rack_csrf 2.4.0 → 2.7.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5063e661614ec782c33a22dc458d7f6a6d89be5a59c6c08297bc1cdc2f9675aa
+  data.tar.gz: 4b2b7c1208e605a314ddcb581268b32eb214bb791be52d7875bc37e2b1258abf
+SHA512:
+  metadata.gz: 21e09bf5ee433e1c9feea3ed29de30e7ff05c3a3c9d6bca35b2feeea8c0686e203c4c4f01fdff11eee8029b4094f32f26a9965b6918e03e5137b5db0eaafd61d
+  data.tar.gz: fa1aaa6fa9002de2519566b07aeb542fc91a1f0824030db83f384f182971a36c9b78fbf463a09230f17f116d6d7cd2e1347f97a65102c801cd557dfd404e59f0

data/.circleci/config.yml

@@ -0,0 +1,30 @@
+version: 2.1
+
+jobs:
+  run_tests:
+    parameters:
+      ruby_version:
+        description: "Version of Ruby to run tests in"
+        type: string
+      rack_version:
+        description: "More or less the Rack version we want to test against"
+        type: string
+    environment:
+      TEST_WITH_RACK: << parameters.rack_version >>
+    docker:
+      - image: ruby:<< parameters.ruby_version >>
+    steps:
+      - checkout
+      - run: bundle install
+      - run: bundle exec rake spec
+      - run: bundle exec rake features
+
+workflows:
+  version: 2
+  test:
+    jobs:
+      - run_tests:
+          matrix:
+            parameters:
+              ruby_version: ["2.7", "3.0", "3.1"]
+              rack_version: ["1.6.0", "2.1.0", "2.2.0", "3.0.0"]

data/.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  - pull_request
+  - push
+  - workflow_dispatch
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    strategy:
+      matrix:
+        ruby_version:
+          - "2.7"
+          - "3.0"
+          - "3.1"
+        rack_version:
+          - "1.6.0"
+          - "2.1.0"
+          - "2.2.0"
+          - "3.0.0"
+    name: Ruby ~> ${{ matrix.ruby_version }}; Rack ~> ${{ matrix.rack_version }}
+    runs-on: ubuntu-latest
+    env:
+      TEST_WITH_RACK: ${{ matrix.rack_version }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby_version }}
+          bundler-cache: true
+      - run: bundle exec rake spec
+      - run: bundle exec rake features

data/.gitignore

@@ -0,0 +1,5 @@
+.bundle
+.rvmrc
+Gemfile.lock
+doc
+pkg

data/Changelog.md

@@ -1,3 +1,31 @@
+# v2.7.0 (2022-09-10)
+
+Many little, negligible, changes, plus support for Rake 3 (courtesy of
+[jeremyevans](https://github.com/jeremyevans) :trophy:)
+
+# v2.6.0 (2016-12-31)
+
+Many little, internal, changes; the important ones are:
+
+* switched to use SecureRandom.urlsafe_base64 to make the token URL-friendly
+  (courtesy of [steved](https://github.com/steved));
+* code is tested against Rack 1.4, 1.5, 1.6 and 2.0;
+* code is tested only on Ruby 2.0.0 and later.
+
+
+
+# v2.5.0 (2014-06-15)
+
+* Fixed/improved the examples.
+* Added basic Travis setup.
+* Dropped support for Rack versions older than 1.1.0.
+* Lazy generation of the CSRF token.
+* Left Jeweler; totally embraced Bundler.
+* Dropped support for Ruby 1.8.6.
+* Fixed Cucumber's step for Ruby 1.8.*.
+
+
+
 # v2.4.0 (2012-02-28)
 
 * Updated examples' Gemfiles.

data/Gemfile

@@ -1,12 +1,2 @@
-source 'http://rubygems.org'
-
-gem 'rack', '>= 0.9'
-
-group :development do
-  gem 'bundler', '>= 1.0.0'
-  gem 'cucumber', '>= 1.1.1'
-  gem 'rack-test'
-  gem 'rspec', '>= 2.0.0'
-  gem 'rdoc', '>= 2.4.2'
-  gem 'jeweler'
-end
+source 'https://rubygems.org'
+gemspec

data/LICENSE.rdoc

@@ -2,7 +2,7 @@
 
 (The MIT License)
 
