rack-session 2.1.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24dbcb8931b1a26d39b7165f872231e9ce7f9006e8495616416faeb4538ed8e6
-  data.tar.gz: c26f979218fb4ac3b626d8638ee7b0e00183ac1acffdc1fb393fd85919e1cf46
+  metadata.gz: 82ef73dda808550f0838e5fa7d75d90a15d1b524831c58a5e082349143637357
+  data.tar.gz: 4214302b0ec644f8b905d575d870a7fc4de5f4c8e1450a104e7193eb117b70f2
 SHA512:
-  metadata.gz: e345e1424c6092e771a16f15fee04c19128dacfa50b586fbd7795ce1699fe50cbf2b7028624dc945e60a055f20c99c0d88c7c1eec729b13d527f3c3bcc7d6e6e
-  data.tar.gz: 8da88daf469c01ebeef2bb75b5ee04efc42e836807b3000b028fa2eb73f11db3585410321297e7607bd0e9413f768dab2a55e54f08e5326697e1d472f9363e6c
+  metadata.gz: 17b3713d1ba66fd9c40f825826f05be73d60681b51b06e8df561efa4a146c537b323ff2fc436cc8ddf75314a26f5839e89d98bcc270746ad70e18af441e1a7ae
+  data.tar.gz: 5a06e7eec1398684eaca507d0c69063cfcfae2bb8478255d43c49ce01d9db5bc551e1cb593bed6872718ad925ea5145ea4acb95cf6f0eae26182b7af5d37a83a

data/lib/rack/session/cookie.rb

@@ -237,8 +237,10 @@ module Rack
               # Decode using legacy HMAC decoder
               session_data = @legacy_hmac_coder.decode(session_data)
 
-            elsif !session_data && coder
-              # Use the coder option, which has the potential to be very unsafe
+            elsif !session_data && encryptors.empty? && coder
+              # Use the coder option, which has the potential to be very unsafe.
+              # This path is only reached when no encryptors (secrets:) are configured;
+              # if encryptors are present but decryption failed, the cookie is rejected.
               session_data = coder.decode(cookie_data)
             end
           end

data/lib/rack/session/encryptor.rb

@@ -5,9 +5,9 @@
 # Copyright, 2022, by Philip Arndt.
 
 require 'base64'
+require 'json'
 require 'openssl'
 require 'securerandom'
-require 'zlib'
 
 require 'rack/utils'
 
@@ -23,169 +23,392 @@ module Rack
       class InvalidMessage < Error
       end
 
-      # The secret String must be at least 64 bytes in size. The first 32 bytes
-      # will be used for the encryption cipher key. The remainder will be used
-      # for an HMAC key.
-      #
-      # Options may include:
-      # * :serialize_json
-      #     Use JSON for message serialization instead of Marshal. This can be
-      #     viewed as a security enhancement.
-      # * :pad_size
-      #     Pad encrypted message data, to a multiple of this many bytes
-      #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
-      #     padding.
-      # * :purpose
-      #     Limit messages to a specific purpose. This can be viewed as a
-      #     security enhancement to prevent message reuse from different contexts
-      #     if keys are reused.
-      #
-      # Cryptography and Output Format:
-      #
-      #   urlsafe_encode64(version + random_data + IV + encrypted data + HMAC)
-      #
-      #  Where:
-      #  * version - 1 byte and is currently always 0x01
-      #  * random_data - 32 bytes used for generating the per-message secret
-      #  * IV - 16 bytes random initialization vector
-      #  * HMAC - 32 bytes HMAC-SHA-256 of all preceding data, plus the purpose
-      #    value
-      def initialize(secret, opts = {})
-        raise ArgumentError, "secret must be a String" unless String === secret
-        raise ArgumentError, "invalid secret: #{secret.bytesize}, must be >=64" unless secret.bytesize >= 64
+      module Serializable
+        private
 
