subdomainbox 0.5.1 → 0.6.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. data/README.md +10 -6
  2. data/VERSION +1 -1
  3. data/lib/subdomainbox/secure_csrf_token.rb +3 -3
  4. data/lib/subdomainbox/subdomainbox.rb +3 -3
  5. data/spec/secure_csrf_token_spec.rb +11 -1
  6. data/subdomainbox.gemspec +2 -2
  7. metadata +15 -15
data/README.md CHANGED
@@ -3,6 +3,8 @@ subdomainbox
3
3
 
4
4
  Subdomain boxing was inspired by Egor Homakov's [post on pageboxing](http://homakov.blogspot.com/2013/02/pagebox-website-gatekeeper.html). Subdomain boxing limits the reach of any XSS attacks. If an attacker manages to insert javascript onto a page of your application, the javascript on that page will be unable to read data from or post data to any pages on different subdomains in your application. POST protection is achieved by creating a separate CSRF token for each subdomain. CSRF protection is also strengthened by changing the CSRF token based on session id (request.session_options[:id]).
5
5
 
6
+ Demo: http://app.subdomainbox.com
7
+
6
8
  The subdomainbox gem is simple to add even to existing Rails applications:
7
9
 
8
10
  class ApplicationController
@@ -17,20 +19,20 @@ The subdomainbox gem is simple to add even to existing Rails applications:
17
19
  end
18
20
 
19
21
 
20
- class PostsController < ApplicationController
21
-
22
- subdomainbox 'posts', :only => :index
23
- subdomainbox ['posts-%{id}', 'comments-%{pop_id}'], :except => :index
22
+ class DocsController < ApplicationController
24
23
 
24
+ subdomainbox 'posts', :except => [:edit, :update, :show]
25
+ subdomainbox 'edit-%{id}', :only => [:edit, :update]
26
+ subdomainbox 'preview-%{id}', :only => :show
25
27
  ...
26
28
 
27
29
  end
28
30
 
29
31
 
30
- class Admin::PostsController < ApplicationController
32
+ class Admin::DocsController < ApplicationController
31
33
 
32
34
  subdomainbox 'admin', :only => :index
33
- subdomainbox 'admin-%{post_id}', :except => :index
35
+ subdomainbox 'admin-%{doc_id}', :except => :index
34
36
 
35
37
  ...
36
38
 
@@ -69,6 +71,8 @@ Installation
69
71
  end
70
72
  MyApp::Application.config.session_store :cookie_store, key: '_myapp_session', :domain => cookie_domain
71
73
 
74
+ 1. If you use Google Analytics, set up (cross subdomain tracking)[https://developers.google.com/analytics/devguides/collection/gajs/gaTrackingSite#domainSubDomains]
75
+
72
76
  Development
73
77
  ===========
74
78
 
data/VERSION CHANGED
@@ -1 +1 @@
1
- 0.5.1
1
+ 0.6.0
data/lib/subdomainbox/secure_csrf_token.rb CHANGED
@@ -10,10 +10,10 @@ module ActionController #:nodoc:
10
10
  # Sets the token value for the current session.
11
11
  def form_authenticity_token
12
12
  raise 'CSRF token secret must be defined' if CSRF_TOKEN_SECRET.nil? || CSRF_TOKEN_SECRET.empty?
13
- if request.session_options[:id]
14
- Digest::SHA1.hexdigest("#{CSRF_TOKEN_SECRET}#{request.session_options[:id]}#{request.subdomain}")
15
- else
13
+ if @default_subdomainbox_removed || request.session_options[:id].nil?
16
14
  original_form_authenticity_token
15
+ else
16
+ Digest::SHA1.hexdigest("#{CSRF_TOKEN_SECRET}#{request.session_options[:id]}#{request.subdomain}")
17
17
  end
18
18
  end
19
19
 
data/lib/subdomainbox/subdomainbox.rb CHANGED
@@ -17,7 +17,7 @@ module ActionController
17
17
  end
18
18
 
