rack_csrf 2.4.0 → 2.7.0

data/features/support/fake_session.rb

@@ -4,8 +4,9 @@ class FakeSession
   def initialize(app)
     @app = app
   end
+
   def call(env)
-    env['rack.session'] ||= Hash.new
+    env['rack.session'] ||= {}
     @app.call(env)
   end
 end

data/lib/rack/csrf/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class Csrf
+    VERSION = '2.7.0'
+  end
+end

data/lib/rack/csrf.rb

@@ -1,12 +1,22 @@
-require 'rack'
 begin
-  require 'securerandom'
+  require 'rack/version'
 rescue LoadError
-  require File.dirname(__FILE__) + '/vendor/securerandom'
+  require 'rack'
+else
+  if Rack.release >= '2.3'
+    require 'rack/request'
+    require 'rack/utils'
+  else
+    require 'rack'
+  end
 end
+require 'securerandom'
 
 module Rack
   class Csrf
+    CONTENT_TYPE = (Rack.release >= '2.3' ? 'content-type' : 'Content-Type').freeze
+    CONTENT_LENGTH = (Rack.release >= '2.3' ? 'content-length' : 'Content-Length').freeze
+
     class SessionUnavailable < StandardError; end
     class InvalidCsrfToken < StandardError; end
 
@@ -17,34 +27,32 @@ module Rack
     def initialize(app, opts = {})
       @app = app
 
-      @raisable        = opts[:raise] || false
-      @skip_list       = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
-      @skip_if         = opts[:skip_if] if opts[:skip_if]
-      @check_only_list = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
-      @@field          = opts[:field] if opts[:field]
-      @@header         = opts[:header] if opts[:header]
-      @@key            = opts[:key] if opts[:key]
+      @raise_if_invalid = opts.fetch(:raise, false)
+      @skip_list        = opts.fetch(:skip, []).map {|r| /\A#{r}\Z/i}
+      @skip_if          = opts[:skip_if]
+      @check_only_list  = opts.fetch(:check_only, []).map {|r| /\A#{r}\Z/i}
+      @@field           = opts[:field] if opts[:field]
+      @@header          = opts[:header] if opts[:header]
+      @@key             = opts[:key] if opts[:key]
 
       standard_http_methods = %w(POST PUT DELETE PATCH)
-      check_also            = opts[:check_also] || []
+      check_also            = opts.fetch(:check_also, [])
       @http_methods = (standard_http_methods + check_also).flatten.uniq
     end
 
     def call(env)
       unless env['rack.session']
-        raise SessionUnavailable.new('Rack::Csrf depends on session middleware')
+        fail SessionUnavailable, 'Rack::Csrf depends on session middleware'
       end
-      self.class.token(env)
       req = Rack::Request.new(env)
-      untouchable = skip_checking(req) ||
+      let_it_pass = skip_checking(req) ||
         !@http_methods.include?(req.request_method) ||
-        req.params[self.class.field] == env['rack.session'][self.class.key] ||
-        req.env[self.class.rackified_header] == env['rack.session'][self.class.key]
-      if untouchable
+        found_a_valid_token?(req)
+      if let_it_pass
         @app.call(env)
       else
-        raise InvalidCsrfToken if @raisable
-        [403, {'Content-Type' => 'text/html', 'Content-Length' => '0'}, []]
+        fail InvalidCsrfToken if @raise_if_invalid
+        [403, {CONTENT_TYPE => 'text/html', CONTENT_LENGTH => '0'}, []]
       end
     end
 
@@ -61,7 +69,7 @@ module Rack
     end
 
     def self.token(env)
-      env['rack.session'][key] ||= SecureRandom.base64(32)
+      env['rack.session'][key] ||= SecureRandom.urlsafe_base64(32)
     end
 
     def self.tag(env)
@@ -69,7 +77,7 @@ module Rack
     end
 
     def self.metatag(env, options = {})
-      name = options.delete(:name) || '_csrf'
+      name = options.fetch(:name, '_csrf')
       %Q(<meta name="#{name}" content="#{token(env)}" />)
     end
 
@@ -86,7 +94,7 @@ module Rack
 
     # Returns the custom header's name adapted to current standards.
     def self.rackified_header
-      "HTTP_#{@@header.gsub('-','_').upcase}"
+      "HTTP_#{@@header.gsub('-', '_').upcase}"
     end
 
