RubyGems - rack-session - Versions diffs - 1.0.2 → 2.1.1 - Mend

rack-session 1.0.2 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/lib/rack/session/abstract/id.rb +535 -0
data/lib/rack/session/constants.rb +13 -0
data/lib/rack/session/cookie.rb +313 -0
data/lib/rack/session/encryptor.rb +192 -0
data/lib/rack/session/pool.rb +82 -0
data/lib/rack/session/version.rb +1 -1
data/lib/rack/session.rb +13 -5
data/license.md +50 -2
data/releases.md +27 -0
metadata +30 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11a5c280b017199d82d7ac8f5518048cedb48f1e0e01ee162cefe4a4751b1931
-  data.tar.gz: 3e38b13932869caacf14361cb9921b6b084feb2393f6c945cf9884f9647ac445
+  metadata.gz: 24dbcb8931b1a26d39b7165f872231e9ce7f9006e8495616416faeb4538ed8e6
+  data.tar.gz: c26f979218fb4ac3b626d8638ee7b0e00183ac1acffdc1fb393fd85919e1cf46
 SHA512:
-  metadata.gz: e5c519939f66107a12bc1d561329fd3c4df2ea085d099395b190a3dd7dde0455677ff1b31c55e09528abd7223e3058d27d8a7ef12a0a25cba2dc18bec6b80910
-  data.tar.gz: 789a2af79f74672cac563fbc2e0d00163393499d491a02107390cca3fffa3d4d1f53e6d35a494b0b0b057a7ba3b2aee70d5d5c4d3b249b1f1c0e116ea98f372c
+  metadata.gz: e345e1424c6092e771a16f15fee04c19128dacfa50b586fbd7795ce1699fe50cbf2b7028624dc945e60a055f20c99c0d88c7c1eec729b13d527f3c3bcc7d6e6e
+  data.tar.gz: 8da88daf469c01ebeef2bb75b5ee04efc42e836807b3000b028fa2eb73f11db3585410321297e7607bd0e9413f768dab2a55e54f08e5326697e1d472f9363e6c

