subdomainbox 0.3.5 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/VERSION +1 -1
- data/lib/generators/subdomainbox_generator.rb +1 -1
- data/lib/subdomainbox/{secure_xsrf_token.rb → secure_csrf_token.rb} +2 -2
- data/lib/subdomainbox.rb +1 -1
- data/spec/{secure_xsrf_token_spec.rb → secure_csrf_token_spec.rb} +4 -4
- data/spec/spec_helper.rb +0 -1
- data/subdomainbox.gemspec +4 -4
- metadata +17 -17
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.
|
|
1
|
+
0.5.0
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
class SubdomainboxGenerator < Rails::Generators::Base
|
|
2
2
|
|
|
3
3
|
def create_initializer_file
|
|
4
|
-
create_file "config/initializers/
|
|
4
|
+
create_file "config/initializers/csrf_token_secret.rb", "CSRF_TOKEN_SECRET = '#{SecureRandom.base64(48)}'"
|
|
5
5
|
end
|
|
6
6
|
|
|
7
7
|
end
|
|
@@ -9,9 +9,9 @@ module ActionController #:nodoc:
|
|
|
9
9
|
alias_method :original_form_authenticity_token, :form_authenticity_token
|
|
10
10
|
# Sets the token value for the current session.
|
|
11
11
|
def form_authenticity_token
|
|
12
|
-
raise '
|
|
12
|
+
raise 'CSRF token secret must be defined' if CSRF_TOKEN_SECRET.nil? || CSRF_TOKEN_SECRET.empty?
|
|
13
13
|
if request.session_options[:id]
|
|
14
|
-
Digest::SHA1.hexdigest("#{
|
|
14
|
+
Digest::SHA1.hexdigest("#{CSRF_TOKEN_SECRET}#{request.session_options[:id]}#{request.subdomain}")
|
|
15
15
|
else
|
|
16
16
|
original_form_authenticity_token
|
|
17
17
|
end
|
data/lib/subdomainbox.rb
CHANGED
|
@@ -1,2 +1,2 @@
|
|
|
1
1
|
require 'subdomainbox/subdomainbox.rb'
|
|
2
|
-
require 'subdomainbox/
|
|
2
|
+
require 'subdomainbox/secure_csrf_token.rb'
|
|
@@ -12,9 +12,9 @@ describe "ActionController::RequestForgeryProtection" do
|
|
|
12
12
|
|
|
13
13
|
describe "#form_authenticity_token" do
|
|
14
14
|
|
|
15
|
-
context "when
|
|
15
|
+
context "when CSRF_TOKEN_SECRET is blank" do
|
|
16
16
|
it "should raise an exception" do
|
|
17
|
-
|
|
17
|
+
CSRF_TOKEN_SECRET = ''
|
|
18
18
|
lambda {
|
|
19
19
|
form_authenticity_token
|
|
20
20
|
}.should raise_error
|
|
@@ -23,9 +23,9 @@ describe "ActionController::RequestForgeryProtection" do
|
|
|
23
23
|
|
|
24
24
|
context "when the user has a session" do
|
|
25
25
|
|
|
26
|
-
it "should be generated from the
|
|
26
|
+
it "should be generated from the CSRF_TOKEN_SECRET salted with the session id and the subdomain" do
|
|
27
27
|
request.stub_chain(:session_options, :[]).and_return('abc')
|
|
28
|
-
|
|
28
|
+
CSRF_TOKEN_SECRET = 'xyz'
|
|
29
29
|
form_authenticity_token.should == Digest::SHA1.hexdigest('xyzabcpets')
|
|
30
30
|
end
|
|
31
31
|
|
data/spec/spec_helper.rb
CHANGED
data/subdomainbox.gemspec
CHANGED
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = "subdomainbox"
|
|
8
|
-
s.version = "0.
|
|
8
|
+
s.version = "0.5.0"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["Daniel Nelson"]
|
|
12
|
-
s.date = "2013-03-
|
|
12
|
+
s.date = "2013-03-23"
|
|
13
13
|
s.description = "use subdomains to prevent XSS from accessing your entire application if it should happen to be injected into some page in your app"
|
|
14
14
|
s.email = "dnelson@centresource.com"
|
|
15
15
|
s.extra_rdoc_files = [
|
|
@@ -28,9 +28,9 @@ Gem::Specification.new do |s|
|
|
|
28
28
|
"VERSION",
|
|
29
29
|
"lib/generators/subdomainbox_generator.rb",
|
|
30
30
|
"lib/subdomainbox.rb",
|
|
31
|
-
"lib/subdomainbox/
|
|
31
|
+
"lib/subdomainbox/secure_csrf_token.rb",
|
|
32
32
|
"lib/subdomainbox/subdomainbox.rb",
|
|
33
|
-
"spec/
|
|
33
|
+
"spec/secure_csrf_token_spec.rb",
|
|
34
34
|
"spec/spec_helper.rb",
|
|
35
35
|
"spec/subdomainbox_spec.rb",
|
|
36
36
|
"subdomainbox.gemspec"
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: subdomainbox
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-03-
|
|
12
|
+
date: 2013-03-23 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: uuidtools
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &2160194360 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: '0'
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *2160194360
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: rspec
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &2160212440 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - =
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: 2.10.0
|
|
33
33
|
type: :development
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *2160212440
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: jeweler
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &2160210200 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ~>
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: 1.8.4
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *2160210200
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: pry
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &2160208380 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ! '>='
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: '0'
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *2160208380
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: pry-nav
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &2160207140 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ! '>='
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: '0'
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *2160207140
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: pry-stack_explorer
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &2160221580 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ! '>='
|
|
@@ -76,7 +76,7 @@ dependencies:
|
|
|
76
76
|
version: '0'
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *2160221580
|
|
80
80
|
description: use subdomains to prevent XSS from accessing your entire application
|
|
81
81
|
if it should happen to be injected into some page in your app
|
|
82
82
|
email: dnelson@centresource.com
|
|
@@ -97,9 +97,9 @@ files:
|
|
|
97
97
|
- VERSION
|
|
98
98
|
- lib/generators/subdomainbox_generator.rb
|
|
99
99
|
- lib/subdomainbox.rb
|
|
100
|
-
- lib/subdomainbox/
|
|
100
|
+
- lib/subdomainbox/secure_csrf_token.rb
|
|
101
101
|
- lib/subdomainbox/subdomainbox.rb
|
|
102
|
-
- spec/
|
|
102
|
+
- spec/secure_csrf_token_spec.rb
|
|
103
103
|
- spec/spec_helper.rb
|
|
104
104
|
- spec/subdomainbox_spec.rb
|
|
105
105
|
- subdomainbox.gemspec
|
|
@@ -118,7 +118,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
118
118
|
version: '0'
|
|
119
119
|
segments:
|
|
120
120
|
- 0
|
|
121
|
-
hash:
|
|
121
|
+
hash: 3040467631251113131
|
|
122
122
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
123
123
|
none: false
|
|
124
124
|
requirements:
|