     # Returns +true+ if the given request appears in the <b>skip list</b> or
@@ -108,5 +116,11 @@ module Rack
         route =~ (request.request_method + ':' + pi)
       end
     end
+
+    def found_a_valid_token? request
+      token = self.class.token(request.env)
+      Rack::Utils.secure_compare(request.params[self.class.field].to_s, token) ||
+        Rack::Utils.secure_compare(request.env[self.class.rackified_header].to_s, token)
+    end
   end
 end

data/rack_csrf.gemspec

@@ -1,121 +1,48 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rack/csrf/version'
 
-Gem::Specification.new do |s|
-  s.name = "rack_csrf"
-  s.version = "2.4.0"
+Gem::Specification.new do |spec|
+  spec.name                  = 'rack_csrf'
+  spec.version               = Rack::Csrf::VERSION
+  spec.authors               = ['Emanuele Vicentini']
+  spec.email                 = ['emanuele.vicentini@gmail.com']
+  spec.description           = 'Anti-CSRF Rack middleware'
+  spec.summary               = 'Anti-CSRF Rack middleware'
+  spec.homepage              = 'https://github.com/baldowl/rack_csrf'
+  spec.license               = 'MIT'
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Emanuele Vicentini"]
-  s.date = "2012-02-28"
-  s.description = "Anti-CSRF Rack middleware"
-  s.email = "emanuele.vicentini@gmail.com"
-  s.extra_rdoc_files = [
-    "LICENSE.rdoc",
-    "README.rdoc"
+  spec.files                 = `git ls-files -z`.split("\x0")
+  spec.test_files            = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths         = ['lib']
+
+  spec.rdoc_options          = [
+    '--line-numbers',
+    '--inline-source',
+    '--title',
+    "Rack::Csrf #{Rack::Csrf::VERSION}",
+    '--main',
+    'README.rdoc'
   ]
-  s.files = [
-    ".rspec",
-    "Changelog.md",
-    "Gemfile",
-    "LICENSE.rdoc",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION",
-    "cucumber.yml",
-    "examples/camping/Gemfile",
-    "examples/camping/README.rdoc",
-    "examples/camping/app.rb",
-    "examples/camping/config.ru",
-    "examples/cuba/Gemfile",
-    "examples/cuba/README.rdoc",
-    "examples/cuba/app.rb",
-    "examples/cuba/config-with-raise.ru",
-    "examples/cuba/config.ru",
-    "examples/cuba/views/form.erb",
-    "examples/cuba/views/form_not_working.erb",
-    "examples/cuba/views/response.erb",
-    "examples/innate/Gemfile",
-    "examples/innate/README.rdoc",
-    "examples/innate/app.rb",
-    "examples/innate/start-with-raise.rb",
-    "examples/innate/start.rb",
-    "examples/innate/view/index.erb",
-    "examples/innate/view/notworking.erb",
-    "examples/innate/view/response.erb",
-    "examples/rack/Gemfile",
-    "examples/rack/README.rdoc",
-    "examples/rack/app.rb",
-    "examples/rack/config-with-raise.ru",
-    "examples/rack/config.ru",
-    "examples/sinatra/Gemfile",
-    "examples/sinatra/README.rdoc",
-    "examples/sinatra/app.rb",
-    "examples/sinatra/config-with-raise.ru",
-    "examples/sinatra/config.ru",
-    "examples/sinatra/views/form.erb",
-    "examples/sinatra/views/form_not_working.erb",
-    "examples/sinatra/views/response.erb",
-    "features/check_only_some_specific_requests.feature",
-    "features/custom_http_methods.feature",
-    "features/empty_responses.feature",
-    "features/inspecting_also_get_requests.feature",
-    "features/raising_exception.feature",
-    "features/setup.feature",
-    "features/skip_if_block_passes.feature",
-    "features/skip_some_routes.feature",
-    "features/step_definitions/request_steps.rb",
-    "features/step_definitions/response_steps.rb",
-    "features/step_definitions/setup_steps.rb",
-    "features/support/env.rb",
-    "features/support/fake_session.rb",
-    "features/variation_on_field_name.feature",
-    "features/variation_on_header_name.feature",
-    "features/variation_on_key_name.feature",
-    "lib/rack/csrf.rb",
-    "lib/rack/vendor/securerandom.rb",
-    "rack_csrf.gemspec",
-    "spec/csrf_spec.rb",
-    "spec/spec_helper.rb"
+  spec.extra_rdoc_files      = [
+    'LICENSE.rdoc',
+    'README.rdoc'
   ]
-  s.homepage = "https://github.com/baldowl/rack_csrf"
-  s.licenses = ["MIT"]
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.4.0", "--main", "README.rdoc"]
-  s.require_paths = ["lib"]
-  s.rubyforge_project = "rackcsrf"
-  s.rubygems_version = "1.8.17"
-  s.summary = "Anti-CSRF Rack middleware"
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 3
+  spec.required_ruby_version = '>= 1.9.2'
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rack>, [">= 0.9"])
-      s.add_development_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_development_dependency(%q<cucumber>, [">= 1.1.1"])
-      s.add_development_dependency(%q<rack-test>, [">= 0"])
-      s.add_development_dependency(%q<rspec>, [">= 2.0.0"])
-      s.add_development_dependency(%q<rdoc>, [">= 2.4.2"])
-      s.add_development_dependency(%q<jeweler>, [">= 0"])
-    else
-      s.add_dependency(%q<rack>, [">= 0.9"])
-      s.add_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_dependency(%q<cucumber>, [">= 1.1.1"])
-      s.add_dependency(%q<rack-test>, [">= 0"])
-      s.add_dependency(%q<rspec>, [">= 2.0.0"])
-      s.add_dependency(%q<rdoc>, [">= 2.4.2"])
-      s.add_dependency(%q<jeweler>, [">= 0"])
-    end
+  if ENV['TEST_WITH_RACK']
+    spec.add_runtime_dependency 'rack', "~> #{ENV['TEST_WITH_RACK']}"
   else
-    s.add_dependency(%q<rack>, [">= 0.9"])
-    s.add_dependency(%q<bundler>, [">= 1.0.0"])
-    s.add_dependency(%q<cucumber>, [">= 1.1.1"])
-    s.add_dependency(%q<rack-test>, [">= 0"])
-    s.add_dependency(%q<rspec>, [">= 2.0.0"])
-    s.add_dependency(%q<rdoc>, [">= 2.4.2"])
-    s.add_dependency(%q<jeweler>, [">= 0"])
+    spec.add_runtime_dependency 'rack', '>= 1.1.0'
   end
-end
 
