static-rails 0.0.4 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14d31f3821438735e307f98dd5f4a48215d0b1d678915369a7abd459b3b40145
-  data.tar.gz: bc7b15c689693e533a75ac378db060396cde1839edb0acffc04c30e18872bf77
+  metadata.gz: 6745d74377412999963201634328706d263efcb29eb445a71c84cd427b618084
+  data.tar.gz: 9ffe84b1fc78ada36ab6699cb1826815e8da0fc0cdbe266c952f563a41c577a6
 SHA512:
-  metadata.gz: f645e5e515d712acd3c1a81935d560d3ef0f2be3a42e5fd42af4320cf6a4ae25e14843b0c076dfda4ec5b980a12cc436cfbef527768704f97c6e89ac2e7e17f6
-  data.tar.gz: 61600757a2e549dc5bff49b8fe01da9c0f45eac4a1fd6ba815ea4aafb5655270bfa457ac76c98a0927b98e61bcf741b40a0089f0cfb55f612ad0de386b0fa9d4
+  metadata.gz: 679620aed3269f571bbec98a28537a34e03240e7df57319e34e0c100b85332cdbbbc6a01cf34d62552edbbc971411a881da57a33b54ede1d64b4c0833b7fbc6a
+  data.tar.gz: a89bc51bded625662eb00666c0d3c2f1034f9d397a84e86d7e30136398d0e53e60d0e8287cce0cda3baea0dc5c7ef037bc629635e7c9854a58b5c8376ddafa2d

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## 0.0.9
+
+* When using CSRF protection, the artificial path info will now be
+  "__static_rails__" instead of a random string, to make logs appear cleaner
+* Attempt to guard against future internal changes to Rails' request forgery
+  protection by adding `method_missing` that calls through
+
+## 0.0.8
+
+* Add support for the [CSRF
+  changes](https://github.com/rails/rails/commit/358ff18975f26e820ea355ec113ffc5228e59af8) in Rails 6.0.3.1
+
+## 0.0.7
+
+* Ensure that CSRF tokens are valid, at the cost of some performance and
+  reliance on additional Rails internals. As a result CSRF cookie setting is now
+  disabled by default [#6](https://github.com/testdouble/static-rails/pull/6)
+
+## 0.0.6
+
+* Fix an issue where `ActionDispatch::FileHandler` won't be loaded in the event
+  that static-rails is serving compiled assets but Rails is not
+
+## 0.0.5
+
+* Add a site option `compile_404_file_path` to specify a file to be used as a
+  404 page when serving compiled assets and no file is found
+
 ## 0.0.4
 
 * Add a cookie named `_csrf_token` by default to all static site requests, so

data/Gemfile.lock

@@ -1,27 +1,27 @@
 PATH
   remote: .
   specs:
-    static-rails (0.0.4)
+    static-rails (0.0.9)
       rack-proxy (~> 0.6)
       railties (>= 5.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.0.3)
-      actionview (= 6.0.3)
-      activesupport (= 6.0.3)
+    actionpack (6.0.3.1)
+      actionview (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.3)
-      activesupport (= 6.0.3)
+    actionview (6.0.3.1)
+      activesupport (= 6.0.3.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.0.3)
+    activesupport (6.0.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -32,19 +32,18 @@ GEM
     concurrent-ruby (1.1.6)
     crass (1.0.6)
     erubi (1.9.0)
-    i18n (1.8.2)
+    i18n (1.8.3)
       concurrent-ruby (~> 1.0)
-    jaro_winkler (1.5.4)
     loofah (2.5.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
-    minitest (5.14.0)
+    minitest (5.14.1)
     nokogiri (1.10.9)
       mini_portile2 (~> 2.4.0)
     parallel (1.19.1)
-    parser (2.7.1.1)
+    parser (2.7.1.3)
       ast (~> 2.4.0)
     rack (2.2.2)
     rack-proxy (0.6.5)
@@ -56,34 +55,38 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3)
-      actionpack (= 6.0.3)
-      activesupport (= 6.0.3)
+    railties (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
     rainbow (3.0.0)
     rake (13.0.1)
+    regexp_parser (1.7.1)
     rexml (3.2.4)
-    rubocop (0.80.1)
-      jaro_winkler (~> 1.5.1)
+    rubocop (0.85.1)
       parallel (~> 1.10)
       parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
       rexml
+      rubocop-ast (>= 0.0.3)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
-    rubocop-performance (1.5.2)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.0.3)
+      parser (>= 2.7.0.1)
+    rubocop-performance (1.6.1)
       rubocop (>= 0.71.0)
     ruby-progressbar (1.10.1)
-    standard (0.2.5)
-      rubocop (~> 0.80.1)
-      rubocop-performance (~> 1.5.2)
+    standard (0.4.7)
+      rubocop (~> 0.85.0)
+      rubocop-performance (~> 1.6.0)
     thor (1.0.1)
     thread_safe (0.3.6)
     tzinfo (1.2.7)
       thread_safe (~> 0.1)
-    unicode-display_width (1.6.1)
+    unicode-display_width (1.7.0)
     zeitwerk (2.3.0)
 