-        case opts[:pad_size]
-        when nil
-          # padding is disabled
-        when Integer
-          raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
-        else
-          raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
+        # Returns a serialized payload of the message. If a :pad_size is supplied,
+        # the message will be padded. The first 2 bytes of the returned string will
+        # indicating the amount of padding.
+        def serialize_payload(message)
+          serialized_data = serializer.dump(message)
+
+          return "#{[0].pack('v')}#{serialized_data.force_encoding(Encoding::BINARY)}" if @options[:pad_size].nil?
+
+          padding_bytes = @options[:pad_size] - (2 + serialized_data.size) % @options[:pad_size]
+          padding_data = SecureRandom.random_bytes(padding_bytes)
+
+          "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data.force_encoding(Encoding::BINARY)}"
         end
 
-        @options = {
-          serialize_json: false, pad_size: 32, purpose: nil
-        }.update(opts)
+        # Return the deserialized message. The first 2 bytes will be read as the
+        # amount of padding.
+        def deserialized_message(data)
+          # Read the first 2 bytes as the padding_bytes size
+          padding_bytes, = data.unpack('v')
 
-        @hmac_secret = secret.dup.force_encoding('BINARY')
-        @cipher_secret = @hmac_secret.slice!(0, 32)
+          # Slice out the serialized_data and deserialize it
+          serialized_data = data.slice(2 + padding_bytes, data.bytesize)
+          serializer.load serialized_data
+        end
 
-        @hmac_secret.freeze
-        @cipher_secret.freeze
+        def serializer
+          @serializer ||= @options[:serialize_json] ? JSON : Marshal
+        end
       end
 
-      def decrypt(base64_data)
-        data = Base64.urlsafe_decode64(base64_data)
+      class V1
+        include Serializable
+
+        # The secret String must be at least 64 bytes in size. The first 32 bytes
+        # will be used for the encryption cipher key. The remainder will be used
+        # for an HMAC key.
+        #
+        # Options may include:
+        # * :serialize_json
+        #     Use JSON for message serialization instead of Marshal. This can be
+        #     viewed as a security enhancement.
+        # * :pad_size
+        #     Pad encrypted message data, to a multiple of this many bytes
+        #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
+        #     padding.
+        # * :purpose
+        #     Limit messages to a specific purpose. This can be viewed as a
+        #     security enhancement to prevent message reuse from different contexts
+        #     if keys are reused.
+        #
+        # Cryptography and Output Format:
+        #
+        #   urlsafe_encode64(version + random_data + IV + encrypted data + HMAC)
+        #
+        #  Where:
+        #  * version - 1 byte with value 0x01
+        #  * random_data - 32 bytes used for generating the per-message secret
+        #  * IV - 16 bytes random initialization vector
+        #  * HMAC - 32 bytes HMAC-SHA-256 of all preceding data, plus the purpose
+        #    value
+        def initialize(secret, opts = {})
+          raise ArgumentError, 'secret must be a String' unless secret.is_a?(String)
+          raise ArgumentError, "invalid secret: #{secret.bytesize}, must be >=64" unless secret.bytesize >= 64
+
+          case opts[:pad_size]
+          when nil
+          # padding is disabled
+          when Integer
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
+          else
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
+          end
 
-        signature = data.slice!(-32..-1)
+          @options = {
+            serialize_json: false, pad_size: 32, purpose: nil
+          }.update(opts)
 
-        verify_authenticity! data, signature
+          @hmac_secret = secret.dup.force_encoding(Encoding::BINARY)
+          @cipher_secret = @hmac_secret.slice!(0, 32)
 
-        # The version is reserved for future
-        _version = data.slice!(0, 1)
-        message_secret = data.slice!(0, 32)
-        cipher_iv = data.slice!(0, 16)
+          @hmac_secret.freeze
+          @cipher_secret.freeze
+        end
 
-        cipher = new_cipher
-        cipher.decrypt
+        def decrypt(base64_data)
+          data = Base64.urlsafe_decode64(base64_data)
 
-        set_cipher_key(cipher, cipher_secret_from_message_secret(message_secret))
+          signature = data.slice!(-32..-1)
+          verify_authenticity!(data, signature)
 
-        cipher.iv = cipher_iv
-        data = cipher.update(data) << cipher.final
+          version = data.slice!(0, 1)
+          raise InvalidMessage, 'wrong version' unless version == "\1"
 