data/lib/rack/session/abstract/id.rb ADDED Viewed

@@ -0,0 +1,535 @@
+# frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Jeremy Evans.
+require 'time'
+require 'securerandom'
+require 'digest/sha2'
+require 'rack/constants'
+require 'rack/request'
+require 'rack/response'
+require_relative '../constants'
+module Rack
+  module Session
+    class SessionId
+      ID_VERSION = 2
+      attr_reader :public_id
+      def initialize(public_id)
+        @public_id = public_id
+      end
+      def private_id
+        "#{ID_VERSION}::#{hash_sid(public_id)}"
+      end
+      alias :cookie_value :public_id
+      alias :to_s :public_id
+      def empty?; false; end
+      def inspect; public_id.inspect; end
+      private
+      def hash_sid(sid)
+        Digest::SHA256.hexdigest(sid)
+      end
+    end
+    module Abstract
+      # SessionHash is responsible to lazily load the session from store.
+      class SessionHash
+        include Enumerable
+        attr_writer :id
+        Unspecified = Object.new
+        def self.find(req)
+          req.get_header RACK_SESSION
+        end
+        def self.set(req, session)
+          req.set_header RACK_SESSION, session
+        end
+        def self.set_options(req, options)
+          req.set_header RACK_SESSION_OPTIONS, options.dup
+        end
+        def initialize(store, req)
+          @store = store
+          @req = req
+          @loaded = false
+        end
+        def id
+          return @id if @loaded or instance_variable_defined?(:@id)
+          @id = @store.send(:extract_session_id, @req)
+        end
+        def options
+          @req.session_options
+        end
+        def each(&block)
+          load_for_read!
+          @data.each(&block)
+        end
+        def [](key)
+          load_for_read!
+          @data[key.to_s]
+        end
+        def dig(key, *keys)
+          load_for_read!
+          @data.dig(key.to_s, *keys)
+        end
+        def fetch(key, default = Unspecified, &block)
+          load_for_read!
+          if default == Unspecified
+            @data.fetch(key.to_s, &block)
+          else
+            @data.fetch(key.to_s, default, &block)
+          end
+        end
+        def has_key?(key)
+          load_for_read!
+          @data.has_key?(key.to_s)
+        end
+        alias :key? :has_key?
+        alias :include? :has_key?
+        def []=(key, value)
+          load_for_write!
+          @data[key.to_s] = value
+        end
+        alias :store :[]=
+        def clear
+          load_for_write!
+          @data.clear
+        end
+        def destroy
+          clear
+          @id = @store.send(:delete_session, @req, id, options)
+        end
+        def to_hash
+          load_for_read!
+          @data.dup
+        end
+        def update(hash)
+          load_for_write!
+          @data.update(stringify_keys(hash))
+        end
+        alias :merge! :update
+        def replace(hash)
+          load_for_write!
+          @data.replace(stringify_keys(hash))
+        end
+        def delete(key)
+          load_for_write!
+          @data.delete(key.to_s)
+        end
+        def inspect
+          if loaded?
+            @data.inspect
+          else
+            "#<#{self.class}:0x#{self.object_id.to_s(16)} not yet loaded>"
+          end
+        end
+        def exists?
+          return @exists if instance_variable_defined?(:@exists)
+          @data = {}
+          @exists = @store.send(:session_exists?, @req)
+        end
+        def loaded?
+          @loaded
+        end
+        def empty?
+          load_for_read!
+          @data.empty?
+        end
+        def keys
+          load_for_read!
+          @data.keys
+        end
+        def values
+          load_for_read!
+          @data.values
+        end
+      private
+        def load_for_read!
+          load! if !loaded? && exists?
+        end
+        def load_for_write!
+          load! unless loaded?
+        end
+        def load!
+          @id, session = @store.send(:load_session, @req)
+          @data = stringify_keys(session)
+          @loaded = true
+        end
+        def stringify_keys(other)
+          # Use transform_keys after dropping Ruby 2.4 support
+          hash = {}
+          other.to_hash.each do |key, value|
+            hash[key.to_s] = value
+          end
+          hash
+        end
+      end
+      # ID sets up a basic framework for implementing an id based sessioning
+      # service. Cookies sent to the client for maintaining sessions will only
+      # contain an id reference. Only #find_session, #write_session and
+      # #delete_session are required to be overwritten.
+      #
+      # All parameters are optional.
+      # * :key determines the name of the cookie, by default it is
+      #   'rack.session'
+      # * :path, :domain, :expire_after, :secure, :httponly, :partitioned and :same_site set
+      #   the related cookie options as by Rack::Response#set_cookie
+      # * :skip will not a set a cookie in the response nor update the session state
+      # * :defer will not set a cookie in the response but still update the session
+      #   state if it is used with a backend
+      # * :renew (implementation dependent) will prompt the generation of a new
+      #   session id, and migration of data to be referenced at the new id. If
+      #   :defer is set, it will be overridden and the cookie will be set.
+      # * :sidbits sets the number of bits in length that a generated session
+      #   id will be.
+      #
+      # These options can be set on a per request basis, at the location of
+      # <tt>env['rack.session.options']</tt>. Additionally the id of the
+      # session can be found within the options hash at the key :id. It is
+      # highly not recommended to change its value.
+      #
+      # Is Rack::Utils::Context compatible.
+      #
+      # Not included by default; you must require 'rack/session/abstract/id'
+      # to use.
+      class Persisted
+        DEFAULT_OPTIONS = {
+          key: RACK_SESSION,
+          path: '/',
+          domain: nil,
+          expire_after: nil,
+          secure: false,
+          httponly: true,
+          partitioned: false,
+          defer: false,
+          renew: false,
+          sidbits: 128,
+          cookie_only: true,
+          secure_random: ::SecureRandom
+        }.freeze
+        attr_reader :key, :default_options, :sid_secure, :same_site
+        def initialize(app, options = {})
+          @app = app
+          @default_options = self.class::DEFAULT_OPTIONS.merge(options)
+          @key = @default_options.delete(:key)
+          @assume_ssl = @default_options.delete(:assume_ssl)
+          @cookie_only = @default_options.delete(:cookie_only)
+          @same_site = @default_options.delete(:same_site)
+          initialize_sid
+        end
+        def call(env)
+          context(env)
+        end
+        def context(env, app = @app)
+          req = make_request env
+          prepare_session(req)
+          status, headers, body = app.call(req.env)
+          res = Rack::Response::Raw.new status, headers
+          commit_session(req, res)
+          [status, headers, body]
+        end
+        private
+        def make_request(env)
+          Rack::Request.new env
+        end
+        def initialize_sid
+          @sidbits = @default_options[:sidbits]
+          @sid_secure = @default_options[:secure_random]
+          @sid_length = @sidbits / 4
+        end
+        # Generate a new session id using Ruby #rand.  The size of the
+        # session id is controlled by the :sidbits option.
+        # Monkey patch this to use custom methods for session id generation.
+        def generate_sid(secure = @sid_secure)
+          if secure
+            secure.hex(@sid_length)
+          else
+            "%0#{@sid_length}x" % Kernel.rand(2**@sidbits - 1)
