secure_cookies2 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4142848af4035583bb4d06f0dd5cd2c389835536d386c68105a733ed06964b41
+  data.tar.gz: 682e0f46d1dc106765e4c99dd759c67deccd98039822e3e72c8944c6b694bd03
+SHA512:
+  metadata.gz: 22134aba7a75ac4f603a7d74355c8b019453608655701988aef7493ae9d03050e797e7e44d392fdf10a8100530fd986ea423f9839f5283652de1247ad755f5c8
+  data.tar.gz: 565616b86b7449080b5a4eb8293a1b27e819ea5c95c998dbd3dc4f2f757b9d5fb73a89dc24ddb3837f5e71a7f26ebcb8f34e74e7f13f9edef74ab4e9cc90790f

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+Gemfile.lock

data/.ruby-version

@@ -0,0 +1 @@
+2.6.1

data/.travis.yml

@@ -0,0 +1,28 @@
+language: ruby
+
+rvm:
+  - ruby-head
+  - 2.6.1
+  - 2.5.0
+  - 2.4.3
+  - jruby-head
+
+env:
+  - SUITE=rspec spec
+  - SUITE=rubocop
+
+script: bundle exec $SUITE
+
+matrix:
+  allow_failures:
+    - rvm: jruby-head
+    - rvm: ruby-head
+
+before_install:
+  - gem update --system
+  - gem --version
+  - gem update bundler
+bundler_args: --without guard -j 3
+
+sudo: false
+cache: bundler

data/Gemfile

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+gemspec
+
+group :test do
+  gem "coveralls"
+  gem "json"
+  gem "pry-nav"
+  gem "rack"
+  gem "rspec"
+  gem "rubocop"
+  gem "rubocop-github"
+  gem "term-ansicolor"
+  gem "tins"
+end
+
+group :guard do
+  gem "growl"
+  gem "guard-rspec"
+  gem "rb-fsevent"
+  gem "terminal-notifier-guard"
+end

data/Guardfile

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+guard :rspec, cmd: "bundle exec rspec", all_on_start: true, all_after_pass: true do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
+end

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Neil Matatall
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,68 @@
+# SecureCookies
+
+SecureCookies is an extract of the cookie functionality from [secure_headers](https://github.com/twitter/secure_headers). Rails has good header support but the cookie support is still lacking. Maybe one day this functionality will be added to rails core.
+
+## Configuration
+
+These can be defined in the form of a boolean, or as a Hash for more refined configuration.
+
+__Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
+
+#### Defaults
+
+By default, all cookies will get both `Secure`, `HttpOnly`, and `SameSite=Lax`.
+
+```ruby
+config.cookies = {
+  secure: true, # defaults to true but will be a no op on non-HTTPS requests
+  httponly: true, # defaults to true
+  samesite: {  # defaults to set `SameSite=Lax`
+    lax: true
+  }
+}
+```
+
+#### Boolean-based configuration
+
+Boolean-based configuration is intended to globally enable or disable a specific cookie attribute. *Note: As of 4.0, you must use OPT_OUT rather than false to opt out of the defaults.*
+
+```ruby
+config.cookies = {
+  secure: true, # mark all cookies as Secure
+  httponly: OPT_OUT, # do not mark any cookies as HttpOnly
+}
+```
+
+#### Hash-based configuration
+
+Hash-based configuration allows for fine-grained control.
+
+```ruby
+config.cookies = {
+  secure: { except: ['_guest'] }, # mark all but the `_guest` cookie as Secure
+  httponly: { only: ['_rails_session'] }, # only mark the `_rails_session` cookie as HttpOnly
+}
+```
+
+#### SameSite cookie configuration
+
+SameSite cookies permit either `Strict` or `Lax` enforcement mode options.
+
+```ruby
+config.cookies = {
+  samesite: {
+    strict: true # mark all cookies as SameSite=Strict
+  }
+}
+```
+
+`Strict` and `Lax` enforcement modes can also be specified using a Hash.
+
+```ruby
+config.cookies = {
+  samesite: {
+    strict: { only: ['_rails_session'] },
+    lax: { only: ['_guest'] }
+  }
+}
+```