-        deserialized_message data
-      rescue ArgumentError
-        raise InvalidSignature, 'Message invalid'
-      end
+          message_secret = data.slice!(0, 32)
+          cipher_iv = data.slice!(0, 16)
 
-      def encrypt(message)
-        version = "\1"
+          cipher = new_cipher
+          cipher.decrypt
 
-        serialized_payload = serialize_payload(message)
-        message_secret, cipher_secret = new_message_and_cipher_secret
+          set_cipher_key(cipher, cipher_secret_from_message_secret(message_secret))
 
-        cipher = new_cipher
-        cipher.encrypt
+          cipher.iv = cipher_iv
+          data = cipher.update(data) << cipher.final
 
-        set_cipher_key(cipher, cipher_secret)
+          deserialized_message data
+        rescue ArgumentError
+          raise InvalidSignature, 'Message invalid'
+        end
 
-        cipher_iv = cipher.random_iv
+        def encrypt(message)
+          version = "\1"
 
-        encrypted_data = cipher.update(serialized_payload) << cipher.final
+          serialized_payload = serialize_payload(message)
+          message_secret, cipher_secret = new_message_and_cipher_secret
 
-        data = String.new
-        data << version
-        data << message_secret
-        data << cipher_iv
-        data << encrypted_data
-        data << compute_signature(data)
+          cipher = new_cipher
+          cipher.encrypt
 
-        Base64.urlsafe_encode64(data)
-      end
+          set_cipher_key(cipher, cipher_secret)
 
-      private
+          cipher_iv = cipher.random_iv
 
-      def new_cipher
-        OpenSSL::Cipher.new('aes-256-ctr')
-      end
+          encrypted_data = cipher.update(serialized_payload) << cipher.final
 
-      def new_message_and_cipher_secret
-        message_secret = SecureRandom.random_bytes(32)
+          data = String.new
+          data << version
+          data << message_secret
+          data << cipher_iv
+          data << encrypted_data
+          data << compute_signature(data)
 
-        [message_secret, cipher_secret_from_message_secret(message_secret)]
-      end
+          Base64.urlsafe_encode64(data)
+        end
 
-      def cipher_secret_from_message_secret(message_secret)
-        OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @cipher_secret, message_secret)
-      end
+        private
 
-      def set_cipher_key(cipher, key)
-        cipher.key = key
-      end
+        def new_cipher
+          OpenSSL::Cipher.new('aes-256-ctr')
+        end
 
-      def serializer
-        @serializer ||= @options[:serialize_json] ? JSON : Marshal
-      end
+        def new_message_and_cipher_secret
+          message_secret = SecureRandom.random_bytes(32)
+
+          [message_secret, cipher_secret_from_message_secret(message_secret)]
+        end
 
-      def compute_signature(data)
-        signing_data = data
-        signing_data += @options[:purpose] if @options[:purpose]
+        def cipher_secret_from_message_secret(message_secret)
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @cipher_secret, message_secret)
+        end
 
-        OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @hmac_secret, signing_data)
-      end
+        def set_cipher_key(cipher, key)
+          cipher.key = key
+        end
 
-      def verify_authenticity!(data, signature)
-        raise InvalidMessage, 'Message is invalid' if data.nil? || signature.nil?
+        def compute_signature(data)
+          signing_data = data
+          signing_data += @options[:purpose] if @options[:purpose]
 
-        unless Rack::Utils.secure_compare(signature, compute_signature(data))
-          raise InvalidSignature, 'HMAC is invalid'
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @hmac_secret, signing_data)
+        end
+
+        def verify_authenticity!(data, signature)
+          raise InvalidMessage, 'Message is invalid' if data.nil? || signature.nil?
+
+          unless Rack::Utils.secure_compare(signature, compute_signature(data))
+            raise InvalidSignature, 'HMAC is invalid'
+          end
         end
       end
 