-Copyright (c) 2009, 2010, 2011, 2012 Emanuele Vicentini
+Copyright (c) 2009, 2010, 2011, 2012, 2014, 2016, 2022 Emanuele Vicentini
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the 'Software'), to deal

data/README.rdoc

@@ -1,4 +1,4 @@
-= Rack::Csrf
+= Rack::Csrf {<img src="https://circleci.com/gh/baldowl/rack_csrf.svg?style=svg" alt="CircleCI" />}[https://circleci.com/gh/baldowl/rack_csrf] {<img src="https://github.com/baldowl/rack_csrf/actions/workflows/ci.yml/badge.svg?branch=master" alt="Actions Status: CI" />}[https://github.com/baldowl/rack_csrf/actions?query=workflow%3ACI+branch%3Amaster] {<img src="https://badge.fury.io/rb/rack_csrf.svg" alt="Gem Version" />}[http://badge.fury.io/rb/rack_csrf]
 
 This is just a small Rack middleware whose only goal is to lessen the hazards
 posed by CSRF attacks by trying to ensure that all requests of particular
@@ -20,9 +20,6 @@ immediately replies with an empty response.
 
 The anti-forging token can be passed as a request parameter or a header.
 
-I have not tested Rack::Csrf with Rack 0.4.0 or earlier versions, but it could
-possibly work.
-
 == Options
 
 The following options allow you to tweak Rack::Csrf.
@@ -79,6 +76,9 @@ The following options allow you to tweak Rack::Csrf.
   This option is useful if a guarded resource can be accessed by clients who
   support CSRF token (e.g. browsers) and by ones who don't (e.g. API clients).
 
+  Don't try to check the CSRF token: it could exist or not at this stage and
+  you should always let it alone.
+
   Default value: empty.
 
 [<tt>:field</tt>]
@@ -154,6 +154,10 @@ token.
   Returns the name of the key used to store/retrieve the token from the Rack
   session.
 
+  Despite this class method, you should never try to retrieve the token with
+  code like <tt>env['rack.session'][Rack::Csrf.key]</tt>. See the `token`
+  method below.
+
 [<tt>Rack::Csrf.field</tt> (also <tt>Rack::Csrf.csrf_field</tt>)]
   Returns the name of the field that must be present in the request.
 
@@ -186,6 +190,14 @@ In the +examples+ directory there are some small, working web applications
 written with different Rack-based frameworks. They are named after the used
 framework; see the various README files for other details.
 
+== Supported Rubies and Racks
+
+The gemspec shows the minimum Ruby and Rack versions, but Rack::Csrf is
+tested only with the Rubies and Racks you can see in
+<tt>.circleci/config.yml</tt> and/or <tt>.github/workflows/ci.yml</tt>. It
+could work also with older versions, but I decided not to test it against
+unsupported Rubies and Racks.
+
 == Contributing
 
 If you want to help:
@@ -208,5 +220,5 @@ forgo responsibilities for keeping your application as safe as possible.
 
 == Copyright
 
-Copyright (c) 2009, 2010, 2011, 2012 Emanuele Vicentini. See LICENSE.rdoc for
-details.
+Copyright (c) 2009, 2010, 2011, 2012, 2014, 2016, 2022 Emanuele Vicentini. 
+See LICENSE.rdoc for details.

data/Rakefile

@@ -1,62 +1,40 @@
 require 'rubygems'
-require 'bundler'
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
+require 'bundler/setup'
 
 require 'rake/clean'
-require 'cucumber/rake/task'
-require 'rspec/core/rake_task'
-require 'rdoc/task'
-require 'jeweler'
 
+require 'cucumber/rake/task'
 Cucumber::Rake::Task.new :features
 task :default => :features
 
+require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new :spec
 task :default => :spec
 