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "secure_cookies"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/secure_cookies.rb

@@ -0,0 +1,111 @@
+require "secure_cookies/cookie"
+require "secure_cookies/middleware"
+require "secure_cookies/railtie"
+require "secure_cookies/version"
+
+module SecureCookies
+  OPT_OUT = Object.new
+
+  DEFAULT_CONFIG = {
+    secure: true, # defaults to true but will be a no op on non-HTTPS requests
+    httponly: true, # defaults to true
+    samesite: {  # defaults to set `SameSite=Lax`
+      lax: true
+    }
+  }
+
+  class << self
+    def config
+      @config || DEFAULT_CONFIG
+    end
+    def config=(configuration)
+      raise RuntimeError, "Already configured" if @config
+      @config = configuration
+      @config.freeze
+      validate!
+    end
+
+    def validate!
+      return if config == OPT_OUT
+      validate_config!
+      validate_secure_config! unless config[:secure].nil?
+      validate_httponly_config! unless config[:httponly].nil?
+      validate_samesite_config! unless config[:samesite].nil?
+    end
+
+    private
+
+    def validate_config!
+      raise CookiesConfigError.new("config must be a hash.") unless is_hash?(config)
+    end
+
+    def validate_secure_config!
+      validate_hash_or_true_or_opt_out!(:secure)
+      validate_exclusive_use_of_hash_constraints!(config[:secure], :secure)
+    end
+
+    def validate_httponly_config!
+      validate_hash_or_true_or_opt_out!(:httponly)
+      validate_exclusive_use_of_hash_constraints!(config[:httponly], :httponly)
+    end
+
+    def validate_samesite_config!
+      return if config[:samesite] == OPT_OUT
+      raise CookiesConfigError.new("samesite cookie config must be a hash") unless is_hash?(config[:samesite])
+
+      validate_samesite_boolean_config!
+      validate_samesite_hash_config!
+    end
+
+    # when configuring with booleans, only one enforcement is permitted
+    def validate_samesite_boolean_config!
+      if config[:samesite].key?(:lax) && config[:samesite][:lax].is_a?(TrueClass) && config[:samesite].key?(:strict)
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      elsif config[:samesite].key?(:strict) && config[:samesite][:strict].is_a?(TrueClass) && config[:samesite].key?(:lax)
+        raise CookiesConfigError.new("samesite cookie config is invalid, combination use of booleans and Hash to configure lax and strict enforcement is not permitted.")
+      end
+    end
+
+    def validate_samesite_hash_config!
+      # validate Hash-based samesite configuration
+      if is_hash?(config[:samesite][:lax])
+        validate_exclusive_use_of_hash_constraints!(config[:samesite][:lax], "samesite lax")
+
+        if is_hash?(config[:samesite][:strict])
+          validate_exclusive_use_of_hash_constraints!(config[:samesite][:strict], "samesite strict")
+          validate_exclusive_use_of_samesite_enforcement!(:only)
+          validate_exclusive_use_of_samesite_enforcement!(:except)
+        end
+      end
+    end
+
+    def validate_hash_or_true_or_opt_out!(attribute)
+      if !(is_hash?(config[attribute]) || is_true_or_opt_out?(config[attribute]))
+        raise CookiesConfigError.new("#{attribute} cookie config must be a hash, true, or SecureCookies::OPT_OUT")
+      end
+    end
+
+    # validate exclusive use of only or except but not both at the same time
+    def validate_exclusive_use_of_hash_constraints!(conf, attribute)
+      return unless is_hash?(conf)
+      if conf.key?(:only) && conf.key?(:except)
+        raise CookiesConfigError.new("#{attribute} cookie config is invalid, simultaneous use of conditional arguments `only` and `except` is not permitted.")
+      end
+    end
+
+    # validate exclusivity of only and except members within strict and lax
+    def validate_exclusive_use_of_samesite_enforcement!(attribute)
+      if (intersection = (config[:samesite][:lax].fetch(attribute, []) & config[:samesite][:strict].fetch(attribute, []))).any?
+        raise CookiesConfigError.new("samesite cookie config is invalid, cookie(s) #{intersection.join(', ')} cannot be enforced as lax and strict")
+      end
+    end
+
+    def is_hash?(obj)
+      obj && obj.is_a?(Hash)
+    end
+
+    def is_true_or_opt_out?(obj)
+      obj && (obj.is_a?(TrueClass) || obj == OPT_OUT)
+    end
+  end
+end