+          end
+        rescue NotImplementedError
+          generate_sid(false)
+        end
+        # Sets the lazy session at 'rack.session' and places options and session
+        # metadata into 'rack.session.options'.
+        def prepare_session(req)
+          session_was               = req.get_header RACK_SESSION
+          session                   = session_class.new(self, req)
+          req.set_header RACK_SESSION, session
+          req.set_header RACK_SESSION_OPTIONS, @default_options.dup
+          session.merge! session_was if session_was
+        end
+        # Extracts the session id from provided cookies and passes it and the
+        # environment to #find_session.
+        def load_session(req)
+          sid = current_session_id(req)
+          sid, session = find_session(req, sid)
+          [sid, session || {}]
+        end
+        # Extract session id from request object.
+        def extract_session_id(request)
+          sid = request.cookies[@key]
+          sid ||= request.params[@key] unless @cookie_only
+          sid
+        end
+        # Returns the current session id from the SessionHash.
+        def current_session_id(req)
+          req.get_header(RACK_SESSION).id
+        end
+        # Check if the session exists or not.
+        def session_exists?(req)
+          value = current_session_id(req)
+          value && !value.empty?
+        end
+        # Session should be committed if it was loaded, any of specific options like :renew, :drop
+        # or :expire_after was given and the security permissions match. Skips if skip is given.
+        def commit_session?(req, session, options)
+          if options[:skip]
+            false
+          else
+            has_session = loaded_session?(session) || forced_session_update?(session, options)
+            has_session && security_matches?(req, options)
+          end
+        end
+        def loaded_session?(session)
+          !session.is_a?(session_class) || session.loaded?
+        end
+        def forced_session_update?(session, options)
+          force_options?(options) && session && !session.empty?
+        end
+        def force_options?(options)
+          options.values_at(:max_age, :renew, :drop, :defer, :expire_after).any?
+        end
+        def security_matches?(request, options)
+          return true unless options[:secure]
+          request.ssl? || @assume_ssl == true
+        end
+        # Acquires the session from the environment and the session id from
+        # the session options and passes them to #write_session. If successful
+        # and the :defer option is not true, a cookie will be added to the
+        # response with the session's id.
+        def commit_session(req, res)
+          session = req.get_header RACK_SESSION
+          options = session.options
+          if options[:drop] || options[:renew]
+            session_id = delete_session(req, session.id || generate_sid, options)
+            return unless session_id
+          end
+          return unless commit_session?(req, session, options)
+          session.send(:load!) unless loaded_session?(session)
+          session_id ||= session.id
+          session_data = session.to_hash.delete_if { |k, v| v.nil? }
+          if not data = write_session(req, session_id, session_data, options)
+            req.get_header(RACK_ERRORS).puts("Warning! #{self.class.name} failed to save session. Content dropped.")
+          elsif options[:defer] and not options[:renew]
+            req.get_header(RACK_ERRORS).puts("Deferring cookie for #{session_id}") if $VERBOSE
+          else
+            cookie = Hash.new
+            cookie[:value] = cookie_value(data)
+            cookie[:expires] = Time.now + options[:expire_after] if options[:expire_after]
+            cookie[:expires] = Time.now + options[:max_age] if options[:max_age]
+            if @same_site.respond_to? :call
+              cookie[:same_site] = @same_site.call(req, res)
+            else
+              cookie[:same_site] = @same_site
+            end
+            set_cookie(req, res, cookie.merge!(options))
+          end
+        end
+        public :commit_session
+        def cookie_value(data)
+          data
+        end
+        # Sets the cookie back to the client with session id. We skip the cookie
+        # setting if the value didn't change (sid is the same) or expires was given.
+        def set_cookie(request, response, cookie)
+          if request.cookies[@key] != cookie[:value] || cookie[:expires]
+            response.set_cookie(@key, cookie)
+          end
+        end
+        # Allow subclasses to prepare_session for different Session classes
+        def session_class
+          SessionHash
+        end
+        # All thread safety and session retrieval procedures should occur here.
+        # Should return [session_id, session].
+        # If nil is provided as the session id, generation of a new valid id
+        # should occur within.
+        def find_session(env, sid)
+          raise '#find_session not implemented.'
+        end
+        # All thread safety and session storage procedures should occur here.
+        # Must return the session id if the session was saved successfully, or
+        # false if the session could not be saved.
+        def write_session(req, sid, session, options)
+          raise '#write_session not implemented.'
+        end
+        # All thread safety and session destroy procedures should occur here.
+        # Should return a new session id or nil if options[:drop]
+        def delete_session(req, sid, options)
+          raise '#delete_session not implemented'
+        end
+      end
+      class PersistedSecure < Persisted
+        class SecureSessionHash < SessionHash
+          def [](key)
+            if key == "session_id"
+              load_for_read!
+              case id
+              when SessionId
+                id.public_id
+              else
+                id
+              end
+            else
+              super
+            end
+          end
+        end
+        def generate_sid(*)
+          public_id = super
+          SessionId.new(public_id)
+        end
+        def extract_session_id(*)
+          public_id = super
+          public_id && SessionId.new(public_id)
+        end
+        private
+        def session_class
+          SecureSessionHash
+        end
+        def cookie_value(data)
+          data.cookie_value
+        end
+      end
+      class ID < Persisted
+        def self.inherited(klass)
+          k = klass.ancestors.find { |kl| kl.respond_to?(:superclass) && kl.superclass == ID }
+          unless k.instance_variable_defined?(:"@_rack_warned")
+            warn "#{klass} is inheriting from #{ID}.  Inheriting from #{ID} is deprecated, please inherit from #{Persisted} instead" if $VERBOSE
+            k.instance_variable_set(:"@_rack_warned", true)
+          end
+          super
+        end
+        # All thread safety and session retrieval procedures should occur here.
+        # Should return [session_id, session].
+        # If nil is provided as the session id, generation of a new valid id
+        # should occur within.
+        def find_session(req, sid)
+          get_session req.env, sid
+        end
+        # All thread safety and session storage procedures should occur here.
+        # Must return the session id if the session was saved successfully, or
+        # false if the session could not be saved.
+        def write_session(req, sid, session, options)
+          set_session req.env, sid, session, options
+        end
+        # All thread safety and session destroy procedures should occur here.
+        # Should return a new session id or nil if options[:drop]
+        def delete_session(req, sid, options)
+          destroy_session req.env, sid, options
+        end
+      end
+    end
+  end
+end