-version = File.exists?('VERSION') ? File.read('VERSION').strip : ''
+require 'rack/csrf/version'
 
+require 'rdoc/task'
 RDoc::Task.new :doc do |rdoc|
   rdoc.rdoc_dir = 'doc'
-  rdoc.title = "Rack::Csrf #{version}"
+  rdoc.title = "Rack::Csrf #{Rack::Csrf::VERSION}"
   rdoc.main = 'README.rdoc'
   rdoc.rdoc_files.include('README.rdoc', 'LICENSE.rdoc')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-Jeweler::Tasks.new do |gem|
-  gem.name = 'rack_csrf'
-  gem.summary = 'Anti-CSRF Rack middleware'
-  gem.description = 'Anti-CSRF Rack middleware'
-  gem.license = 'MIT'
-  gem.authors = 'Emanuele Vicentini'
-  gem.email = 'emanuele.vicentini@gmail.com'
-  gem.homepage = 'https://github.com/baldowl/rack_csrf'
-  gem.rubyforge_project = 'rackcsrf'
-  # dependencies defined in Gemfile
-  gem.rdoc_options << '--line-numbers' << '--inline-source' << '--title' <<
-    "Rack::Csrf #{version}" << '--main' << 'README.rdoc'
-  gem.test_files.clear
-end
-
-Jeweler::GemcutterTasks.new
+require 'bundler/gem_tasks'
 
+require 'git'
 desc <<-EOD
 Shows the changelog in Git between the given points.
 
 start -- defaults to the current version tag
 end   -- defaults to HEAD
 EOD
-task :changes, [:start, :end] do |t, args|
-  args.with_defaults :start => "v#{Rake.application.jeweler.version}",
+task :changes, [:start, :end] do |_, args|
+  args.with_defaults :start => "v#{Rack::Csrf::VERSION}",
     :end => 'HEAD'
-  repo = Git.open Rake.application.jeweler.git_base_dir
+  repo = Git.open Dir.pwd
   repo.log(nil).between(args.start, args.end).each do |c|
     puts c.message.split($/).first
   end

data/examples/camping/Gemfile

@@ -1,4 +1,6 @@
 source 'http://rubygems.org'
 
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
+gem 'rack', '~> 1.4.0'
 gem 'camping', '>= 2.1', '<= 2.1.467'
 gem 'markaby', '>= 0.7.1', '<= 0.7.2'

data/examples/camping/app.rb

@@ -1,14 +1,12 @@
 require 'camping'
 require 'camping/session'
-
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 Camping.goes :LittleApp
 
 module LittleApp
   use Rack::Csrf # This has to come BEFORE 'include Camping::Session',
-                 # otherwise you get the 'Rack::Csrf depends on session 
+                 # otherwise you get the 'Rack::Csrf depends on session
                  # middleware' exception. Weird...
   include Camping::Session
 

data/examples/cuba/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
 gem 'cuba', '>= 2.1.0', '<= 2.2.1'

data/examples/cuba/app.rb

@@ -1,5 +1,7 @@
 Cuba.define do
   on get do
+    res['Content-Type'] = 'text/html'
+
     on '' do
       res.write render('views/form.erb')
     end

data/examples/cuba/config-with-raise.ru

@@ -1,11 +1,10 @@
 require 'cuba'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 Cuba.use Rack::ShowExceptions
 Cuba.use Rack::Session::Cookie
 Cuba.use Rack::Csrf, :raise => true
 
-require 'app'
+require './app'
 
 run Cuba

data/examples/cuba/config.ru

@@ -1,10 +1,9 @@
 require 'cuba'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 Cuba.use Rack::Session::Cookie
 Cuba.use Rack::Csrf
 
-require 'app'
+require './app'
 
 run Cuba

data/examples/innate/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
 gem 'innate', '>= 2009.07', '<= 2011.12'

data/examples/innate/start-with-raise.rb

@@ -1,10 +1,8 @@
 require 'rubygems'
 require 'innate'
-
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
-require 'app'
+require './app'
 