data/lib/secure_cookies/cookie.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+require "cgi"
+
+module SecureCookies
+  class CookiesConfigError < StandardError; end
+  class Cookie
+    attr_reader :raw_cookie, :config
+
+    COOKIE_DEFAULTS = {
+      httponly: true,
+      secure: true,
+      samesite: { lax: true },
+    }.freeze
+
+    def initialize(cookie, config)
+      @raw_cookie = cookie
+      unless config == OPT_OUT
+        config ||= {}
+        config = COOKIE_DEFAULTS.merge(config)
+      end
+      @config = config
+      @attributes = {
+        httponly: nil,
+        samesite: nil,
+        secure: nil,
+      }
+
+      parse(cookie)
+    end
+
+    def to_s
+      @raw_cookie.dup.tap do |c|
+        c << "; secure" if secure?
+        c << "; HttpOnly" if httponly?
+        c << "; #{samesite_cookie}" if samesite?
+      end
+    end
+
+    def secure?
+      flag_cookie?(:secure) && !already_flagged?(:secure)
+    end
+
+    def httponly?
+      flag_cookie?(:httponly) && !already_flagged?(:httponly)
+    end
+
+    def samesite?
+      flag_samesite? && !already_flagged?(:samesite)
+    end
+
+    private
+
+    def parsed_cookie
+      @parsed_cookie ||= CGI::Cookie.parse(raw_cookie)
+    end
+
+    def already_flagged?(attribute)
+      @attributes[attribute]
+    end
+
+    def flag_cookie?(attribute)
+      return false if config == OPT_OUT
+      case config[attribute]
+      when TrueClass
+        true
+      when Hash
+        conditionally_flag?(config[attribute])
+      else
+        false
+      end
+    end
+
+    def conditionally_flag?(configuration)
+      if(Array(configuration[:only]).any? && (Array(configuration[:only]) & parsed_cookie.keys).any?)
+        true
+      elsif(Array(configuration[:except]).any? && (Array(configuration[:except]) & parsed_cookie.keys).none?)
+        true
+      else
+        false
+      end
+    end
+
+    def samesite_cookie
+      if flag_samesite_lax?
+        "SameSite=Lax"
+      elsif flag_samesite_strict?
+        "SameSite=Strict"
+      end
+    end
+
+    def flag_samesite?
+      return false if config == OPT_OUT || config[:samesite] == OPT_OUT
+      flag_samesite_lax? || flag_samesite_strict?
+    end
+
+    def flag_samesite_lax?
+      flag_samesite_enforcement?(:lax)
+    end
+
+    def flag_samesite_strict?
+      flag_samesite_enforcement?(:strict)
+    end
+
+    def flag_samesite_enforcement?(mode)
+      return unless config[:samesite]
+
+      if config[:samesite].is_a?(TrueClass) && mode == :lax
+        return true
+      end
+
+      case config[:samesite][mode]
+      when Hash
+        conditionally_flag?(config[:samesite][mode])
+      when TrueClass
+        true
+      else
+        false
+      end
+    end
+
+    def parse(cookie)
+      return unless cookie
+
+      cookie.split(/[;,]\s?/).each do |pairs|
+        name, values = pairs.split("=", 2)
+        name = CGI.unescape(name)
+
+        attribute = name.downcase.to_sym
+        if @attributes.has_key?(attribute)
+          @attributes[attribute] = values || true
+        end
+      end
+    end
+  end
+end