+  spec.add_development_dependency 'bundler', '>= 1.0.0'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'cucumber', '~> 3.0'
+  spec.add_development_dependency 'rack-test', '>= 0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rdoc', '>= 2.4.2'
+  spec.add_development_dependency 'git', '>= 1.2.5'
+end

data/spec/csrf_spec.rb

@@ -3,58 +3,67 @@ require 'spec_helper'
 describe Rack::Csrf do
   describe 'key' do
     it "should be 'csrf.token' by default" do
-      Rack::Csrf.key.should == 'csrf.token'
+      expect(Rack::Csrf.key).to eq('csrf.token')
     end
 
-    it "should be the value of the :key option" do
+    it 'should be the value of the :key option' do
       Rack::Csrf.new nil, :key => 'whatever'
-      Rack::Csrf.key.should == 'whatever'
+      expect(Rack::Csrf.key).to eq('whatever')
     end
   end
 
   describe 'csrf_key' do
     it 'should be the same as method key' do
-      Rack::Csrf.method(:csrf_key).should == Rack::Csrf.method(:key)
+      expect(Rack::Csrf.method(:csrf_key)).to eq(Rack::Csrf.method(:key))
     end
   end
 
   describe 'field' do
     it "should be '_csrf' by default" do
-      Rack::Csrf.field.should == '_csrf'
+      expect(Rack::Csrf.field).to eq('_csrf')
     end
 
-    it "should be the value of :field option" do
+    it 'should be the value of :field option' do
       Rack::Csrf.new nil, :field => 'whatever'
-      Rack::Csrf.field.should == 'whatever'
+      expect(Rack::Csrf.field).to eq('whatever')
     end
   end
 
   describe 'csrf_field' do
     it 'should be the same as method field' do
-      Rack::Csrf.method(:csrf_field).should == Rack::Csrf.method(:field)
+      expect(Rack::Csrf.method(:csrf_field)).to eq(Rack::Csrf.method(:field))
     end
   end
 
   describe 'header' do
     subject { Rack::Csrf.header }
-    it      { should == 'X_CSRF_TOKEN' }
+    it      { is_expected.to be == 'X_CSRF_TOKEN' }
 