 PLATFORMS

data/README.md

@@ -84,13 +84,14 @@ overall behavior of the gem itself, across all your static sites:
   `proxy_requests` is true, that the gem will wait for a response from a static
   site's server on any given request before timing out and raising an error
 
-* **config.set_csrf_token_cookie** (Default: `true`) when true, the gem's
+* **config.set_csrf_token_cookie** (Default: `false`) when true, the gem's
   middleware will set a cookie named `_csrf_token` with each request of your
   static site. You can use this to set the `'x-csrf-token'` header on any
   requests from your site back to routes hosted by the Rails app that are
   [protected from CSRF
   forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
-  (if you're not using Rails' cookie store for sessions, turn this off)
+  (if you're not using Rails' cookie store for sessions or you're okay with API
+  calls bypassing Rails CSRF, leave this off)
 
 ### Configuring your static sites themselves
 
@@ -153,6 +154,10 @@ To tell the gem about your static sites, assign an array of hashes as `sites`
   path to which production assets are compiled, relative to the site's
   `source_dir`
 
+* **compile_404_file_path** (Optional) When `serve_compiled_assets` is true,
+  this file (relative to the `compile_dir`) will be served whenever the
+  request's path does not match a file on disk
+
 ## Configuring your static site generators
 
 Assuming you won't be mounting your static site to your app's root `/` path,

data/lib/generators/templates/static.rb

@@ -12,7 +12,7 @@ StaticRails.config do |config|
   # When true, both the proxy & static asset middleware will set a cookie
   #   named "_csrf_token" to the Rails CSRF token, allowing any client-side
   #   API requests to take advantage of Rails' request forgery protection
-  # config.set_csrf_token_cookie = true
+  # config.set_csrf_token_cookie = false
 
   # The list of static sites you are hosting with static-rails.
   # Note that order matters! Request will be forwarded to the first site that
@@ -66,6 +66,9 @@ StaticRails.config do |config|
     #
     #   # The destination of production-compiled assets, relative to Rails root
     #   compile_dir: "static/blog/dist"
+    #
+    #   # A 404 page to be sent when serving compiled assets and no file matches
+    #   compile_404_file_path: "404.html"
     # },
   ]
 end

data/lib/static-rails/configuration.rb

@@ -13,10 +13,10 @@ module StaticRails
     # When Rails invokes our Railtie, we'll save off a reference to the Rails app
     attr_accessor :app
 
-    # When true, the ProxyMiddleware will be added
+    # When true, our middleware will proxy requests to static site servers
     attr_accessor :proxy_requests
 
-    # When true, the StaticMiddleware will be added
+    # When true, our middleware will serve sites' compiled asset files
     attr_accessor :serve_compiled_assets
 
     # Number of seconds to wait on sites to confirm servers are ready
@@ -30,7 +30,7 @@ module StaticRails
       @proxy_requests = !Rails.env.production?
       @serve_compiled_assets = Rails.env.production?
       @ping_server_timeout = 5
-      @set_csrf_token_cookie = true
+      @set_csrf_token_cookie = false
     end
 
     attr_reader :sites

data/lib/static-rails/gets_csrf_token.rb

@@ -1,15 +1,31 @@
+require_relative "request_forgery_protection_fallback"
+
 module StaticRails
   class GetsCsrfToken
+    include RequestForgeryProtectionFallback
+
     def call(req)
       masked_authenticity_token(req.session)
     end
 
     private
 
+    def csrf_token_hmac(session, identifier)
+      ActionController::RequestForgeryProtection.instance_method(:csrf_token_hmac).bind(self).call(session, identifier)
+    end
+
+    def mask_token(raw_token)
+      ActionController::RequestForgeryProtection.instance_method(:mask_token).bind(self).call(raw_token)
+    end
+
     def masked_authenticity_token(session, form_options: {})
       ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options)
     end
 