data/lib/rack/session/constants.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Jeremy Evans.
+module Rack
+  module Session
+    RACK_SESSION                        = 'rack.session'
+    RACK_SESSION_OPTIONS                = 'rack.session.options'
+    RACK_SESSION_UNPACKED_COOKIE_DATA   = 'rack.session.unpacked_cookie_data'
+  end
+end

data/lib/rack/session/cookie.rb ADDED Viewed

@@ -0,0 +1,313 @@
+# frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Jeremy Evans.
+# Copyright, 2022, by Jon Dufresne.
+require 'openssl'
+require 'zlib'
+require 'json'
+require 'base64'
+require 'delegate'
+require 'rack/constants'
+require 'rack/utils'
+require_relative 'abstract/id'
+require_relative 'encryptor'
+require_relative 'constants'
+module Rack
+  module Session
+    # Rack::Session::Cookie provides simple cookie based session management.
+    # By default, the session is a Ruby Hash that is serialized and encoded as
+    # a cookie set to :key (default: rack.session).
+    #
+    # This middleware accepts a :secrets option which enables encryption of
+    # session cookies. This option should be one or more random "secret keys"
+    # that are each at least 64 bytes in length. Multiple secret keys can be
+    # supplied in an Array, which is useful when rotating secrets.
+    #
+    # Several options are also accepted that are passed to Rack::Session::Encryptor.
+    # These options include:
+    # * :serialize_json
+    #     Use JSON for message serialization instead of Marshal. This can be
+    #     viewed as a security enhancement.
+    # * :gzip_over
+    #     For message data over this many bytes, compress it with the deflate
+    #     algorithm.
+    #
+    # Refer to Rack::Session::Encryptor for more details on these options.
+    #
+    # Prior to version TODO, the session hash was stored as base64 encoded
+    # marshalled data. When a :secret option was supplied, the integrity of the
+    # encoded data was protected with HMAC-SHA1. This functionality is still
+    # supported using a set of a legacy options.
+    #
+    # Lastly, a :coder option is also accepted. When used, both encryption and
+    # the legacy HMAC will be skipped. This option could create security issues
+    # in your application!
+    #
+    # Example:
+    #
+    #   use Rack::Session::Cookie, {
+    #     key: 'rack.session',
+    #     domain: 'foo.com',
+    #     path: '/',
+    #     expire_after: 2592000,
+    #     secrets: 'a randomly generated, raw binary string 64 bytes in size',
+    #   }
+    #
+    # Example using legacy HMAC options:
+    #
+    #   Rack::Session:Cookie.new(application, {
+    #     # The secret used for legacy HMAC cookies, this enables the functionality
+    #     legacy_hmac_secret: 'legacy secret',
+    #     # legacy_hmac_coder will default to Rack::Session::Cookie::Base64::Marshal
+    #     legacy_hmac_coder: Rack::Session::Cookie::Identity.new,
+    #     # legacy_hmac will default to OpenSSL::Digest::SHA1
+    #     legacy_hmac: OpenSSL::Digest::SHA256
+    #   })
+    #
+    # Example of a cookie with no encoding:
+    #
+    #   Rack::Session::Cookie.new(application, {
+    #     :coder => Rack::Session::Cookie::Identity.new
+    #   })
+    #
+    # Example of a cookie with custom encoding:
+    #
+    #   Rack::Session::Cookie.new(application, {
+    #     :coder => Class.new {
+    #       def encode(str); str.reverse; end
+    #       def decode(str); str.reverse; end
+    #     }.new
+    #   })
+    #
+    class Cookie < Abstract::PersistedSecure
+      # Encode session cookies as Base64
+      class Base64
+        def encode(str)
+          ::Base64.strict_encode64(str)
+        end
+        def decode(str)
+          ::Base64.decode64(str)
+        end
+        # Encode session cookies as Marshaled Base64 data
+        class Marshal < Base64
+          def encode(str)
+            super(::Marshal.dump(str))
+          end
+          def decode(str)
+            return unless str
+            ::Marshal.load(super(str)) rescue nil
+          end
+        end
+        # N.B. Unlike other encoding methods, the contained objects must be a
+        # valid JSON composite type, either a Hash or an Array.
+        class JSON < Base64
+          def encode(obj)
+            super(::JSON.dump(obj))
+          end
+          def decode(str)
+            return unless str
+            ::JSON.parse(super(str)) rescue nil
+          end
+        end
+        class ZipJSON < Base64
+          def encode(obj)
+            super(Zlib::Deflate.deflate(::JSON.dump(obj)))
+          end
+          def decode(str)
+            return unless str
+            ::JSON.parse(Zlib::Inflate.inflate(super(str)))
+          rescue
+            nil
+          end
+        end
+      end
+      # Use no encoding for session cookies
+      class Identity
+        def encode(str); str; end
+        def decode(str); str; end
+      end
+      class Marshal
+        def encode(str)
+          ::Marshal.dump(str)
+        end
+        def decode(str)
+          ::Marshal.load(str) if str
+        end
+      end
+      attr_reader :coder, :encryptors
+      def initialize(app, options = {})
+        # support both :secrets and :secret for backwards compatibility
