rack-session 1.0.2 → 2.1.2

data/lib/rack/session/encryptor.rb

@@ -0,0 +1,415 @@
+# frozen_string_literal: true
+
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Philip Arndt.
+
+require 'base64'
+require 'json'
+require 'openssl'
+require 'securerandom'
+
+require 'rack/utils'
+
+module Rack
+  module Session
+    class Encryptor
+      class Error < StandardError
+      end
+
+      class InvalidSignature < Error
+      end
+
+      class InvalidMessage < Error
+      end
+
+      module Serializable
+        private
+
+        # Returns a serialized payload of the message. If a :pad_size is supplied,
+        # the message will be padded. The first 2 bytes of the returned string will
+        # indicating the amount of padding.
+        def serialize_payload(message)
+          serialized_data = serializer.dump(message)
+
+          return "#{[0].pack('v')}#{serialized_data.force_encoding(Encoding::BINARY)}" if @options[:pad_size].nil?
+
+          padding_bytes = @options[:pad_size] - (2 + serialized_data.size) % @options[:pad_size]
+          padding_data = SecureRandom.random_bytes(padding_bytes)
+
+          "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data.force_encoding(Encoding::BINARY)}"
+        end
+
+        # Return the deserialized message. The first 2 bytes will be read as the
+        # amount of padding.
+        def deserialized_message(data)
+          # Read the first 2 bytes as the padding_bytes size
+          padding_bytes, = data.unpack('v')
+
+          # Slice out the serialized_data and deserialize it
+          serialized_data = data.slice(2 + padding_bytes, data.bytesize)
+          serializer.load serialized_data
+        end
+
+        def serializer
+          @serializer ||= @options[:serialize_json] ? JSON : Marshal
+        end
+      end
+
+      class V1
+        include Serializable
+
+        # The secret String must be at least 64 bytes in size. The first 32 bytes
+        # will be used for the encryption cipher key. The remainder will be used
+        # for an HMAC key.
+        #
+        # Options may include:
+        # * :serialize_json
+        #     Use JSON for message serialization instead of Marshal. This can be
+        #     viewed as a security enhancement.
+        # * :pad_size
+        #     Pad encrypted message data, to a multiple of this many bytes
+        #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
+        #     padding.
+        # * :purpose
+        #     Limit messages to a specific purpose. This can be viewed as a
+        #     security enhancement to prevent message reuse from different contexts
+        #     if keys are reused.
+        #
+        # Cryptography and Output Format:
+        #
+        #   urlsafe_encode64(version + random_data + IV + encrypted data + HMAC)
+        #
+        #  Where:
+        #  * version - 1 byte with value 0x01
+        #  * random_data - 32 bytes used for generating the per-message secret
+        #  * IV - 16 bytes random initialization vector
+        #  * HMAC - 32 bytes HMAC-SHA-256 of all preceding data, plus the purpose
+        #    value
+        def initialize(secret, opts = {})
+          raise ArgumentError, 'secret must be a String' unless secret.is_a?(String)
+          raise ArgumentError, "invalid secret: #{secret.bytesize}, must be >=64" unless secret.bytesize >= 64
+
+          case opts[:pad_size]
+          when nil
+          # padding is disabled
+          when Integer
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
+          else
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
+          end
+
+          @options = {
+            serialize_json: false, pad_size: 32, purpose: nil
+          }.update(opts)
+
+          @hmac_secret = secret.dup.force_encoding(Encoding::BINARY)
+          @cipher_secret = @hmac_secret.slice!(0, 32)
+
+          @hmac_secret.freeze
+          @cipher_secret.freeze
+        end
+
+        def decrypt(base64_data)
+          data = Base64.urlsafe_decode64(base64_data)
+
+          signature = data.slice!(-32..-1)
+          verify_authenticity!(data, signature)
+
+          version = data.slice!(0, 1)
+          raise InvalidMessage, 'wrong version' unless version == "\1"
+
+          message_secret = data.slice!(0, 32)
+          cipher_iv = data.slice!(0, 16)
+
+          cipher = new_cipher
+          cipher.decrypt