 Innate.start do |m|
   m.use Rack::ShowExceptions

data/examples/innate/start.rb

@@ -1,10 +1,8 @@
 require 'rubygems'
 require 'innate'
-
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
-require 'app'
+require './app'
 
 Innate.start do |m|
   m.use Rack::Session::Cookie

data/examples/rack/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
-gem 'rack', '>= 1.0.0', '<= 1.4.1'
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
+gem 'rack', '<= 1.5.2'

data/examples/rack/app.rb

@@ -30,16 +30,21 @@ class LittleApp
 
   def self.call env
     req = Rack::Request.new env
+    res = Rack::Response.new
+
     if req.get?
       if req.path_info == '/notworking'
-        Rack::Response.new(@form_not_working.result(binding)).finish
+        res.write @form_not_working.result(binding)
       else
-        Rack::Response.new(@form.result(binding)).finish
+        res.write @form.result(binding)
       end
     elsif req.post?
       utterance = req['utterance']
       csrf = req[Rack::Csrf.field]
-      Rack::Response.new(@response.result(binding)).finish
+      res.write @response.result(binding)
     end
+
+    res['Content-Type'] = 'text/html'
+    res.finish
   end
 end

data/examples/rack/config-with-raise.ru

@@ -1,8 +1,7 @@
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::ShowExceptions
 use Rack::Session::Cookie

data/examples/rack/config.ru

@@ -1,8 +1,7 @@
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::Session::Cookie
 use Rack::Csrf

data/examples/sinatra/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
-gem 'sinatra', '>= 0.9.4', '<= 1.3.2'
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
+gem 'sinatra', '>= 0.9.4', '<= 1.4.4'

data/examples/sinatra/app.rb

@@ -7,6 +7,8 @@ get '/notworking' do
 end
 
 post '/response' do
-  erb :response, :locals => {:utterance => params[:utterance],
-    :csrf => params[Rack::Csrf.field]}
+  erb :response, :locals => {
+    :utterance => params[:utterance],
+    :csrf => params[Rack::Csrf.field]
+  }
 end

data/examples/sinatra/config-with-raise.ru

@@ -1,14 +1,11 @@
 require 'sinatra'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::ShowExceptions
 use Rack::Session::Cookie
 use Rack::Csrf, :raise => true
 
-set :app_file, 'app.rb'
-
 run Sinatra::Application

data/examples/sinatra/config.ru

@@ -1,13 +1,10 @@
 require 'sinatra'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::Session::Cookie
 use Rack::Csrf
 
-set :app_file, 'app.rb'
-
 run Sinatra::Application

data/features/step_definitions/request_steps.rb

@@ -4,7 +4,7 @@
 When /^it receives a (.*) request without the CSRF (?:token|header)$/ do |http_method|
   begin
     @browser.request '/', :method => http_method
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -12,7 +12,7 @@ end
 When /^it receives a (.*) request for (.+) without the CSRF (?:token|header|token or header)$/ do |http_method, path|
   begin
     @browser.request path, :method => http_method
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -34,7 +34,7 @@ When /^it receives a (.*) request with the wrong CSRF token$/ do |http_method|
     @browser.request '/', :method        => http_method,
                           'rack.session' => {Rack::Csrf.key   => 'right_token'},
                           :params        => {Rack::Csrf.field => 'wrong_token'}
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -43,7 +43,7 @@ When /^it receives a (.*) request with the wrong CSRF header/ do |http_method|
   begin
     @browser.request '/', :method => http_method,
                           Rack::Csrf.rackified_header => 'right_token'
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -51,7 +51,7 @@ end
 When /^it receives a (.*) request with neither PATH_INFO nor CSRF token or header$/ do |http_method|
   begin
     @browser.request '/doesntmatter', :method => http_method, 'PATH_INFO' => ''
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -59,7 +59,7 @@ end
 When /^it receives a request with headers (.+) = ([^ ]+) without the CSRF token or header$/ do |name, value|
   begin
     @browser.request '/', Hash[:method, 'POST', name, value]
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -67,7 +67,7 @@ end
 When /^it receives a request with headers (.+) = ([^,]+), (.+), and without the CSRF token or header$/ do |name, value, method|
   begin
     @browser.request '/', Hash[:method, method, name, value]
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end

data/features/step_definitions/response_steps.rb

@@ -1,14 +1,14 @@
 Then /^it lets it pass untouched$/ do
-  @browser.last_response.should be_ok
-  @browser.last_response.should =~ /Hello world!/
+  expect(@browser.last_response).to be_ok
+  expect(@browser.last_response).to match(/Hello world!/)
 end
 
