safe_cookies 0.1.0

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in safe_cookies.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Dominik Schöler
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,44 @@
+# SafeCookies
+
+This Gem brings a Middleware that will make all cookies secure. In detail, it will
+
+* set all new cookies 'HttpOnly', unless specified otherwise
+* set all new cookies 'secure', if the request came via HTTPS and not specified otherwise
+* rewrite existing cookies, setting both flags as above
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'safe_cookies'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install safe_cookies
+
+## Usage
+
+In config/environment.rb:
+
+    config.middleware.use SafeCookies::Middleware,
+      :remember_token => 1.year,
+      :last_action => 30.days,
+      :non_secure => %w[default_language],
+      :non_http_only => %w[javascript_data]
+
+This will have the `default_language` cookie not made secure, the `javascript_data` cookie
+not made HttpOnly. It will update the `remember_token` with an expiry of one year and the
+`last_action` cookie with an expiry of 30 days, making both of them secure and HttpOnly.
+
+## About Rails and Cookies
+
+Cookie syntax example:
+
+    Set-Cookie: cookie1=value; secure,cookie2=value; path=/
+
+Actually, there should be one cookie per Set-Cookie header, but since Rails headers
+are implemented as Hash, it is not possible to have several Set-Cookie fields.

data/Rakefile

@@ -0,0 +1,10 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+desc 'Default: Run all tests.'
+task :default => 'specs' # now you can run the tests by just typing "rake" into your console
+
+desc 'Run specs'
+task :specs do
+  system('rspec')
+end

data/lib/safe_cookies/version.rb

@@ -0,0 +1,3 @@
+module SafeCookies
+  VERSION = "0.1.0"
+end

data/lib/safe_cookies.rb

@@ -0,0 +1,122 @@
+# -*- encoding: utf-8 -*-
+require "safe_cookies/version"
+require "rack"
+
+module SafeCookies
+  class Middleware
+
+
+    def initialize(app, options = {})
+      # Pass a hash for `cookies_to_update` with name as key and lifetime as value.
+      # Use this to update existing cookies that you expect to receive.
+      #
+      # Unfortunately, the client won't ever tell us if the cookie was originally
+      # sent with flags such as "secure" or which expiry date it currently has:
+      # http://tools.ietf.org/html/rfc6265#section-4.2.2
+      #
+      # The :non_secure option specifies cookies that will not be made secure. Use
+      # this for storing site usage settings like filters etc. that need to be available
+      # when not on HTTPS (this should rarely be the case).
+      #
+      # The :non_http_only option is analog, use it for storing data you want to access
+      # with javascript.
+
+      @app = app
+      @non_secure = (options.delete(:non_secure) || []).map(&:to_s)
+      @non_http_only = (options.delete(:non_http_only) || []).map(&:to_s)
+      @cookies_to_update = options
+    end
+
+    def call(env)
+      @env = env
+      status, headers, body = @app.call(@env)
+
+      secure_old_cookies!(headers) if @cookies_to_update.any?
+      secure_new_cookies!(headers)
+
+      [ status, headers, body ]
+    end
+
+    private
+
+    def secure(cookie)
+      # Regexp from https://github.com/tobmatth/rack-ssl-enforcer/
+      if secure?(cookie) and cookie !~ /(^|;\s)secure($|;)/
+        "#{cookie}; secure"
+      else
+        cookie
+      end
+    end
+
+    def http_only(cookie)
+      if http_only?(cookie) and cookie !~ /(^|;\s)HttpOnly($|;)/
+        "#{cookie}; HttpOnly"
+      else
+        cookie
+      end
+    end
+
+    def secure_old_cookies!(headers)
+      request = Rack::Request.new(@env)
+      return if request.cookies['secured_old_cookies']
+
+      @cookies_to_update.each do |key, expiry|
+        key = key.to_s
+        if request.cookies.has_key?(key)
+          value = request.cookies[key]
+          set_secure_cookie!(headers, key, value, expiry)
+        end
+      end
+      set_secure_cookie!(headers, 'secured_old_cookies', Rack::Utils.rfc2822(Time.now.gmtime))
+    end
+
+    def set_secure_cookie!(headers, key, value, expire_after = 365 * 24 * 60 * 60) # one year
+      options = {
+        :value => value,
+        :secure => secure?(key),
+        :httponly => http_only?(key),
+        :expires => Time.now + expire_after # This is what Rails does
+      }
+      Rack::Utils.set_cookie_header!(headers, key, options)
+    end
+
+    def secure_new_cookies!(headers)
+      cookies = headers['Set-Cookie']
+      if cookies
+        # Rails 2.3 / Rack 1.1 offers an array which is actually nice.
+        cookies = cookies.split("\n") unless cookies.is_a?(Array)
+
+        # On Rack 1.1, cookie values sometimes contain trailing newlines.
+        # Example => ["foo=1; path=/\n", "bar=2; path=/"]
+        # Note that they also mess up browsers, when this array is merged
+        # again and the "Set-Cookie" header then contains double newlines.
+        cookies = cookies.
+          map(&:strip).
+          select{ |c| c.length > 0}.
+          map(&method(:secure)).
+          map(&method(:http_only))
+
+        # Unfortunately there is no pretty way to touch a "Set-Cookie" header.
+        # It contains more information than the "HTTP_COOKIE" header from the
+        # browser's request contained, so a `Rack::Request` can't parse it for
+        # us. A `Rack::Response` doesn't offer a way either.
+        headers['Set-Cookie'] = cookies.join(",") # cookies are comma-separated
+      end
+    end
+    
+    def secure?(cookie)
+      name = cookie.split('=').first.strip
+      ssl_request? and not @non_secure.include?(name)
+    end
+    
+    def http_only?(cookie)
+      name = cookie.split('=').first.strip
+      not @non_http_only.include?(name)
+    end
+    
+    def ssl_request?
+      @env['HTTPS'] == 'on' || @env['HTTP_X_FORWARDED_PROTO'] == 'https' # this is how Rails does it
+    end
+
+  end
+end

data/safe_cookies.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/safe_cookies/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Dominik Schöler"]
+  gem.email         = ["dominik.schoeler@makandra.de"]
+  gem.description   = %q{Make cookies as `secure` and `HttpOnly` as possible.}
+  gem.summary       = %q{Make cookies as `secure` and `HttpOnly` as possible.}
+  gem.homepage      = "http://www.makandra.de"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "safe_cookies"
+  gem.require_paths = ["lib"]
+  gem.version       = SafeCookies::VERSION
+  
+  gem.add_dependency('rack')
+  gem.add_development_dependency('rspec')
+  gem.add_development_dependency('timecop')
+end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: safe_cookies
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Dominik Schöler
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-06-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Make cookies as `secure` and `HttpOnly` as possible.
+email:
+- dominik.schoeler@makandra.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/safe_cookies.rb
+- lib/safe_cookies/version.rb
+- safe_cookies.gemspec
+homepage: http://www.makandra.de
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Make cookies as `secure` and `HttpOnly` as possible.
+test_files: []