+
+          set_cipher_key(cipher, cipher_secret_from_message_secret(message_secret))
+
+          cipher.iv = cipher_iv
+          data = cipher.update(data) << cipher.final
+
+          deserialized_message data
+        rescue ArgumentError
+          raise InvalidSignature, 'Message invalid'
+        end
+
+        def encrypt(message)
+          version = "\1"
+
+          serialized_payload = serialize_payload(message)
+          message_secret, cipher_secret = new_message_and_cipher_secret
+
+          cipher = new_cipher
+          cipher.encrypt
+
+          set_cipher_key(cipher, cipher_secret)
+
+          cipher_iv = cipher.random_iv
+
+          encrypted_data = cipher.update(serialized_payload) << cipher.final
+
+          data = String.new
+          data << version
+          data << message_secret
+          data << cipher_iv
+          data << encrypted_data
+          data << compute_signature(data)
+
+          Base64.urlsafe_encode64(data)
+        end
+
+        private
+
+        def new_cipher
+          OpenSSL::Cipher.new('aes-256-ctr')
+        end
+
+        def new_message_and_cipher_secret
+          message_secret = SecureRandom.random_bytes(32)
+
+          [message_secret, cipher_secret_from_message_secret(message_secret)]
+        end
+
+        def cipher_secret_from_message_secret(message_secret)
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @cipher_secret, message_secret)
+        end
+
+        def set_cipher_key(cipher, key)
+          cipher.key = key
+        end
+
+        def compute_signature(data)
+          signing_data = data
+          signing_data += @options[:purpose] if @options[:purpose]
+
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @hmac_secret, signing_data)
+        end
+
+        def verify_authenticity!(data, signature)
+          raise InvalidMessage, 'Message is invalid' if data.nil? || signature.nil?
+
+          unless Rack::Utils.secure_compare(signature, compute_signature(data))
+            raise InvalidSignature, 'HMAC is invalid'
+          end
+        end
+      end
+
+      class V2
+        include Serializable
+
+        # The secret String must be at least 32 bytes in size.
+        #
+        # Options may include:
+        # * :pad_size
+        #     Pad encrypted message data, to a multiple of this many bytes
+        #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
+        #     padding.
+        # * :purpose
+        #     Limit messages to a specific purpose. This can be viewed as a
+        #     security enhancement to prevent message reuse from different contexts
+        #     if keys are reused.
+        #
+        # Cryptography and Output Format:
+        #
+        #   strict_encode64(version + salt + IV + authentication tag + ciphertext)
+        #
+        #  Where:
+        #  * version - 1 byte with value 0x02
+        #  * salt - 32 bytes used for generating the per-message secret
+        #  * IV - 12 bytes random initialization vector
+        #  * authentication tag - 16 bytes authentication tag generated by the GCM mode, covering version and salt
+        #
+        # Considerations about V2:
+        #
+        # 1) It uses non URL-safe Base64 encoding as it's faster than its
+        #    URL-safe counterpart - as of Ruby 3.2, Base64.urlsafe_encode64 is
+        #    roughly equivalent to
+        #
+        #    Base64.strict_encode64(data).tr("-_", "+/")
+        #
+        #    - and cookie values don't need to be URL-safe.
+        def initialize(secret, opts = {})
+          raise ArgumentError, 'secret must be a String' unless secret.is_a?(String)
+
+          unless secret.bytesize >= 32
+            raise ArgumentError, "invalid secret: it's #{secret.bytesize}-byte long, must be >=32"
+          end
+
+          case opts[:pad_size]
+          when nil
+          # padding is disabled
+          when Integer
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
+          else
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
+          end
+
+          @options = {
+            serialize_json: false, pad_size: 32, purpose: nil
+          }.update(opts)
+
+          @cipher_secret = secret.dup.force_encoding(Encoding::BINARY).slice!(0, 32)
+          @cipher_secret.freeze
+        end
+
+        def decrypt(base64_data)
+          data = Base64.strict_decode64(base64_data)