-      # Returns a serialized payload of the message. If a :pad_size is supplied,
-      # the message will be padded. The first 2 bytes of the returned string will
-      # indicating the amount of padding.
-      def serialize_payload(message)
-        serialized_data = serializer.dump(message)
+      class V2
+        include Serializable
+
+        # The secret String must be at least 32 bytes in size.
+        #
+        # Options may include:
+        # * :pad_size
+        #     Pad encrypted message data, to a multiple of this many bytes
+        #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
+        #     padding.
+        # * :purpose
+        #     Limit messages to a specific purpose. This can be viewed as a
+        #     security enhancement to prevent message reuse from different contexts
+        #     if keys are reused.
+        #
+        # Cryptography and Output Format:
+        #
+        #   strict_encode64(version + salt + IV + authentication tag + ciphertext)
+        #
+        #  Where:
+        #  * version - 1 byte with value 0x02
+        #  * salt - 32 bytes used for generating the per-message secret
+        #  * IV - 12 bytes random initialization vector
+        #  * authentication tag - 16 bytes authentication tag generated by the GCM mode, covering version and salt
+        #
+        # Considerations about V2:
+        #
+        # 1) It uses non URL-safe Base64 encoding as it's faster than its
+        #    URL-safe counterpart - as of Ruby 3.2, Base64.urlsafe_encode64 is
+        #    roughly equivalent to
+        #
+        #    Base64.strict_encode64(data).tr("-_", "+/")
+        #
+        #    - and cookie values don't need to be URL-safe.
+        def initialize(secret, opts = {})
+          raise ArgumentError, 'secret must be a String' unless secret.is_a?(String)
+
+          unless secret.bytesize >= 32
+            raise ArgumentError, "invalid secret: it's #{secret.bytesize}-byte long, must be >=32"
+          end
+
+          case opts[:pad_size]
+          when nil
+          # padding is disabled
+          when Integer
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
+          else
+            raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
+          end
+
+          @options = {
+            serialize_json: false, pad_size: 32, purpose: nil
+          }.update(opts)
+
+          @cipher_secret = secret.dup.force_encoding(Encoding::BINARY).slice!(0, 32)
+          @cipher_secret.freeze
+        end
+
+        def decrypt(base64_data)
+          data = Base64.strict_decode64(base64_data)
+          if data.bytesize <= 61 # version + salt + iv + auth_tag = 61 byte (and we also need some ciphertext :)
+            raise InvalidMessage, 'invalid message'
+          end
+
+          version = data[0]
+          raise InvalidMessage, 'invalid message' unless version == "\2"
+
+          ciphertext = data.slice!(61..-1)
+          auth_tag = data.slice!(45, 16)
+          cipher_iv = data.slice!(33, 12)
+
+          cipher = new_cipher
+          cipher.decrypt
+          salt = data.slice(1, 32)
+          set_cipher_key(cipher, message_secret_from_salt(salt))
+          cipher.iv = cipher_iv
+          cipher.auth_tag = auth_tag
+          cipher.auth_data = (purpose = @options[:purpose]) ? data + purpose : data
+
+          plaintext = cipher.update(ciphertext) << cipher.final
 
-        return "#{[0].pack('v')}#{serialized_data}" if @options[:pad_size].nil?
+          deserialized_message plaintext
+        rescue ArgumentError, OpenSSL::Cipher::CipherError
+          raise InvalidSignature, 'invalid message'
+        end
+
+        def encrypt(message)
+          version = "\2"
+
+          serialized_payload = serialize_payload(message)
+
+          cipher = new_cipher
+          cipher.encrypt
+          salt, message_secret = new_salt_and_message_secret
+          set_cipher_key(cipher, message_secret)
+          cipher.iv_len = 12
+          cipher_iv = cipher.random_iv
+
+          data = String.new
+          data << version
+          data << salt
+
+          cipher.auth_data = (purpose = @options[:purpose]) ? data + purpose : data
+          encrypted_data = cipher.update(serialized_payload) << cipher.final
+
+          data << cipher_iv
+          data << auth_tag_from(cipher)
+          data << encrypted_data
+
+          Base64.strict_encode64(data)
+        end
+
+        private
 