+        secrets = [*(options[:secrets] || options[:secret])]
+        encryptor_opts = {
+          purpose: options[:key], serialize_json: options[:serialize_json]
+        }
+        # For each secret, create an Encryptor. We have iterate this Array at
+        # decryption time to achieve key rotation.
+        @encryptors = secrets.map do |secret|
+          Rack::Session::Encryptor.new secret, encryptor_opts
+        end
+        # If a legacy HMAC secret is present, initialize those features.
+        # Fallback to :secret for backwards compatibility.
+        if options.has_key?(:legacy_hmac_secret) || options.has_key?(:secret)
+          @legacy_hmac = options.fetch(:legacy_hmac, 'SHA1')
+          @legacy_hmac_secret = options[:legacy_hmac_secret] || options[:secret]
+          @legacy_hmac_coder  = options.fetch(:legacy_hmac_coder, Base64::Marshal.new)
+        else
+          @legacy_hmac = false
+        end
+        warn <<-MSG unless secure?(options)
+        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+        This poses a security threat. It is strongly recommended that you
+        provide a secret to prevent exploits that may be possible from crafted
+        cookies. This will not be supported in future versions of Rack, and
+        future versions will even invalidate your existing user cookies.
+        Called from: #{caller[0]}.
+        MSG
+        # Potential danger ahead! Marshal without verification and/or
+        # encryption could present a major security issue.
+        @coder = options[:coder] ||= Base64::Marshal.new
+        super(app, options.merge!(cookie_only: true))
+      end
+      private
+      def find_session(req, sid)
+        data = unpacked_cookie_data(req)
+        data = persistent_session_id!(data)
+        [data["session_id"], data]
+      end
+      def extract_session_id(request)
+        unpacked_cookie_data(request)&.[]("session_id")
+      end
+      def unpacked_cookie_data(request)
+        request.fetch_header(RACK_SESSION_UNPACKED_COOKIE_DATA) do |k|
+          if cookie_data = request.cookies[@key]
+            session_data = nil
+            # Try to decrypt the session data with our encryptors
+            encryptors.each do |encryptor|
+              begin
+                session_data = encryptor.decrypt(cookie_data)
+                break
+              rescue Rack::Session::Encryptor::Error => error
+                request.env[Rack::RACK_ERRORS].puts "Session cookie encryptor error: #{error.message}"
+                next
+              end
+            end
+            # If session decryption fails but there is @legacy_hmac_secret
+            # defined, attempt legacy HMAC verification
+            if !session_data && @legacy_hmac_secret
+              # Parse and verify legacy HMAC session cookie
+              session_data, _, digest = cookie_data.rpartition('--')
+              session_data = nil unless legacy_digest_match?(session_data, digest)
+              # Decode using legacy HMAC decoder
+              session_data = @legacy_hmac_coder.decode(session_data)
+            elsif !session_data && coder
+              # Use the coder option, which has the potential to be very unsafe
+              session_data = coder.decode(cookie_data)
+            end
+          end
+          request.set_header(k, session_data || {})
+        end
+      end
+      def persistent_session_id!(data, sid = nil)
+        data ||= {}
+        data["session_id"] ||= sid || generate_sid
+        data
+      end
+      class SessionId < DelegateClass(Session::SessionId)
+        attr_reader :cookie_value
+        def initialize(session_id, cookie_value)
+          super(session_id)
+          @cookie_value = cookie_value
+        end
+      end
+      def write_session(req, session_id, session, options)
+        session = session.merge("session_id" => session_id)
+        session_data = encode_session_data(session)
+        if session_data.size > (4096 - @key.size)
+          req.get_header(RACK_ERRORS).puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
+          nil
+        else
+          SessionId.new(session_id, session_data)
+        end
+      end
+      def delete_session(req, session_id, options)
+        # Nothing to do here, data is in the client
+        generate_sid unless options[:drop]
+      end
+      def legacy_digest_match?(data, digest)
+        return false unless data && digest
+        Rack::Utils.secure_compare(digest, legacy_generate_hmac(data))
+      end
+      def legacy_generate_hmac(data)
+        OpenSSL::HMAC.hexdigest(@legacy_hmac, @legacy_hmac_secret, data)
+      end
+      def encode_session_data(session)
+        if encryptors.empty?
+          coder.encode(session)
+        else
+          encryptors.first.encrypt(session)
+        end
+      end
+      # Were consider "secure" if:
+      # * Encrypted cookies are enabled and one or more encryptor is
+      #   initialized
+      # * The legacy HMAC option is enabled
+      # * Customer :coder is used, with :let_coder_handle_secure_encoding
+      #   set to true
+      def secure?(options)
+        !@encryptors.empty? ||
+          @legacy_hmac ||
+          (options[:coder] && options[:let_coder_handle_secure_encoding])
+      end
+    end
+  end
+end