+          if data.bytesize <= 61 # version + salt + iv + auth_tag = 61 byte (and we also need some ciphertext :)
+            raise InvalidMessage, 'invalid message'
+          end
+
+          version = data[0]
+          raise InvalidMessage, 'invalid message' unless version == "\2"
+
+          ciphertext = data.slice!(61..-1)
+          auth_tag = data.slice!(45, 16)
+          cipher_iv = data.slice!(33, 12)
+
+          cipher = new_cipher
+          cipher.decrypt
+          salt = data.slice(1, 32)
+          set_cipher_key(cipher, message_secret_from_salt(salt))
+          cipher.iv = cipher_iv
+          cipher.auth_tag = auth_tag
+          cipher.auth_data = (purpose = @options[:purpose]) ? data + purpose : data
+
+          plaintext = cipher.update(ciphertext) << cipher.final
+
+          deserialized_message plaintext
+        rescue ArgumentError, OpenSSL::Cipher::CipherError
+          raise InvalidSignature, 'invalid message'
+        end
+
+        def encrypt(message)
+          version = "\2"
+
+          serialized_payload = serialize_payload(message)
+
+          cipher = new_cipher
+          cipher.encrypt
+          salt, message_secret = new_salt_and_message_secret
+          set_cipher_key(cipher, message_secret)
+          cipher.iv_len = 12
+          cipher_iv = cipher.random_iv
+
+          data = String.new
+          data << version
+          data << salt
+
+          cipher.auth_data = (purpose = @options[:purpose]) ? data + purpose : data
+          encrypted_data = cipher.update(serialized_payload) << cipher.final
+
+          data << cipher_iv
+          data << auth_tag_from(cipher)
+          data << encrypted_data
+
+          Base64.strict_encode64(data)
+        end
+
+        private
+
+        def new_cipher
+          OpenSSL::Cipher.new('aes-256-gcm')
+        end
+
+        def new_salt_and_message_secret
+          salt = SecureRandom.random_bytes(32)
+
+          [salt, message_secret_from_salt(salt)]
+        end
+
+        def message_secret_from_salt(salt)
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @cipher_secret, salt)
+        end
+
+        def set_cipher_key(cipher, key)
+          cipher.key = key
+        end
+
+        if RUBY_ENGINE == 'jruby'
+          # JRuby's OpenSSL implementation doesn't currently support passing
+          # an argument to #auth_tag. Here we work around that.
+          def auth_tag_from(cipher)
+            tag = cipher.auth_tag
+            raise Error, 'the auth tag must be 16 bytes long' if tag.bytesize != 16
+
+            tag
+          end
+        else
+          def auth_tag_from(cipher)
+            cipher.auth_tag(16)
+          end
+        end
+      end
+
+      def initialize(secret, opts = {})
+        opts = opts.dup
+
+        @mode = opts.delete(:mode)&.to_sym || :guess_version
+        case @mode
+        when :v1
+          @v1 = V1.new(secret, opts)
+        when :v2
+          @v2 = V2.new(secret, opts)
+        else
+          @v1 = V1.new(secret, opts)
+          @v2 = V2.new(secret, opts)
+        end
+      end
+
+      def decrypt(base64_data)
+        decryptor =
+          case @mode
+          when :v2
+            v2
+          when :v1
+            v1
+          else
+            guess_decryptor(base64_data)
+          end
+
+        decryptor.decrypt(base64_data)
+      end
+
+      def encrypt(message)
+        encryptor =
+          case @mode
+          when :v1
+            v1
+          else
+            v2
+          end
+
+        encryptor.encrypt(message)
+      end
+
+      private
+
+      attr_reader :v1, :v2
+
+      def guess_decryptor(base64_data)
+        raise InvalidMessage, 'invalid message' if base64_data.nil? || base64_data.bytesize < 4
+
+        first_encoded_4_bytes = base64_data.slice(0, 4)
+        # Transform the 4 bytes into non-URL-safe base64-encoded data. Nothing
+        # happens if the data is already non-URL-safe base64.
+        first_encoded_4_bytes.tr!('-_', '+/')
+        first_decoded_3_bytes = Base64.strict_decode64(first_encoded_4_bytes)
+
+        version = first_decoded_3_bytes[0]
+        case version
+        when "\2"
+          v2
+        when "\1"
+          v1
+        else
+          raise InvalidMessage, 'invalid message'
+        end
+      rescue ArgumentError
+        raise InvalidMessage, 'invalid message'
+      end
+    end
+  end
+end