 Then /^it responds with (\d\d\d)$/ do |code|
-  @browser.last_response.status.should == code.to_i
+  expect(@browser.last_response.status).to eq(code.to_i)
 end
 
 Then /^the response body is empty$/ do
-  @browser.last_response.body.should be_empty
+  expect(@browser.last_response.body).to be_empty
 end
 
 Then /^there is no response$/ do
@@ -16,5 +16,5 @@ Then /^there is no response$/ do
 end
 
 Then /^an exception is climbing up the stack$/ do
-  @exception.should be_an_instance_of(Rack::Csrf::InvalidCsrfToken)
+  expect(@exception).to be_an_instance_of(Rack::Csrf::InvalidCsrfToken)
 end

data/features/step_definitions/setup_steps.rb

@@ -73,29 +73,35 @@ When /^I insert the anti\-CSRF middleware with the :raise option$/ do
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip option$/ do |table|
-  skippable = table.hashes.collect {|t| t.values}.flatten
+  skippable = table.hashes.collect(&:values).flatten
   @rack_builder.use Rack::Csrf, :skip => skippable
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip_if option$/ do |table|
-  skippable = table.hashes.collect {|t| t.values}
-  @rack_builder.use Rack:: Csrf, :skip_if => Proc.new { |request|
+  skippable = {}
+  table.hashes.each {|row| skippable[row['name']] = row['value']}
+  skip_logic = Proc.new do |request|
     skippable.any? { |name, value| request.env[name] == value }
-  }
+  end
+  @rack_builder.use Rack:: Csrf, :skip_if => skip_logic
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip and :skip_if options$/ do |table|
-  data = table.hashes.collect {|t| t.values}[0]
-  headers = data[0..1]
-  skippable = data[2]
-
-  @rack_builder.use Rack:: Csrf, :skip => [skippable], :skip_if => Proc.new { |request|
-    skippable.any? { |name, value| request.env[name] == value }
-  }
+  skip_option_arguments = []
+  skip_if_option_arguments = {}
+  table.hashes.each do |row|
+    skip_option_arguments << row['path']
+    skip_if_option_arguments[row['name']] = row['value']
+  end
+  skip_if_logic = Proc.new do |request|
+    skip_if_option_arguments.any? { |name, value| request.env[name] == value }
+  end
+  @rack_builder.use Rack::Csrf, :skip => skip_option_arguments,
+    :skip_if => skip_if_logic
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
@@ -119,14 +125,14 @@ When /^I insert the anti\-CSRF middleware with the :header option$/ do
 end
 
 When /^I insert the anti\-CSRF middleware with the :check_also option$/ do |table|
-  check_also = table.hashes.collect {|t| t.values}.flatten
+  check_also = table.hashes.collect(&:values).flatten
   @rack_builder.use Rack::Csrf, :check_also => check_also
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :check_only option$/ do |table|
-  must_be_checked = table.hashes.collect {|t| t.values}.flatten
+  must_be_checked = table.hashes.collect(&:values).flatten
   @rack_builder.use Rack::Csrf, :check_only => must_be_checked
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
@@ -143,6 +149,6 @@ Then /^I get an error message$/ do
 end
 
 def toy_app
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
+  @rack_builder.run(lambda {|_| Rack::Response.new('Hello world!').finish})
   @rack_builder.to_app
 end

data/features/support/env.rb

@@ -3,3 +3,5 @@ require 'rspec'
 require 'rack/test'
 
 require 'rack/csrf'
+require 'rack/builder'
+require 'rack/lint'