data/lib/rack/session/encryptor.rb ADDED Viewed

@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Philip Arndt.
+require 'base64'
+require 'openssl'
+require 'securerandom'
+require 'zlib'
+require 'rack/utils'
+module Rack
+  module Session
+    class Encryptor
+      class Error < StandardError
+      end
+      class InvalidSignature < Error
+      end
+      class InvalidMessage < Error
+      end
+      # The secret String must be at least 64 bytes in size. The first 32 bytes
+      # will be used for the encryption cipher key. The remainder will be used
+      # for an HMAC key.
+      #
+      # Options may include:
+      # * :serialize_json
+      #     Use JSON for message serialization instead of Marshal. This can be
+      #     viewed as a security enhancement.
+      # * :pad_size
+      #     Pad encrypted message data, to a multiple of this many bytes
+      #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
+      #     padding.
+      # * :purpose
+      #     Limit messages to a specific purpose. This can be viewed as a
+      #     security enhancement to prevent message reuse from different contexts
+      #     if keys are reused.
+      #
+      # Cryptography and Output Format:
+      #
+      #   urlsafe_encode64(version + random_data + IV + encrypted data + HMAC)
+      #
+      #  Where:
+      #  * version - 1 byte and is currently always 0x01
+      #  * random_data - 32 bytes used for generating the per-message secret
+      #  * IV - 16 bytes random initialization vector
+      #  * HMAC - 32 bytes HMAC-SHA-256 of all preceding data, plus the purpose
+      #    value
+      def initialize(secret, opts = {})
+        raise ArgumentError, "secret must be a String" unless String === secret
+        raise ArgumentError, "invalid secret: #{secret.bytesize}, must be >=64" unless secret.bytesize >= 64
+        case opts[:pad_size]
+        when nil
+          # padding is disabled
+        when Integer
+          raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
+        else
+          raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
+        end
+        @options = {
+          serialize_json: false, pad_size: 32, purpose: nil
+        }.update(opts)
+        @hmac_secret = secret.dup.force_encoding('BINARY')
+        @cipher_secret = @hmac_secret.slice!(0, 32)
+        @hmac_secret.freeze
+        @cipher_secret.freeze
+      end
+      def decrypt(base64_data)
+        data = Base64.urlsafe_decode64(base64_data)
+        signature = data.slice!(-32..-1)
+        verify_authenticity! data, signature
+        # The version is reserved for future
+        _version = data.slice!(0, 1)
+        message_secret = data.slice!(0, 32)
+        cipher_iv = data.slice!(0, 16)
+        cipher = new_cipher
+        cipher.decrypt
+        set_cipher_key(cipher, cipher_secret_from_message_secret(message_secret))
+        cipher.iv = cipher_iv
+        data = cipher.update(data) << cipher.final
+        deserialized_message data
+      rescue ArgumentError
+        raise InvalidSignature, 'Message invalid'
+      end
+      def encrypt(message)
+        version = "\1"
+        serialized_payload = serialize_payload(message)
+        message_secret, cipher_secret = new_message_and_cipher_secret
+        cipher = new_cipher
+        cipher.encrypt
+        set_cipher_key(cipher, cipher_secret)
+        cipher_iv = cipher.random_iv
+        encrypted_data = cipher.update(serialized_payload) << cipher.final
+        data = String.new
+        data << version
+        data << message_secret
+        data << cipher_iv
+        data << encrypted_data
+        data << compute_signature(data)
+        Base64.urlsafe_encode64(data)
+      end
+      private
+      def new_cipher
+        OpenSSL::Cipher.new('aes-256-ctr')
+      end
+      def new_message_and_cipher_secret
+        message_secret = SecureRandom.random_bytes(32)
+        [message_secret, cipher_secret_from_message_secret(message_secret)]
+      end
+      def cipher_secret_from_message_secret(message_secret)
+        OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @cipher_secret, message_secret)
+      end
+      def set_cipher_key(cipher, key)
+        cipher.key = key
+      end
+      def serializer
+        @serializer ||= @options[:serialize_json] ? JSON : Marshal
+      end
+      def compute_signature(data)
+        signing_data = data
+        signing_data += @options[:purpose] if @options[:purpose]
+        OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @hmac_secret, signing_data)
+      end
+      def verify_authenticity!(data, signature)
+        raise InvalidMessage, 'Message is invalid' if data.nil? || signature.nil?
+        unless Rack::Utils.secure_compare(signature, compute_signature(data))
+          raise InvalidSignature, 'HMAC is invalid'
+        end
+      end
+      # Returns a serialized payload of the message. If a :pad_size is supplied,
+      # the message will be padded. The first 2 bytes of the returned string will
+      # indicating the amount of padding.
+      def serialize_payload(message)
+        serialized_data = serializer.dump(message)
+        return "#{[0].pack('v')}#{serialized_data}" if @options[:pad_size].nil?
+        padding_bytes = @options[:pad_size] - (2 + serialized_data.size) % @options[:pad_size]
+        padding_data = SecureRandom.random_bytes(padding_bytes)
+        "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data}"
+      end
+      # Return the deserialized message. The first 2 bytes will be read as the
+      # amount of padding.
+      def deserialized_message(data)
+        # Read the first 2 bytes as the padding_bytes size
+        padding_bytes, = data.unpack('v')
+        # Slice out the serialized_data and deserialize it
+        serialized_data = data.slice(2 + padding_bytes, data.bytesize)
+        serializer.load serialized_data
+      end
+    end
+  end
+end