-    context "when set to something" do
+    context 'when set to something' do
       before  { Rack::Csrf.new nil, :header => 'something' }
       subject { Rack::Csrf.header }
-      it      { should == 'something' }
+      it      { is_expected.to be == 'something' }
     end
   end
 
   describe 'csrf_header' do
-    subject { Rack::Csrf.method(:csrf_header) }
-    it      { should == Rack::Csrf.method(:header) }
+    it 'should be the same as method header' do
+      expect(Rack::Csrf.method(:csrf_header)).to eq(Rack::Csrf.method(:header))
+    end
   end
 
   describe 'token(env)' do
     let(:env) { {'rack.session' => {}} }
 
-    specify {Rack::Csrf.token(env).should have_at_least(32).characters}
+    context 'should produce a token' do
+      specify 'with at least 32 characters' do
+        expect(Rack::Csrf.token(env).length).to be >= 32
+      end
+
+      specify 'without +, / or =' do
+        expect(Rack::Csrf.token(env)).not_to match(/\+|\/|=/)
+      end
+    end
 
     context 'when accessing/manipulating the session' do
       before do
@@ -62,17 +71,17 @@ describe Rack::Csrf do
       end
 
       it 'should use the key provided by method key' do
-        env['rack.session'].should be_empty
+        expect(env['rack.session']).to be_empty
         Rack::Csrf.token env
-        env['rack.session'][Rack::Csrf.key].should_not be_nil
+        expect(env['rack.session'][Rack::Csrf.key]).not_to be_nil
       end
     end
 
     context 'when the session does not already contain the token' do
       it 'should store the token inside the session' do
-        env['rack.session'].should be_empty
+        expect(env['rack.session']).to be_empty
         token = Rack::Csrf.token(env)
-        token.should == env['rack.session'][Rack::Csrf.key]
+        expect(token).to eq(env['rack.session'][Rack::Csrf.key])
       end
     end
 
@@ -82,14 +91,14 @@ describe Rack::Csrf do
       end
 
       it 'should get the token from the session' do
-        env['rack.session'][Rack::Csrf.key].should == Rack::Csrf.token(env)
+        expect(env['rack.session'][Rack::Csrf.key]).to eq(Rack::Csrf.token(env))
       end
     end
   end
 
   describe 'csrf_token(env)' do
     it 'should be the same as method token(env)' do
-      Rack::Csrf.method(:csrf_token).should == Rack::Csrf.method(:token)
+      expect(Rack::Csrf.method(:csrf_token)).to eq(Rack::Csrf.method(:token))
     end
   end
 
@@ -102,26 +111,26 @@ describe Rack::Csrf do
     end
 
     it 'should be an input field' do
-      tag.should =~ /^<input/
+      expect(tag).to match(/^<input/)
     end
 
     it 'should be an hidden input field' do
-      tag.should =~ /type="hidden"/
+      expect(tag).to match(/type="hidden"/)
     end
 
-    it "should have the name provided by method field" do
-      tag.should =~ /name="#{Rack::Csrf.field}"/
+    it 'should have the name provided by method field' do
+      expect(tag).to match(/name="#{Rack::Csrf.field}"/)
     end
 
-    it "should have the value provided by method token(env)" do
+    it 'should have the value provided by method token(env)' do
       quoted_value = Regexp.quote %Q(value="#{Rack::Csrf.token(env)}")
-      tag.should =~ /#{quoted_value}/
+      expect(tag).to match(/#{quoted_value}/)
     end
   end
 
   describe 'csrf_tag(env)' do
     it 'should be the same as method tag(env)' do
-      Rack::Csrf.method(:csrf_tag).should == Rack::Csrf.method(:tag)
+      expect(Rack::Csrf.method(:csrf_tag)).to eq(Rack::Csrf.method(:tag))
     end
   end
 
@@ -135,11 +144,11 @@ describe Rack::Csrf do
       end
 
       subject { metatag }
-      it { should =~ /^<meta/ }
-      it { should =~ /name="_csrf"/ }
-      it "should have the content provided by method token(env)" do
+      it { is_expected.to match(/^<meta/) }
+      it { is_expected.to match(/name="_csrf"/) }
+      it 'should have the content provided by method token(env)' do
         quoted_value = Regexp.quote %Q(content="#{Rack::Csrf.token(env)}")
-        metatag.should =~ /#{quoted_value}/
+        expect(metatag).to match(/#{quoted_value}/)
       end
     end
 