data/lib/secure_cookies/middleware.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+module SecureCookies
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    # merges the hash of headers into the current header set.
+    def call(env)
+      req = Rack::Request.new(env)
+      status, headers, response = @app.call(env)
+
+      unless SecureCookies.config == OPT_OUT
+        flag_cookies!(headers, override_secure(env, SecureCookies.config))
+      end
+
+      [status, headers, response]
+    end
+
+    private
+
+    # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
+    def flag_cookies!(headers, config)
+      if cookies = headers["Set-Cookie"]
+        # Support Rails 2.3 / Rack 1.1 arrays as headers
+        cookies = cookies.split("\n") unless cookies.is_a?(Array)
+
+        headers["Set-Cookie"] = cookies.map do |cookie|
+          SecureCookies::Cookie.new(cookie, config).to_s
+        end.join("\n")
+      end
+    end
+
+    # disable Secure cookies for non-https requests
+    def override_secure(env, config = {})
+      if scheme(env) != "https" && config != OPT_OUT
+        config = config.dup
+        config[:secure] = OPT_OUT
+      end
+
+      config
+    end
+
+    # derived from https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L119
+    def scheme(env)
+      if env["HTTPS"] == "on" || env["HTTP_X_SSL_REQUEST"] == "on"
+        "https"
+      elsif env["HTTP_X_FORWARDED_PROTO"]
+        env["HTTP_X_FORWARDED_PROTO"].split(",")[0]
+      else
+        env["rack.url_scheme"]
+      end
+    end
+  end
+end

data/lib/secure_cookies/railtie.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+# rails 3.1+
+if defined?(Rails::Railtie)
+  module SecureCookies
+    class Railtie < Rails::Railtie
+      isolate_namespace SecureCookies if defined? isolate_namespace # rails 3.0
+
+      initializer "secure_cookies.middleware" do
+        Rails.application.config.middleware.insert_before 0, SecureCookies::Middleware
+      end
+    end
+  end
+end

data/lib/secure_cookies/version.rb

@@ -0,0 +1,3 @@
+module SecureCookies
+  VERSION = "0.1.0"
+end

data/secure_cookies.gemspec

@@ -0,0 +1,38 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "secure_cookies/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "secure_cookies2"
+  spec.version       = SecureCookies::VERSION
+  spec.authors       = ["Neil Matatall"]
+  spec.email         = ["oreoshake@users.noreply.github.com"]
+
+  spec.summary       = %q{Automatically marks all cookies as secure, httponly, and samesite=lax}
+  spec.description   = %q{Secure your cookies with an API for opting out}
+  spec.homepage      = "https://github.com/oreoshake/secure_cookies"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["homepage_uri"] = spec.homepage
+    spec.metadata["source_code_uri"] = "https://github.com/oreoshake/secure_cookies"
+    spec.metadata["changelog_uri"] = "https://github.com/oreoshake/secure_cookies/CHANGELOG"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: secure_cookies2
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Neil Matatall
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-02-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Secure your cookies with an API for opting out
+email:
+- oreoshake@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/secure_cookies.rb
+- lib/secure_cookies/cookie.rb
+- lib/secure_cookies/middleware.rb
+- lib/secure_cookies/railtie.rb
+- lib/secure_cookies/version.rb
+- secure_cookies.gemspec
+homepage: https://github.com/oreoshake/secure_cookies
+licenses: []
+metadata:
+  homepage_uri: https://github.com/oreoshake/secure_cookies
+  source_code_uri: https://github.com/oreoshake/secure_cookies
+  changelog_uri: https://github.com/oreoshake/secure_cookies/CHANGELOG
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.1
+signing_key: 
+specification_version: 4
+summary: Automatically marks all cookies as secure, httponly, and samesite=lax
+test_files: []