data/lib/rack/session/pool.rb ADDED Viewed

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+require_relative 'abstract/id'
+module Rack
+  module Session
+    # Rack::Session::Pool provides simple cookie based session management.
+    # Session data is stored in a hash held by @pool.
+    # In the context of a multithreaded environment, sessions being
+    # committed to the pool is done in a merging manner.
+    #
+    # The :drop option is available in rack.session.options if you wish to
+    # explicitly remove the session from the session cache.
+    #
+    # Example:
+    #   myapp = MyRackApp.new
+    #   sessioned = Rack::Session::Pool.new(myapp,
+    #     :domain => 'foo.com',
+    #     :expire_after => 2592000
+    #   )
+    #   Rack::Handler::WEBrick.run sessioned
+    class Pool < Abstract::PersistedSecure
+      attr_reader :mutex, :pool
+      DEFAULT_OPTIONS = Abstract::ID::DEFAULT_OPTIONS.merge(drop: false, allow_fallback: true)
+      def initialize(app, options = {})
+        super
+        @pool = Hash.new
+        @mutex = Mutex.new
+        @allow_fallback = @default_options.delete(:allow_fallback)
+      end
+      def generate_sid(*args, use_mutex: true)
+        loop do
+          sid = super(*args)
+          break sid unless use_mutex ? @mutex.synchronize { @pool.key? sid.private_id } : @pool.key?(sid.private_id)
+        end
+      end
+      def find_session(req, sid)
+        @mutex.synchronize do
+          unless sid and session = get_session_with_fallback(sid)
+            sid, session = generate_sid(use_mutex: false), {}
+            @pool.store sid.private_id, session
+          end
+          [sid, session]
+        end
+      end
+      def write_session(req, session_id, new_session, options)
+        @mutex.synchronize do
+          return false unless get_session_with_fallback(session_id)
+          @pool.store session_id.private_id, new_session
+          session_id
+        end
+      end
+      def delete_session(req, session_id, options)
+        @mutex.synchronize do
+          @pool.delete(session_id.public_id)
+          @pool.delete(session_id.private_id)
+          unless options[:drop]
+            sid = generate_sid(use_mutex: false)
+            @pool.store(sid.private_id, {})
+            sid
+          end
+        end
+      end
+      private
+      def get_session_with_fallback(sid)
+        @pool[sid.private_id] || (@pool[sid.public_id] if @allow_fallback)
+      end
+    end
+  end
+end

data/lib/rack/session/version.rb CHANGED Viewed

@@ -5,6 +5,6 @@
 module Rack
   module Session
-    VERSION = "1.0.2"
+    VERSION = "2.1.1"
   end
 end