@@ -150,18 +159,18 @@ describe Rack::Csrf do
       end
 
       subject { metatag }
-      it { should =~ /^<meta/ }
-      it { should =~ /name="custom_name"/ }
-      it "should have the content provided by method token(env)" do
+      it { is_expected.to match(/^<meta/) }
+      it { is_expected.to match(/name="custom_name"/) }
+      it 'should have the content provided by method token(env)' do
         quoted_value = Regexp.quote %Q(content="#{Rack::Csrf.token(env)}")
-        metatag.should =~ /#{quoted_value}/
+        expect(metatag).to match(/#{quoted_value}/)
       end
     end
   end
 
   describe 'csrf_metatag(env)' do
     it 'should be the same as method metatag(env)' do
-      Rack::Csrf.method(:csrf_metatag).should == Rack::Csrf.method(:metatag)
+      expect(Rack::Csrf.method(:csrf_metatag)).to eq(Rack::Csrf.method(:metatag))
     end
   end
 
@@ -170,7 +179,7 @@ describe Rack::Csrf do
   describe 'rackified_header' do
     before  { Rack::Csrf.new nil, :header => 'my-header' }
     subject { Rack::Csrf.rackified_header }
-    it      { should == 'HTTP_MY_HEADER'}
+    it      { is_expected.to be == 'HTTP_MY_HEADER'}
   end
 
   describe 'skip_checking' do
@@ -185,7 +194,7 @@ describe Rack::Csrf do
       let(:csrf) { Rack::Csrf.new nil }
 
       it 'should run the check' do
-        csrf.send(:skip_checking, request).should be_false
+        expect(csrf.send(:skip_checking, request)).to be false
       end
     end
 
@@ -193,7 +202,7 @@ describe Rack::Csrf do
       let(:csrf) { Rack::Csrf.new nil, :skip => ['POST:/hello'] }
 
       it 'should not run the check' do
-        csrf.send(:skip_checking, request).should be_true
+        expect(csrf.send(:skip_checking, request)).to be true
       end
     end
 
@@ -202,7 +211,7 @@ describe Rack::Csrf do
         let(:csrf) { Rack::Csrf.new nil, :skip_if => lambda { |req| req.env.key?('HTTP_X_VERY_SPECIAL_HEADER') } }
 
         it 'should not run the check' do
-          csrf.send(:skip_checking, request).should be_true
+          expect(csrf.send(:skip_checking, request)).to be true
         end
       end
 
@@ -211,7 +220,7 @@ describe Rack::Csrf do
           let(:csrf) { Rack::Csrf.new nil, :check_only => [] }
 
           it 'should run the check' do
-            csrf.send(:skip_checking, request).should be_false
+            expect(csrf.send(:skip_checking, request)).to be false
           end
         end
 
@@ -220,7 +229,7 @@ describe Rack::Csrf do
             let(:csrf) { Rack::Csrf.new nil, :check_only => ['POST:/hello'] }
 
             it 'should run the check' do
-              csrf.send(:skip_checking, request).should be_false
+              expect(csrf.send(:skip_checking, request)).to be false
             end
           end
 
@@ -228,11 +237,49 @@ describe Rack::Csrf do
             let(:csrf) { Rack::Csrf.new nil, :check_only => ['POST:/ciao'] }
 
             it 'should not run the check' do
-              csrf.send(:skip_checking, request).should be_true
+              expect(csrf.send(:skip_checking, request)).to be true
             end
           end
         end
       end
     end
   end
+
+  describe 'found_a_valid_token?' do
+    let(:env) { {'rack.session' => {}} }
+
+    let(:csrf) { Rack::Csrf.new nil }
+
+    let(:mock_request_env) do
+      Rack::MockRequest.env_for '/hello',
+        :method => 'POST',
+        :input => 'foo=bar'
+    end
+
+    before do
+      Rack::Csrf.token env
+      mock_request_env['rack.session'] = env['rack.session']
+    end
+
+    context 'should be true' do
+      specify "if a valid token can be found in the request's paramaters" do
+        mock_request_env['rack.input'] = StringIO.new("#{Rack::Csrf.field}=#{Rack::Csrf.token(env)}")
+        request = Rack::Request.new(mock_request_env)
+        expect(csrf.send(:found_a_valid_token?, request)).to be true
+      end
+
+      specify "if a valid token can be found in the request's headers" do
+        mock_request_env[Rack::Csrf.rackified_header] = Rack::Csrf.token(env)
+        request = Rack::Request.new(mock_request_env)
+        expect(csrf.send(:found_a_valid_token?, request)).to be true
+      end
+    end
+
+    context 'should be false' do
+      specify 'if no valid token can be found anywhere' do
+        request = Rack::Request.new(mock_request_env)
+        expect(csrf.send(:found_a_valid_token?, request)).to be false
+      end
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -2,3 +2,4 @@ require 'rubygems'
 require 'rspec'
 
 require 'rack/csrf'
+require 'rack/mock'