data/lib/rack/session/pool.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+
+require_relative 'abstract/id'
+
+module Rack
+  module Session
+    # Rack::Session::Pool provides simple cookie based session management.
+    # Session data is stored in a hash held by @pool.
+    # In the context of a multithreaded environment, sessions being
+    # committed to the pool is done in a merging manner.
+    #
+    # The :drop option is available in rack.session.options if you wish to
+    # explicitly remove the session from the session cache.
+    #
+    # Example:
+    #   myapp = MyRackApp.new
+    #   sessioned = Rack::Session::Pool.new(myapp,
+    #     :domain => 'foo.com',
+    #     :expire_after => 2592000
+    #   )
+    #   Rack::Handler::WEBrick.run sessioned
+
+    class Pool < Abstract::PersistedSecure
+      attr_reader :mutex, :pool
+      DEFAULT_OPTIONS = Abstract::ID::DEFAULT_OPTIONS.merge(drop: false, allow_fallback: true)
+
+      def initialize(app, options = {})
+        super
+        @pool = Hash.new
+        @mutex = Mutex.new
+        @allow_fallback = @default_options.delete(:allow_fallback)
+      end
+
+      def generate_sid(*args, use_mutex: true)
+        loop do
+          sid = super(*args)
+          break sid unless use_mutex ? @mutex.synchronize { @pool.key? sid.private_id } : @pool.key?(sid.private_id)
+        end
+      end
+
+      def find_session(req, sid)
+        @mutex.synchronize do
+          unless sid and session = get_session_with_fallback(sid)
+            sid, session = generate_sid(use_mutex: false), {}
+            @pool.store sid.private_id, session
+          end
+          [sid, session]
+        end
+      end
+
+      def write_session(req, session_id, new_session, options)
+        @mutex.synchronize do
+          return false unless get_session_with_fallback(session_id)
+          @pool.store session_id.private_id, new_session
+          session_id
+        end
+      end
+
+      def delete_session(req, session_id, options)
+        @mutex.synchronize do
+          @pool.delete(session_id.public_id)
+          @pool.delete(session_id.private_id)
+
+          unless options[:drop]
+            sid = generate_sid(use_mutex: false)
+            @pool.store(sid.private_id, {})
+            sid
+          end
+        end
+      end
+
+      private
+
+      def get_session_with_fallback(sid)
+        @pool[sid.private_id] || (@pool[sid.public_id] if @allow_fallback)
+      end
+    end
+  end
+end