data/lib/rack/session.rb CHANGED Viewed

@@ -1,5 +1,13 @@
-# Intentional NO-OP require target!
-#
-# See:
-# - https://github.com/rack/rack-session/issues/15
-# - https://github.com/rack/rack-session/issues/26
+# frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Jeremy Evans.
+module Rack
+  module Session
+    autoload :Cookie, "rack/session/cookie"
+    autoload :Pool, "rack/session/pool"
+    autoload :Memcache, "rack/session/memcache"
+  end
+end

data/license.md CHANGED Viewed

@@ -1,7 +1,55 @@
 # MIT License
-Copyright, 2022-2023, by Samuel Williams.
-Copyright, 2022, by Jeremy Evans.
+Copyright, 2007-2008, by Leah Neukirchen.
+Copyright, 2007-2009, by Scytrin dai Kinthra.
+Copyright, 2008, by Daniel Roethlisberger.
+Copyright, 2009, by Joshua Peek.
+Copyright, 2009, by Mickaël Riga.
+Copyright, 2010, by Simon Chiang.
+Copyright, 2010-2011, by José Valim.
+Copyright, 2010-2013, by James Tucker.
+Copyright, 2010-2019, by Aaron Patterson.
+Copyright, 2011, by Max Cantor.
+Copyright, 2011-2012, by Konstantin Haase.
+Copyright, 2011, by Will Leinweber.
+Copyright, 2011, by John Manoogian III.
+Copyright, 2012, by Yun Huang Yong.
+Copyright, 2012, by Ravil Bayramgalin.
+Copyright, 2012, by Timothy Elliott.
+Copyright, 2012, by Jamie Macey.
+Copyright, 2012-2015, by Santiago Pastorino.
+Copyright, 2013, by Andrew Cole.
+Copyright, 2013, by Postmodern.
+Copyright, 2013, by Vipul A M.
+Copyright, 2013, by Charles Hornberger.
+Copyright, 2014, by Michal Bryxí.
+Copyright, 2015, by deepj.
+Copyright, 2015, by Doug McInnes.
+Copyright, 2015, by David Runger.
+Copyright, 2015, by Francesco Rodríguez.
+Copyright, 2015, by Yuichiro Kaneko.
+Copyright, 2015, by Michael Sauter.
+Copyright, 2016, by Kir Shatrov.
+Copyright, 2016, by Yann Vanhalewyn.
+Copyright, 2016, by Jian Weihang.
+Copyright, 2017, by Jordan Raine.
+Copyright, 2018, by Dillon Welch.
+Copyright, 2018, by Yoshiyuki Hirano.
+Copyright, 2019, by Krzysztof Rybka.
+Copyright, 2019, by Frederick Cheung.
+Copyright, 2019, by Adrian Setyadi.
+Copyright, 2019, by Rafael Mendonça França.
+Copyright, 2019-2020, by Pavel Rosicky.
+Copyright, 2019, by Dima Fatko.
+Copyright, 2019, by Oleh Demianiuk.
+Copyright, 2020-2023, by Samuel Williams.
+Copyright, 2020-2022, by Jeremy Evans.
+Copyright, 2020, by Alex Speller.
+Copyright, 2020, by Ryuta Kamizono.
+Copyright, 2020, by Yudai Suzuki.
+Copyright, 2020, by Bart de Water.
+Copyright, 2020, by Alec Clarke.
+Copyright, 2021, by Michael Coyne.
 Copyright, 2022, by Philip Arndt.
 Copyright, 2022, by Jon Dufresne.

data/releases.md ADDED Viewed

@@ -0,0 +1,27 @@
+# Releases
+## v2.1.1
+  - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).
+## v2.1.0
+  - Improved compatibility with Ruby 3.3+ and Rack 3+.
+  - Add support for cookie option `partitioned`.
+  - Introduce `assume_ssl` option to allow secure session cookies through insecure proxy.
+## v2.0.0
+  - Initial migration of code from Rack 2, for Rack 3 release.
+## v1.0.2
+  - Fix missing `rack/session.rb` file.
+## v1.0.1
+  - Pin to `rack < 3`.
+## v1.0.0
+  - Empty shim release for Rack 2.

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-session
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 2.1.1
 platform: ruby
 authors:
 - Samuel Williams
@@ -11,22 +11,36 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-02 00:00:00.000000000 Z
+date: 2025-05-06 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3'
+        version: 3.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3'
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -104,14 +118,21 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/rack/session.rb
+- lib/rack/session/abstract/id.rb
+- lib/rack/session/constants.rb
+- lib/rack/session/cookie.rb
+- lib/rack/session/encryptor.rb
+- lib/rack/session/pool.rb
 - lib/rack/session/version.rb
 - license.md
 - readme.md
+- releases.md
 - security.md
 homepage: https://github.com/rack/rack-session
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -120,14 +141,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.22
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: A session implementation for Rack.