-module Rack
-  module Protection
-    module Encryptor
-      CIPHER     = 'aes-256-gcm'
-      DELIMITER  = '--'
-
-      def self.base64_encode(str)
-        [str].pack('m0')
-      end
-
-      def self.base64_decode(str)
-        str.unpack1('m0')
-      end
-
-      def self.encrypt_message(data, secret, auth_data = '')
-        raise ArgumentError, 'data cannot be nil' if data.nil?
-
-        cipher = OpenSSL::Cipher.new(CIPHER)
-        cipher.encrypt
-        cipher.key = secret[0, cipher.key_len]
-
-        # Rely on OpenSSL for the initialization vector
-        iv = cipher.random_iv
-
-        # This must be set to properly use AES GCM for the OpenSSL module
-        cipher.auth_data = auth_data
-
-        cipher_text = cipher.update(data)
-        cipher_text << cipher.final
-
-        "#{base64_encode cipher_text}#{DELIMITER}#{base64_encode iv}#{DELIMITER}#{base64_encode cipher.auth_tag}"
-      end
-
-      def self.decrypt_message(data, secret)
-        return unless data
-
-        cipher = OpenSSL::Cipher.new(CIPHER)
-        cipher_text, iv, auth_tag = data.split(DELIMITER, 3).map! { |v| base64_decode(v) }
-
-        # This check is from ActiveSupport::MessageEncryptor
-        # see: https://github.com/ruby/openssl/issues/63
-        return if auth_tag.nil? || auth_tag.bytes.length != 16
-
-        cipher.decrypt
-        cipher.key = secret[0, cipher.key_len]
-        cipher.iv  = iv
-        cipher.auth_tag = auth_tag
-        cipher.auth_data = ''
-
-        decrypted_data = cipher.update(cipher_text)
-        decrypted_data << cipher.final
-        decrypted_data
-      rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
-        nil
-      end
-    end
-  end
-end