+    def global_csrf_token(session)
+      ActionController::RequestForgeryProtection.instance_method(:global_csrf_token).bind(self).call(session)
+    end
+
     def real_csrf_token(session)
       ActionController::RequestForgeryProtection.instance_method(:real_csrf_token).bind(self).call(session)
     end

data/lib/static-rails/request_forgery_protection_fallback.rb

@@ -0,0 +1,19 @@
+module StaticRails
+  module RequestForgeryProtectionFallback
+    def method_missing(method_name, *args, **kwargs, &blk)
+      if respond_to?(method_name)
+        ActionController::RequestForgeryProtection.instance_method(method_name).bind(self).call(*args, **kwargs, &blk)
+      else
+        super
+      end
+    end
+
+    def respond_to?(method_name, *args)
+      ActionController::RequestForgeryProtection.instance_method(method_name) || super
+    end
+
+    def respond_to_missing?(method_name, *args)
+      ActionController::RequestForgeryProtection.instance_method(method_name) || super
+    end
+  end
+end

data/lib/static-rails/site.rb

@@ -14,6 +14,7 @@ module StaticRails
     :server_path,
     :compile_command,
     :compile_dir,
+    :compile_404_file_path,
     keyword_init: true
   )
 

data/lib/static-rails/site_middleware.rb

@@ -1,11 +1,10 @@
 require_relative "proxy_middleware"
 require_relative "static_middleware"
 require_relative "determines_whether_to_handle_request"
-require_relative "gets_csrf_token"
 
 module StaticRails
   class SiteMiddleware
-    PATH_INFO_OBFUSCATION = "JujJVj31M3SpzTjIGBJ2-3iE0lKXOIOlbLuk9Lxwe-Ll2uLuwH5KD8dmt1MqyZ"
+    PATH_INFO_OBFUSCATION = "__static-rails__"
 
     def initialize(app)
       @app = app
@@ -17,7 +16,7 @@ module StaticRails
     def call(env)
       return @app.call(env) unless @determines_whether_to_handle_request.call(env)
 
-      if require_csrf_before_processing_request? && !csrf_token_is_set?(env)
+      if require_csrf_before_processing_request?
         # You might be asking yourself what the hell is going on here. In short,
         # This middleware sits at the top of the stack, which is too early to
         # set a CSRF token in a cookie. Therefore, we've placed a subclass of
@@ -41,7 +40,7 @@ module StaticRails
         #
         # (By the way, this was all Matthew Draper's bright idea. You can
         # compliment him here: https://github.com/matthewd )
-        @app.call(env.merge("PATH_INFO" => env["PATH_INFO"] + PATH_INFO_OBFUSCATION))
+        @app.call(env.merge("PATH_INFO" => PATH_INFO_OBFUSCATION + env["PATH_INFO"]))
       elsif StaticRails.config.proxy_requests
         @proxy_middleware.call(env)
       elsif StaticRails.config.serve_compiled_assets
@@ -55,9 +54,5 @@ module StaticRails
     def require_csrf_before_processing_request?
       StaticRails.config.set_csrf_token_cookie
     end
-
-    def csrf_token_is_set?(env)
-      Rack::Request.new(env).cookies.has_key?("_csrf_token")
-    end
   end
 end

data/lib/static-rails/site_plus_csrf_middleware.rb

@@ -1,30 +1,34 @@
 require_relative "site_middleware"
 require_relative "determines_whether_to_handle_request"
+require_relative "validates_csrf_token"
 require_relative "gets_csrf_token"
 
 module StaticRails
   class SitePlusCsrfMiddleware < SiteMiddleware
     def initialize(app)
       @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+      @validates_csrf_token = ValidatesCsrfToken.new
       @gets_csrf_token = GetsCsrfToken.new
       super
     end
 
     def call(env)
-      return @app.call(env) unless @determines_whether_to_handle_request.call(env)
+      return @app.call(env) unless env["PATH_INFO"]&.start_with?(PATH_INFO_OBFUSCATION) || @determines_whether_to_handle_request.call(env)
 
       env = env.merge(
-        "PATH_INFO" => env["PATH_INFO"].gsub(/#{PATH_INFO_OBFUSCATION}/, "")
+        "PATH_INFO" => env["PATH_INFO"].gsub(/^#{PATH_INFO_OBFUSCATION}/, "")
       )
       status, headers, body = super(env)
 