-        padding_bytes = @options[:pad_size] - (2 + serialized_data.size) % @options[:pad_size]
-        padding_data = SecureRandom.random_bytes(padding_bytes)
+        def new_cipher
+          OpenSSL::Cipher.new('aes-256-gcm')
+        end
+
+        def new_salt_and_message_secret
+          salt = SecureRandom.random_bytes(32)
+
+          [salt, message_secret_from_salt(salt)]
+        end
+
+        def message_secret_from_salt(salt)
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @cipher_secret, salt)
+        end
+
+        def set_cipher_key(cipher, key)
+          cipher.key = key
+        end
 
-        "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data}"
+        if RUBY_ENGINE == 'jruby'
+          # JRuby's OpenSSL implementation doesn't currently support passing
+          # an argument to #auth_tag. Here we work around that.
+          def auth_tag_from(cipher)
+            tag = cipher.auth_tag
+            raise Error, 'the auth tag must be 16 bytes long' if tag.bytesize != 16
+
+            tag
+          end
+        else
+          def auth_tag_from(cipher)
+            cipher.auth_tag(16)
+          end
+        end
+      end
+
+      def initialize(secret, opts = {})
+        opts = opts.dup
+
+        @mode = opts.delete(:mode)&.to_sym || :guess_version
+        case @mode
+        when :v1
+          @v1 = V1.new(secret, opts)
+        when :v2
+          @v2 = V2.new(secret, opts)
+        else
+          @v1 = V1.new(secret, opts)
+          @v2 = V2.new(secret, opts)
+        end
       end
 
-      # Return the deserialized message. The first 2 bytes will be read as the
-      # amount of padding.
-      def deserialized_message(data)
-        # Read the first 2 bytes as the padding_bytes size
-        padding_bytes, = data.unpack('v')
+      def decrypt(base64_data)
+        decryptor =
+          case @mode
+          when :v2
+            v2
+          when :v1
+            v1
+          else
+            guess_decryptor(base64_data)
+          end
+
+        decryptor.decrypt(base64_data)
+      end
 
-        # Slice out the serialized_data and deserialize it
-        serialized_data = data.slice(2 + padding_bytes, data.bytesize)
-        serializer.load serialized_data
+      def encrypt(message)
+        encryptor =
+          case @mode
+          when :v1
+            v1
+          else
+            v2
+          end
+
+        encryptor.encrypt(message)
+      end
+
+      private
+
+      attr_reader :v1, :v2
+
+      def guess_decryptor(base64_data)
+        raise InvalidMessage, 'invalid message' if base64_data.nil? || base64_data.bytesize < 4
+
+        first_encoded_4_bytes = base64_data.slice(0, 4)
+        # Transform the 4 bytes into non-URL-safe base64-encoded data. Nothing
+        # happens if the data is already non-URL-safe base64.
+        first_encoded_4_bytes.tr!('-_', '+/')
+        first_decoded_3_bytes = Base64.strict_decode64(first_encoded_4_bytes)
+
+        version = first_decoded_3_bytes[0]
+        case version
+        when "\2"
+          v2
+        when "\1"
+          v1
+        else
+          raise InvalidMessage, 'invalid message'
+        end
+      rescue ArgumentError
+        raise InvalidMessage, 'invalid message'
       end
     end
   end

data/lib/rack/session/version.rb

@@ -5,6 +5,6 @@
 
 module Rack
   module Session
-    VERSION = "2.1.1"
+    VERSION = "2.1.2"
   end
 end

data/lib/rack/session.rb

@@ -8,6 +8,5 @@ module Rack
   module Session
     autoload :Cookie, "rack/session/cookie"
     autoload :Pool, "rack/session/pool"
-    autoload :Memcache, "rack/session/memcache"
   end
 end

data/releases.md

@@ -1,5 +1,9 @@
 # Releases
 
+## v2.1.2
+
+  - [CVE-2026-39324](https://github.com/advisories/GHSA-33qg-7wpp-89cq) Don't fall back to unencrypted coder if encryptors are present.
+
 ## v2.1.1
 
   - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).

metadata

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: rack-session
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.1.2
 platform: ruby
 authors:
 - Samuel Williams
 - Jeremy Evans
 - Jon Dufresne
 - Philip Arndt
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-05-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -111,8 +110,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
-email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -133,7 +130,6 @@ licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -148,8 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A session implementation for Rack.
 test_files: []