rails3_csrf_patcher 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b6aa8eb909ef56c03cc3c13417f51e40eeb23431
+  data.tar.gz: aabff52582e4e1d72e91e48d9b20fa675029f08b
+SHA512:
+  metadata.gz: 2280e8e23f1dfc50f9809dcff439d77e75e6b1965572fc925a6a9e1e22919ef5de59948bce2c595d7c76a48fd3062dd58cf1a9a73724097c4f6819569bb87547
+  data.tar.gz: 3f7724ecce38a3ccafc583e423adf8815c50297da6f5b8c7a752dcf698b1b42b7c4aea8f31f0850a4b7ea88f18d28f0e67881237b74584d4f8c1c586c833a322

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rails3_csrf_patcher.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Maxim Abramchuk
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Rails3CsrfPatcher
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'rails3_csrf_patcher'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rails3_csrf_patcher
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/rails3_csrf_patcher/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/lib/rails3_csrf_patcher.rb

@@ -0,0 +1,5 @@
+require "rails3_csrf_patcher/version"
+
+module Rails3CsrfPatcher
+  # Your code goes here...
+end

data/lib/rails3_csrf_patcher/patch.rb

@@ -0,0 +1,56 @@
+module ActionController
+  class InvalidCrossOriginRequest < ActionControllerError
+  end
+
+  module RequestForgeryProtection
+    module ClassMethods
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        prepend_before_filter :verify_authenticity_token, options
+        append_after_filter :verify_same_origin_request
+      end
+    end
+
+    protected
+
+    def verify_authenticity_token
+      @marked_for_same_origin_verification = true
+
+      unless verified_request?
+        logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
+        handle_unverified_request
+      end
+    end
+
+    CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
+      "<script> tag on another site requested protected JavaScript. " \
+      "If you know what you're doing, go ahead and disable forgery " \
+      "protection on this action to permit cross-origin JavaScript embedding."
+    private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING
+
+    # If `verify_authenticity_token` was run (indicating that we have
+    # forgery protection enabled for this request) then also verify that
+    # we aren't serving an unauthorized cross-origin response.
+    def verify_same_origin_request
+      if marked_for_same_origin_verification? && non_xhr_javascript_response?
+        logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
+        raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
+      end
+    end
+
+    # If the `verify_authenticity_token` before_action ran, verify that
+    # JavaScript responses are only served to same-origin GET requests.
+    def marked_for_same_origin_verification?
+      defined? @marked_for_same_origin_verification
+    end
+
+    # Check for cross-origin JavaScript responses.
+    def non_xhr_javascript_response?
+      content_type =~ %r(\Atext/javascript) && !request.xhr?
+    end
+
+    def handle_unverified_request
+      raise(ActionController::InvalidAuthenticityToken)
+    end
+  end
+end

data/lib/rails3_csrf_patcher/version.rb

@@ -0,0 +1,3 @@
+module Rails3CsrfPatcher
+  VERSION = "0.0.1"
+end

data/lib/tasks/patcher.rake

@@ -0,0 +1,18 @@
+namespace :patcher do
+  desc 'Patch your rails app to protect from the CSRF vulnerability' do
+    task :install do
+      source = File.join(Gem.loaded_specs['rails3_csrf_patcher'].full_gem_path, 'lib/rail3_csrf_patcher/patch.rb')
+      target = File.join(Rails.root, 'config/initializers/')
+
+      FileUtils.cp source, target
+    end
+  end
+
+  desc 'Unpatch your rails app from the CSRF vulnerability protection' do
+    task :uninstall do
+      patch_file = File.join(Gem.loaded_specs['rails3_csrf_patcher'].full_gem_path, 'lib/rail3_csrf_patcher/patch.rb')
+
+      FileUtils.rm patch_file if patch_file.present?
+    end
+  end
+end

data/rails3_csrf_patcher.gemspec

@@ -0,0 +1,23 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rails3_csrf_patcher/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "rails3_csrf_patcher"
+  spec.version       = Rails3CsrfPatcher::VERSION
+  spec.authors       = ["Maxim Abramchuk"]
+  spec.email         = ["maximabramchuck@gmail.com"]
+  spec.summary       = %q{Patch your rails app due to protect from the CSRF vulnerability.}
+  spec.description   = %q{Patch your rails app due to protect from the CSRF vulnerability.}
+  spec.homepage      = "https://github.com/MaximAbramchuck/rails3_csrf_patcher"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+end

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: rails3_csrf_patcher
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Maxim Abramchuk
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-03-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Patch your rails app due to protect from the CSRF vulnerability.
+email:
+- maximabramchuck@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/rails3_csrf_patcher.rb
+- lib/rails3_csrf_patcher/patch.rb
+- lib/rails3_csrf_patcher/version.rb
+- lib/tasks/patcher.rake
+- rails3_csrf_patcher.gemspec
+homepage: https://github.com/MaximAbramchuck/rails3_csrf_patcher
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Patch your rails app due to protect from the CSRF vulnerability.
+test_files: []