data/lib/rack/session/version.rb

@@ -5,6 +5,6 @@
 
 module Rack
   module Session
-    VERSION = "1.0.2"
+    VERSION = "2.1.2"
   end
 end

data/lib/rack/session.rb

@@ -1,5 +1,12 @@
-# Intentional NO-OP require target!
-#
-# See:
-# - https://github.com/rack/rack-session/issues/15
-# - https://github.com/rack/rack-session/issues/26
+# frozen_string_literal: true
+
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
+# Copyright, 2022, by Jeremy Evans.
+
+module Rack
+  module Session
+    autoload :Cookie, "rack/session/cookie"
+    autoload :Pool, "rack/session/pool"
+  end
+end

data/license.md

@@ -1,7 +1,55 @@
 # MIT License
 
-Copyright, 2022-2023, by Samuel Williams.  
-Copyright, 2022, by Jeremy Evans.  
+Copyright, 2007-2008, by Leah Neukirchen.  
+Copyright, 2007-2009, by Scytrin dai Kinthra.  
+Copyright, 2008, by Daniel Roethlisberger.  
+Copyright, 2009, by Joshua Peek.  
+Copyright, 2009, by Mickaël Riga.  
+Copyright, 2010, by Simon Chiang.  
+Copyright, 2010-2011, by José Valim.  
+Copyright, 2010-2013, by James Tucker.  
+Copyright, 2010-2019, by Aaron Patterson.  
+Copyright, 2011, by Max Cantor.  
+Copyright, 2011-2012, by Konstantin Haase.  
+Copyright, 2011, by Will Leinweber.  
+Copyright, 2011, by John Manoogian III.  
+Copyright, 2012, by Yun Huang Yong.  
+Copyright, 2012, by Ravil Bayramgalin.  
+Copyright, 2012, by Timothy Elliott.  
+Copyright, 2012, by Jamie Macey.  
+Copyright, 2012-2015, by Santiago Pastorino.  
+Copyright, 2013, by Andrew Cole.  
+Copyright, 2013, by Postmodern.  
+Copyright, 2013, by Vipul A M.  
+Copyright, 2013, by Charles Hornberger.  
+Copyright, 2014, by Michal Bryxí.  
+Copyright, 2015, by deepj.  
+Copyright, 2015, by Doug McInnes.  
+Copyright, 2015, by David Runger.  
+Copyright, 2015, by Francesco Rodríguez.  
+Copyright, 2015, by Yuichiro Kaneko.  
+Copyright, 2015, by Michael Sauter.  
+Copyright, 2016, by Kir Shatrov.  
+Copyright, 2016, by Yann Vanhalewyn.  
+Copyright, 2016, by Jian Weihang.  
+Copyright, 2017, by Jordan Raine.  
+Copyright, 2018, by Dillon Welch.  
+Copyright, 2018, by Yoshiyuki Hirano.  
+Copyright, 2019, by Krzysztof Rybka.  
+Copyright, 2019, by Frederick Cheung.  
+Copyright, 2019, by Adrian Setyadi.  
+Copyright, 2019, by Rafael Mendonça França.  
+Copyright, 2019-2020, by Pavel Rosicky.  
+Copyright, 2019, by Dima Fatko.  
+Copyright, 2019, by Oleh Demianiuk.  
+Copyright, 2020-2023, by Samuel Williams.  
+Copyright, 2020-2022, by Jeremy Evans.  
+Copyright, 2020, by Alex Speller.  
+Copyright, 2020, by Ryuta Kamizono.  
+Copyright, 2020, by Yudai Suzuki.  
+Copyright, 2020, by Bart de Water.  
+Copyright, 2020, by Alec Clarke.  
+Copyright, 2021, by Michael Coyne.  
 Copyright, 2022, by Philip Arndt.  
 Copyright, 2022, by Jon Dufresne.  
 

data/releases.md

@@ -0,0 +1,31 @@
+# Releases
+
+## v2.1.2
+
+  - [CVE-2026-39324](https://github.com/advisories/GHSA-33qg-7wpp-89cq) Don't fall back to unencrypted coder if encryptors are present.
+
+## v2.1.1
+
+  - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).
+
+## v2.1.0
+
+  - Improved compatibility with Ruby 3.3+ and Rack 3+.
+  - Add support for cookie option `partitioned`.
+  - Introduce `assume_ssl` option to allow secure session cookies through insecure proxy.
+
+## v2.0.0
+
+  - Initial migration of code from Rack 2, for Rack 3 release.
+
+## v1.0.2
+
+  - Fix missing `rack/session.rb` file.
+
+## v1.0.1
+
+  - Pin to `rack < 3`.
+
+## v1.0.0
+
+  - Empty shim release for Rack 2.