rack-session-smart_cookie 0.1.3 → 0.1.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 1810a34a2f96c7812e4d15fa413b375614d51997
4
- data.tar.gz: 899d9e588489e1250d1c5617861b2b0c18d74953
3
+ metadata.gz: e83bdebac8d1746d4918c878dfa16fdfcd8f4b03
4
+ data.tar.gz: 77739204186ab0b9d50c0b15abca508d326cb990
5
5
  SHA512:
6
- metadata.gz: 6b78233babd67dee7a0d90dad14d5110f89224afeb2c755e72fdcccd600cdedec7d7455c0cb0925ca0c4614c703eb0f8fcf228913fcb7e74f3d69a34bdbc9dab
7
- data.tar.gz: 676876cf5c8c5cb309aec3a44e9c81f23404a319eaa68185088aeb311dc9abc31944d434f77c5313a2a76d860d443086fabfa4fe22dd622d9c9a6d72ebc752c8
6
+ metadata.gz: 4b026b789349a4e07d5da56fb01ae3012f62ff91b0cea6b87e7fdb89589638f5721cc1bbb9b0b88a4443ed351541785fe1f92cb74c95f3d64a143b22e5baa60e
7
+ data.tar.gz: 1642c2bf3230c4b6f0e0ad0e52dccc7a2073f11982d1019b9b1ee3dddf9d6dc42e1146f7591820fbdca7876d12a5e072a7382a3e2140a96e771ab033053ed00e
data/README.md CHANGED
@@ -6,21 +6,21 @@
6
6
  The version of Rack::Session::Cookie that ships with Rack 2 has the following
7
7
  limitations:
8
8
 
9
- * Insecure SHA1 (HMAC-SHA1) by default
9
+ * HMAC-SHA1 by default
10
10
  * Slow and/or bloated JSON, ZipJSON, or Marshal encoding out of the box
11
11
  * JSON encodings do not preserve Symbols
12
12
  * Digest is double-encoded and bloated (hexdigest of a base64)
13
13
  * Base64-encoded strings contain unecessary padding and characters that need to
14
14
  be escaped (e.g. `/` becomes `%2F`), wasting precious cookie bytes
15
- * It has some bugs in the size check that may lead to truncated cookies, token
16
- leakage, and/or cross-site request forgery
15
+ * It has some bugs in the size check that may lead to dropped or truncated
16
+ cookies, token leakage, and/or cross-site request forgery
17
17
 
18
18
  Of course, none of these are true show-stoppers, and the worst can be worked
19
19
  around by passing e.g. `:hmac` and `:coder` to the initializer. But we are nice
20
20
  people and we deserve nice things. This gem provides a minor derivative of
21
21
  Rack::Session::Cookie with the following improvements:
22
22
 
23
- * Secure SHA2 (HMAC-SHA-256) by default
23
+ * HMAC-SHA256 by default
24
24
  * Compact binary serialization format (currently [MessagePack][3] but will
25
25
  likely change to [CBOR][4] in the future) out of the box
26
26
  * Symbols are preserved with the default `:coder`
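Review bot: the unchanged context line in this hunk still misspells "unnecessary" as "unecessary"; since the bullet list is being edited anyway, fix it in the same change. Dropping "Insecure" from the HMAC-SHA1 bullet matches the removal of SHA1 from BAD_DIGESTS in the lib hunk, but the README no longer says why HMAC-SHA256 remains the recommended default; one sentence on that would keep the "limitation" bullet and the "improvement" bullet from reading as a contradiction now that neither is labelled secure or insecure.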
@@ -49,7 +49,7 @@ stringification scheme other than non-padded, URL-safe Base64! It doesn't need
49
49
  to be configurable. The serializer remains configurable as the `:coder`.
50
50
 
51
51
  The remaining differences are mostly just better defaults: MessagePack and
52
- SHA2.
52
+ HMAC-SHA256.
53
53
 
54
54
  ## Installation
55
55
 
@@ -103,8 +103,8 @@ and add ZipJSON. Although it comes in second-most compact at 289 bytes (cf.
103
103
  protocol buffers and MessagePack at 204 and 373 bytes, respectively), it was
104
104
  97% slower to encode and 91% slower to decode cf. MessagePack.
105
105
 
106
- I put this mock session payload through the following configurations with SHA2
107
- and 128 sidbits and here are the results:
106
+ I put this mock session payload through the following configurations with
107
+ HMAC-SHA256 and 128 sidbits and here are the results:
108
108
 
109
109
  ```ruby
110
110
  {
@@ -3,13 +3,13 @@ require 'rack/session/smart_cookie/version'
3
3
 
4
4
  require 'base64'
5
5
  require 'msgpack'
6
- require 'openssl'
6
+ require 'openssl/digest'
7
7
  require 'rack/session/cookie'
8
8
 
9
9
  module Rack
10
10
  module Session
11
11
  class SmartCookie < Cookie
12
- BAD_DIGESTS = %w[MD2 MD4 MD5 SHA SHA1].freeze
12
+ BAD_DIGESTS = %w[MD2 MD4 MD5 SHA].freeze
13
13
  DEFAULT_DIGEST = 'SHA256'
14
14
  SECRET_MIN_BYTESIZE = 16
15
15
 
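Review bot: replacing `require 'openssl'` with `require 'openssl/digest'` deserves a check before merge: this file is loaded before `rack/session/cookie`, and Rack::Session::Cookie relies on OpenSSL::HMAC, so unless `openssl/digest` is guaranteed to load the openssl extension itself on every supported Ruby, keeping the plain `require 'openssl'` is the safer choice. Removing SHA1 from BAD_DIGESTS is consistent with the README change in this release, but it silently changes which configurations trigger the "effectively broken" warning, so call it out in the commit message or changelog.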
@@ -33,16 +33,7 @@ module Rack
33
33
  def self.decode(str)
34
34
  return unless str
35
35
 
36
- num_pad_chars =
37
- case str.bytesize % 4
38
- when 0 then 0
39
- when 2 then 2
40
- when 3 then 1
41
- else
42
- fail 'Invalid Base64-encoded string!'
43
- end
44
-
45
- ::Base64.urlsafe_decode64(str + '=' * num_pad_chars)
36
+ ::Base64.urlsafe_decode64(str + '=' * (-str.bytesize % 4))
46
37
  rescue
47
38
  end
48
39
  end
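Review bot: `'=' * (-str.bytesize % 4)` pads a string whose length is 1 mod 4 with three `=` instead of failing early as the old `case` did; that input is still rejected, but now by `urlsafe_decode64` raising inside the bare `rescue`, which swallows every StandardError rather than just malformed input. Narrowing it to `rescue ArgumentError` (returning nil explicitly) keeps the "reject garbage cookies" behaviour without hiding unrelated bugs. Also worth confirming on the Rubies this gem supports whether `Base64.urlsafe_decode64` already accepts unpadded input, in which case the padding arithmetic can go entirely.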
@@ -79,7 +70,7 @@ module Rack
79
70
 
80
71
  def initialize(app, options={})
81
72
  options[:coder] ||= MessagePack.new
82
- options[:hmac] = OpenSSL::Digest.const_get(DEFAULT_DIGEST) unless options.key?(:hmac)
73
+ options[:hmac] = OpenSSL::Digest(DEFAULT_DIGEST) unless options.key?(:hmac)
83
74
 
84
75
  super
85
76
 
@@ -91,10 +82,10 @@ module Rack
91
82
  digest algorithm (#{hmac.class}).
92
83
 
93
84
  Such algorithms are generally considered to be effectively broken. It
94
- is strongly recommended that you elect to use a message digest algorithm
95
- from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or one of the
96
- derivatives such as SHA512/256. This will help prevent exploits that
97
- may be possible from crafted cookies.
85
+ is strongly recommended that you elect to use a message digest
86
+ algorithm from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or
87
+ one of the derivatives such as SHA512/256. This will help prevent
88
+ exploits that may be possible from crafted cookies.
98
89
 
99
90
  Called from: #{caller[0]}.
100
91
  MSG
@@ -10,7 +10,7 @@ module Rack
10
10
  Cookie = Class.new unless defined?(Cookie)
11
11
 
12
12
  class SmartCookie < Cookie
13
- VERSION = '0.1.3'.freeze
13
+ VERSION = '0.1.4'.freeze
14
14
  end
15
15
  end
16
16
  end
@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
9
9
  spec.authors = ['Mike Pastore']
10
10
  spec.email = ['mike@oobak.org']
11
11
 
12
- spec.summary = %q{Slightly smarter session cookies for Rack apps}
12
+ spec.summary = %q{Slightly smarter session cookies for Rack 2 apps}
13
13
  spec.homepage = 'https://github.com/mwpastore/rack-session-smart_cookie#readme'
14
14
  spec.license = 'MIT'
15
15
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-session-smart_cookie
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.3
4
+ version: 0.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Pastore
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2017-11-01 00:00:00.000000000 Z
11
+ date: 2017-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: msgpack
@@ -150,5 +150,5 @@ rubyforge_project:
150
150
  rubygems_version: 2.6.13
151
151
  signing_key:
152
152
  specification_version: 4
153
- summary: Slightly smarter session cookies for Rack apps
153
+ summary: Slightly smarter session cookies for Rack 2 apps
154
154
  test_files: []