RubyGems - rack-webconsole - Versions diffs - 0.0.4 → 0.0.5 - Mend

rack-webconsole 0.0.4 → 0.0.5

Files changed (8) hide show

data/Gemfile.lock +1 -1
data/Readme.md +5 -1
data/lib/rack/webconsole/assets.rb +10 -1
data/lib/rack/webconsole/repl.rb +23 -1
data/lib/rack/webconsole/version.rb +1 -1
data/public/webconsole.js +1 -1
data/spec/rack/webconsole/repl_spec.rb +42 -4
metadata +19 -19

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rack-webconsole (0.0.4)
+    rack-webconsole (0.0.5)
       json
       rack

data/Readme.md CHANGED Viewed

@@ -14,11 +14,15 @@ works. Without any configuration.
 Tested with MRI versions 1.8.7, 1.9.2, ruby-head, and JRuby 1.6.3.
+**SECURITY NOTE**: From version v0.0.5 rack-webconsole uses a token system to
+protect against cross-site request forgery.
 ##Resources
 * [Example video](http://youtu.be/yKK5J01Dqts?hd=1)
 * [Documentation](http://rubydoc.info/github/codegram/rack-webconsole)
 ##Install
 In your Gemfile:
@@ -33,7 +37,6 @@ some configuration file):
     Rack::Webconsole.inject_jquery = true
 ##Usage with Rails 3
 If you are using Rails 3, you have no further steps to do. It works! To give
@@ -94,3 +97,4 @@ You can also build the documentation with the following command:
 Copyright (c) 2011 Codegram. See LICENSE for details.

data/lib/rack/webconsole/assets.rb CHANGED Viewed

@@ -32,8 +32,12 @@ module Rack
           response_body = response.first
         end
+        # Regenerate the security token
+        Webconsole::Repl.reset_token
         # Inject the html, css and js code to the view
         response_body.gsub!('</body>', "#{code}</body>")
         headers['Content-Length'] = (response_body.length + 2).to_s
         [status, headers, [response_body]]
@@ -42,9 +46,14 @@ module Rack
       # Returns a string with all the HTML, CSS and JavaScript code needed for
       # the view.
       #
+      # It puts the security token inside the JavaScript to make AJAX calls
+      # secure.
+      #
       # @return [String] the injectable code.
       def code
-        html_code << css_code << js_code
+        html_code <<
+          css_code <<
+          js_code.gsub('TOKEN', Webconsole::Repl.token)
       end
       private

data/lib/rack/webconsole/repl.rb CHANGED Viewed

@@ -9,6 +9,21 @@ module Rack
     # variables and stores them in an instance variable for further retrieval.
     #
     class Repl
+      @@token = nil
+      class << self
+        # Returns the autogenerated security token
+        #
+        # @return [String] the autogenerated token
+        def token
+          @@token
+        end
+        # Regenerates the token.
+        def reset_token
+          @@token = Digest::SHA1.hexdigest("#{rand(36**8)}#{Time.now}")[4..20]
+        end
+      end
       # Honor the Rack contract by saving the passed Rack application in an ivar.
       #
       # @param [Rack::Application] app the previous Rack application in the
@@ -30,9 +45,10 @@ module Rack
         status, headers, response = @app.call(env)
         req = Rack::Request.new(env)
         params = req.params
+        return [status, headers, response] unless check_legitimate(req)
         result = begin
           $sandbox ||= Sandbox.new
@@ -59,6 +75,12 @@ module Rack
         headers['Content-Length'] = response_body.length.to_s
         [200, headers, [response_body]]
       end
+      private
+      def check_legitimate(req)
+        req.post? && !Repl.token.nil? && req.params['token'] == Repl.token
+      end
     end
   end
 end

data/lib/rack/webconsole/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Rack
   class Webconsole
     # rack-webconsole version number.
-    VERSION = "0.0.4"
+    VERSION = "0.0.5"
   end
 end

data/public/webconsole.js CHANGED Viewed

@@ -33,7 +33,7 @@ $("#console form input").keyup(function(event) {
       url: '/webconsole',
       type: 'POST',
       dataType: 'json',
-      data: ({query: query}),
+      data: ({query: query, token: "TOKEN"}),
       success: function (data) {
         var q = "<div>>> " + query.escapeHTML() + "</div>";
         var r = "<div>=> " + data.result.escapeHTML() + "</div>";

