rack-session-smart_cookie 0.1.3 → 0.1.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 1810a34a2f96c7812e4d15fa413b375614d51997
4
- data.tar.gz: 899d9e588489e1250d1c5617861b2b0c18d74953
3
+ metadata.gz: e83bdebac8d1746d4918c878dfa16fdfcd8f4b03
4
+ data.tar.gz: 77739204186ab0b9d50c0b15abca508d326cb990
5
5
  SHA512:
6
- metadata.gz: 6b78233babd67dee7a0d90dad14d5110f89224afeb2c755e72fdcccd600cdedec7d7455c0cb0925ca0c4614c703eb0f8fcf228913fcb7e74f3d69a34bdbc9dab
7
- data.tar.gz: 676876cf5c8c5cb309aec3a44e9c81f23404a319eaa68185088aeb311dc9abc31944d434f77c5313a2a76d860d443086fabfa4fe22dd622d9c9a6d72ebc752c8
6
+ metadata.gz: 4b026b789349a4e07d5da56fb01ae3012f62ff91b0cea6b87e7fdb89589638f5721cc1bbb9b0b88a4443ed351541785fe1f92cb74c95f3d64a143b22e5baa60e
7
+ data.tar.gz: 1642c2bf3230c4b6f0e0ad0e52dccc7a2073f11982d1019b9b1ee3dddf9d6dc42e1146f7591820fbdca7876d12a5e072a7382a3e2140a96e771ab033053ed00e
data/README.md CHANGED
@@ -6,21 +6,21 @@
6
6
  The version of Rack::Session::Cookie that ships with Rack 2 has the following
7
7
  limitations:
8
8
 
9
- * Insecure SHA1 (HMAC-SHA1) by default
9
+ * HMAC-SHA1 by default
10
10
  * Slow and/or bloated JSON, ZipJSON, or Marshal encoding out of the box
11
11
  * JSON encodings do not preserve Symbols
12
12
  * Digest is double-encoded and bloated (hexdigest of a base64)
13
13
  * Base64-encoded strings contain unecessary padding and characters that need to
14
14
  be escaped (e.g. `/` becomes `%2F`), wasting precious cookie bytes
15
- * It has some bugs in the size check that may lead to truncated cookies, token
16
- leakage, and/or cross-site request forgery
15
+ * It has some bugs in the size check that may lead to dropped or truncated
16
+ cookies, token leakage, and/or cross-site request forgery
17
17
 
18
18
  Of course, none of these are true show-stoppers, and the worst can be worked
19
19
  around by passing e.g. `:hmac` and `:coder` to the initializer. But we are nice
20
20
  people and we deserve nice things. This gem provides a minor derivative of
21
21
  Rack::Session::Cookie with the following improvements:
22
22
 
23
- * Secure SHA2 (HMAC-SHA-256) by default
23
+ * HMAC-SHA256 by default
24
24
  * Compact binary serialization format (currently [MessagePack][3] but will
25
25
  likely change to [CBOR][4] in the future) out of the box
26
26
  * Symbols are preserved with the default `:coder`
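Review bot: the unchanged context line `* Base64-encoded strings contain unecessary padding and characters that need to` still carries the typo `unecessary`; fix it to `unnecessary` while this paragraph is being touched. The wording change from `Insecure SHA1 (HMAC-SHA1)` to `HMAC-SHA1 by default` is the right correction: collision attacks on SHA-1 do not translate into an attack on HMAC-SHA1, whose security rests on the compression function behaving as a PRF rather than on collision resistance, so labelling the Rack 2 default "insecure" overstated the problem. `HMAC-SHA256 by default` matches the `DEFAULT_DIGEST = 'SHA256'` constant in the code, which is the consistency that was missing before.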
@@ -49,7 +49,7 @@ stringification scheme other than non-padded, URL-safe Base64! It doesn't need
49
49
  to be configurable. The serializer remains configurable as the `:coder`.
50
50
 
51
51
  The remaining differences are mostly just better defaults: MessagePack and
52
- SHA2.
52
+ HMAC-SHA256.
53
53
 
54
54
  ## Installation
55
55
 
@@ -103,8 +103,8 @@ and add ZipJSON. Although it comes in second-most compact at 289 bytes (cf.
103
103
  protocol buffers and MessagePack at 204 and 373 bytes, respectively), it was
104
104
  97% slower to encode and 91% slower to decode cf. MessagePack.
105
105
 
106
- I put this mock session payload through the following configurations with SHA2
107
- and 128 sidbits and here are the results:
106
+ I put this mock session payload through the following configurations with
107
+ HMAC-SHA256 and 128 sidbits and here are the results:
108
108
 
109
109
  ```ruby
110
110
  {
@@ -3,13 +3,13 @@ require 'rack/session/smart_cookie/version'
3
3
 
4
4
  require 'base64'
5
5
  require 'msgpack'
6
- require 'openssl'
6
+ require 'openssl/digest'
7
7
  require 'rack/session/cookie'
8
8
 
9
9
  module Rack
10
10
  module Session
11
11
  class SmartCookie < Cookie
12
- BAD_DIGESTS = %w[MD2 MD4 MD5 SHA SHA1].freeze
12
+ BAD_DIGESTS = %w[MD2 MD4 MD5 SHA].freeze
13
13
  DEFAULT_DIGEST = 'SHA256'
14
14
  SECRET_MIN_BYTESIZE = 16
15
15
 
@@ -33,16 +33,7 @@ module Rack
33
33
  def self.decode(str)
34
34
  return unless str
35
35
 
36
- num_pad_chars =
37
- case str.bytesize % 4
38
- when 0 then 0
39
- when 2 then 2
40
- when 3 then 1
41
- else
42
- fail 'Invalid Base64-encoded string!'
43
- end
44
-
45
- ::Base64.urlsafe_decode64(str + '=' * num_pad_chars)
36
+ ::Base64.urlsafe_decode64(str + '=' * (-str.bytesize % 4))
46
37
  rescue
47
38
  end
48
39
  end
@@ -79,7 +70,7 @@ module Rack
79
70
 
80
71
  def initialize(app, options={})
81
72
  options[:coder] ||= MessagePack.new
82
- options[:hmac] = OpenSSL::Digest.const_get(DEFAULT_DIGEST) unless options.key?(:hmac)
73
+ options[:hmac] = OpenSSL::Digest(DEFAULT_DIGEST) unless options.key?(:hmac)
83
74
 
84
75
  super
85
76
 
@@ -91,10 +82,10 @@ module Rack
91
82
  digest algorithm (#{hmac.class}).
92
83
 
93
84
  Such algorithms are generally considered to be effectively broken. It
94
- is strongly recommended that you elect to use a message digest algorithm
95
- from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or one of the
96
- derivatives such as SHA512/256. This will help prevent exploits that
97
- may be possible from crafted cookies.
85
+ is strongly recommended that you elect to use a message digest
86
+ algorithm from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or
87
+ one of the derivatives such as SHA512/256. This will help prevent
88
+ exploits that may be possible from crafted cookies.
98
89
 
99
90
  Called from: #{caller[0]}.
100
91
  MSG
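Review bot: the interpolation `#{hmac.class}` in the first context line will print `Class` rather than the algorithm name if `hmac` holds the digest class, which is what `initialize` stores in `options[:hmac]`; use `hmac.name` (or just `hmac`) so the warning names the rejected digest. With `SHA1` removed from `BAD_DIGESTS`, the "effectively broken" wording now only applies to MD2, MD4, MD5 and SHA-0, which is accurate. The reflow of the SHA-2 recommendation is whitespace-only and needs no further comment.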
@@ -10,7 +10,7 @@ module Rack
10
10
  Cookie = Class.new unless defined?(Cookie)
11
11
 
12
12
  class SmartCookie < Cookie
13
- VERSION = '0.1.3'.freeze
13
+ VERSION = '0.1.4'.freeze
14
14
  end
15
15
  end
16
16
  end
@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
9
9
  spec.authors = ['Mike Pastore']
10
10
  spec.email = ['mike@oobak.org']
11
11
 
12
- spec.summary = %q{Slightly smarter session cookies for Rack apps}
12
+ spec.summary = %q{Slightly smarter session cookies for Rack 2 apps}
13
13
  spec.homepage = 'https://github.com/mwpastore/rack-session-smart_cookie#readme'
14
14
  spec.license = 'MIT'
15
15
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-session-smart_cookie
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.3
4
+ version: 0.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Pastore
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2017-11-01 00:00:00.000000000 Z
11
+ date: 2017-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: msgpack
@@ -150,5 +150,5 @@ rubyforge_project:
150
150
  rubygems_version: 2.6.13
151
151
  signing_key:
152
152
  specification_version: 4
153
- summary: Slightly smarter session cookies for Rack apps
153
+ summary: Slightly smarter session cookies for Rack 2 apps
154
154
  test_files: []