       if StaticRails.config.set_csrf_token_cookie
         req = Rack::Request.new(env)
         res = Rack::Response.new(body, status, headers)
-        res.set_cookie("_csrf_token", {
-          value: @gets_csrf_token.call(req),
-          path: "/"
-        })
+        if needs_new_csrf_token?(req)
+          res.set_cookie("_csrf_token", {
+            value: @gets_csrf_token.call(req),
+            path: "/"
+          })
+        end
         res.finish
       else
         [status, headers, body]
@@ -36,5 +40,11 @@ module StaticRails
     def require_csrf_before_processing_request?
       false
     end
+
+    private
+
+    def needs_new_csrf_token?(req)
+      !req.cookies.has_key?("_csrf_token") || !@validates_csrf_token.call(req)
+    end
   end
 end

data/lib/static-rails/static_middleware.rb

@@ -1,4 +1,5 @@
 require "rack-proxy"
+require "action_dispatch/middleware/static"
 
 require_relative "matches_request_to_static_site"
 
@@ -17,7 +18,7 @@ module StaticRails
       if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
         file_handler = file_handler_for(site)
         path = req.path_info.gsub(/^#{site.url_root_path}/, "").chomp("/")
-        if (match = file_handler.match?(path))
+        if (match = matching_file_for(file_handler, site, path))
           req.path_info = match
           return file_handler.serve(req)
         end
@@ -35,5 +36,13 @@ module StaticRails
         StaticRails.config.app.root.join(site.compile_dir).to_s
       )
     end
+
+    def matching_file_for(file_handler, site, path)
+      if (match = file_handler.match?(path))
+        match
+      elsif site.compile_404_file_path.present?
+        file_handler.match?(site.compile_404_file_path)
+      end
+    end
   end
 end

data/lib/static-rails/validates_csrf_token.rb

@@ -0,0 +1,33 @@
+require_relative "request_forgery_protection_fallback"
+
+module StaticRails
+  class ValidatesCsrfToken
+    include RequestForgeryProtectionFallback
+
+    def call(req)
+      valid_authenticity_token?(req.session, req.cookies["_csrf_token"])
+    end
+
+    private
+
+    [
+      :compare_with_global_token,
+      :global_csrf_token,
+      :csrf_token_hmac,
+      :valid_authenticity_token?,
+      :unmask_token,
+      :compare_with_real_token,
+      :valid_per_form_csrf_token?,
+      :xor_byte_strings,
+      :real_csrf_token
+    ].each do |method|
+      define_method method do |*args, **kwargs, &blk|
+        ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
+      end
+    end
+
+    def per_form_csrf_tokens
+      false
+    end
+  end
+end

data/lib/static-rails/version.rb

@@ -1,3 +1,3 @@
 module StaticRails
-  VERSION = "0.0.4"
+  VERSION = "0.0.9"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: static-rails
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.9
 platform: ruby
 authors:
 - Justin Searls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-13 00:00:00.000000000 Z
+date: 2020-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -62,7 +62,6 @@ files:
 - lib/static-rails.rb
 - lib/static-rails/compile.rb
 - lib/static-rails/configuration.rb
-- lib/static-rails/csrf_middleware.rb
 - lib/static-rails/determines_whether_to_handle_request.rb
 - lib/static-rails/error.rb
 - lib/static-rails/gets_csrf_token.rb
@@ -70,12 +69,14 @@ files:
 - lib/static-rails/proxy_middleware.rb
 - lib/static-rails/rack_server_check.rb
 - lib/static-rails/railtie.rb
+- lib/static-rails/request_forgery_protection_fallback.rb
 - lib/static-rails/server.rb
 - lib/static-rails/server_store.rb
 - lib/static-rails/site.rb
 - lib/static-rails/site_middleware.rb
 - lib/static-rails/site_plus_csrf_middleware.rb
 - lib/static-rails/static_middleware.rb
+- lib/static-rails/validates_csrf_token.rb
 - lib/static-rails/version.rb
 - lib/static-rails/waits_for_connection.rb
 - lib/tasks/static-rails.rake

data/lib/static-rails/csrf_middleware.rb

@@ -1,20 +0,0 @@
-require_relative "gets_csrf_token"
-
-module StaticRails
-  class CsrfMiddleware
-    def initialize(app)
-      @app = app
-      @gets_csrf_token = GetsCsrfToken.new
-    end
-
-    def call(env)
-      if env["__static_rails_evil_request_for_csrf_token"]
-        req = Rack::Request.new(env)
-        [200, {}, [@gets_csrf_token.call(req)]].tap do
-        end
-      else
-        @app.call(env)
-      end
-    end
-  end
-end