data/spec/rack/webconsole/repl_spec.rb CHANGED Viewed

@@ -15,7 +15,8 @@ module Rack
       it 'evaluates the :query param in a sandbox and returns the result' do
         @app = lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['hello world']] }
         env = {}
-        request = OpenStruct.new(:params => {'query' => 'a = 4; a * 2'})
+        Webconsole::Repl.stubs(:token).returns('abc')
+        request = OpenStruct.new(:params => {'query' => 'a = 4; a * 2', 'token' => 'abc'}, :post? => true)
         Rack::Request.stubs(:new).returns request
         @repl = Webconsole::Repl.new(@app)
@@ -28,13 +29,14 @@ module Rack
       it 'maintains local state in subsequent calls thanks to an evil global variable' do
         @app = lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['hello world']] }
         env = {}
-        request = OpenStruct.new(:params => {'query' => 'a = 4'})
+        Webconsole::Repl.stubs(:token).returns('abc')
+        request = OpenStruct.new(:params => {'query' => 'a = 4', 'token' => 'abc'}, :post? => true)
         Rack::Request.stubs(:new).returns request
         @repl = Webconsole::Repl.new(@app)
         @repl.call(env) # call 1 sets a to 4
-        request = OpenStruct.new(:params => {'query' => 'a * 8'})
+        request = OpenStruct.new(:params => {'query' => 'a * 8', 'token' => 'abc'}, :post? => true)
         Rack::Request.stubs(:new).returns request
         response = @repl.call(env).last.first # call 2 retrieves a and multiplies it by 8
@@ -46,7 +48,8 @@ module Rack
       it "returns any found errors prepended with 'Error:'" do
         @app = lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['hello world']] }
         env = {}
-        request = OpenStruct.new(:params => {'query' => 'unknown_method'})
+        Webconsole::Repl.stubs(:token).returns('abc')
+        request = OpenStruct.new(:params => {'query' => 'unknown_method', 'token' => 'abc'}, :post? => true)
         Rack::Request.stubs(:new).returns request
         @repl = Webconsole::Repl.new(@app)
@@ -54,6 +57,41 @@ module Rack
         JSON.parse(response)['result'].must_match /Error:/
       end
+      it 'rejects non-post requests' do
+        @app = lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['hello world']] }
+        env = {}
+        Webconsole::Repl.stubs(:token).returns('abc')
+        request = OpenStruct.new(:params => {'query' => 'unknown_method', 'token' => 'abc'}, :post? => false)
+        Rack::Request.stubs(:new).returns request
+        @repl = Webconsole::Repl.new(@app)
+        $sandbox.expects(:instance_eval).never
+        @repl.call(env).must_equal @app.call(env)
+      end
+      it 'rejects requests with invalid token' do
+        @app = lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['hello world']] }
+        env = {}
+        Webconsole::Repl.stubs(:token).returns('abc')
+        request = OpenStruct.new(:params => {'query' => 'unknown_method', 'token' => 'cba'}, :post? => true)
+        Rack::Request.stubs(:new).returns request
+        @repl = Webconsole::Repl.new(@app)
+        $sandbox.expects(:instance_eval).never
+        @repl.call(env).must_equal @app.call(env)
+      end
+    end
+    describe 'class methods' do
+      describe '#reset_token and #token' do
+        it 'returns the security token' do
+          Webconsole::Repl.reset_token
+          Webconsole::Repl.token.must_be_kind_of String
+        end
+      end
     end
   end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-webconsole
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
   prerelease:
 platform: ruby
 authors:
@@ -16,7 +16,7 @@ default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
-  requirement: &2151839200 !ruby/object:Gem::Requirement
+  requirement: &2151839300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -24,10 +24,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2151839200
+  version_requirements: *2151839300
 - !ruby/object:Gem::Dependency
   name: json
-  requirement: &2151838520 !ruby/object:Gem::Requirement
+  requirement: &2151838600 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -35,10 +35,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2151838520
+  version_requirements: *2151838600
 - !ruby/object:Gem::Dependency
   name: minitest
-  requirement: &2151837980 !ruby/object:Gem::Requirement
+  requirement: &2151838060 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -46,10 +46,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151837980
+  version_requirements: *2151838060
 - !ruby/object:Gem::Dependency
   name: purdytest
-  requirement: &2151837320 !ruby/object:Gem::Requirement
+  requirement: &2151837520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -57,10 +57,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151837320
+  version_requirements: *2151837520
 - !ruby/object:Gem::Dependency
   name: mocha
-  requirement: &2151836600 !ruby/object:Gem::Requirement
+  requirement: &2151836720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -68,10 +68,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151836600
+  version_requirements: *2151836720
 - !ruby/object:Gem::Dependency
   name: yard
-  requirement: &2151835980 !ruby/object:Gem::Requirement
+  requirement: &2151836080 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -79,10 +79,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151835980
+  version_requirements: *2151836080
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &2151835360 !ruby/object:Gem::Requirement
+  requirement: &2151835520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -90,10 +90,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151835360
+  version_requirements: *2151835520
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &2151834480 !ruby/object:Gem::Requirement
+  requirement: &2151834600 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -101,7 +101,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2151834480
+  version_requirements: *2151834600
 description: Rack-based console inside your web applications
 email:
 - info@codegram.com
@@ -150,7 +150,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1299359098189414051
+      hash: -1999695551081588916
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -159,7 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 1299359098189414051
+      hash: -1999695551081588916
 requirements: []
 rubyforge_project: rack-webconsole
 rubygems_version: 1.6.2