19
19
  def subdomainbox(box_definitions)
20
- @remove_default_subdomainbox = true
20
+ @default_subdomainbox_removed = true
21
21
  subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
22
22
  subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
23
23
  end
@@ -27,7 +27,7 @@ module ActionController
27
27
  # from any subdomain)
28
28
  #
29
29
  def remove_default_subdomainbox
30
- @remove_default_subdomainbox = true
30
+ @default_subdomainbox_removed = true
31
31
  end
32
32
 
33
33
  # set up a default subdomain box for all controllers that won't get an explicit subdomain box
@@ -35,7 +35,7 @@ module ActionController
35
35
  # from a subdomain boxed page
36
36
  #
37
37
  def default_subdomainbox(box_definitions)
38
- subdomainbox(box_definitions) unless @remove_default_subdomainbox
38
+ subdomainbox(box_definitions) unless @default_subdomainbox_removed
39
39
  end
40
40
 
41
41
  private
data/spec/secure_csrf_token_spec.rb CHANGED
@@ -22,13 +22,23 @@ describe "ActionController::RequestForgeryProtection" do
22
22
  end
23
23
 
24
24
  context "when the user has a session" do
25
+ before(:each) do
26
+ request.stub_chain(:session_options, :[]).and_return('abc')
27
+ end
25
28
 
26
29
  it "should be generated from the CSRF_TOKEN_SECRET salted with the session id and the subdomain" do
27
- request.stub_chain(:session_options, :[]).and_return('abc')
28
30
  CSRF_TOKEN_SECRET = 'xyz'
29
31
  form_authenticity_token.should == Digest::SHA1.hexdigest('xyzabcpets')
30
32
  end
31
33
 
34
+ context "when the default subdomainbox has been removed" do
35
+ it "should call the original form_authenticity_token" do
36
+ @default_subdomainbox_removed = true
37
+ self.should_receive(:original_form_authenticity_token)
38
+ form_authenticity_token
39
+ end
40
+ end
41
+
32
42
  end
33
43
 
34
44
  context "when there is no session id" do
data/subdomainbox.gemspec CHANGED
@@ -5,11 +5,11 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = "subdomainbox"
8
- s.version = "0.5.1"
8
+ s.version = "0.6.0"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["Daniel Nelson"]
12
- s.date = "2013-03-25"
12
+ s.date = "2013-05-02"
13
13
  s.description = "use subdomains to prevent XSS from accessing your entire application if it should happen to be injected into some page in your app"
14
14
  s.email = "dnelson@centresource.com"
15
15
  s.extra_rdoc_files = [
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: subdomainbox
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.1
4
+ version: 0.6.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-03-25 00:00:00.000000000 Z
12
+ date: 2013-05-02 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: uuidtools
16
- requirement: &2152059740 !ruby/object:Gem::Requirement
16
+ requirement: &2164367660 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '0'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *2152059740
24
+ version_requirements: *2164367660
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: rspec
27
- requirement: &2152058780 !ruby/object:Gem::Requirement
27
+ requirement: &2164365580 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - =
@@ -32,10 +32,10 @@ dependencies:
32
32
  version: 2.10.0
33
33
  type: :development
34
34
  prerelease: false
35
- version_requirements: *2152058780
35
+ version_requirements: *2164365580
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: jeweler
38
- requirement: &2152112060 !ruby/object:Gem::Requirement
38
+ requirement: &2164355360 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ~>
@@ -43,10 +43,10 @@ dependencies:
43
43
  version: 1.8.4
44
44
  type: :development
45
45
  prerelease: false
46
- version_requirements: *2152112060
46
+ version_requirements: *2164355360
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: pry
49
- requirement: &2152110740 !ruby/object:Gem::Requirement
49
+ requirement: &2164354280 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
54
54
  version: '0'
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *2152110740
57
+ version_requirements: *2164354280
58
58
  - !ruby/object:Gem::Dependency
59
59
  name: pry-nav
60
- requirement: &2152108660 !ruby/object:Gem::Requirement
60
+ requirement: &2164352920 !ruby/object:Gem::Requirement
61
61
  none: false
62
62
  requirements:
63
63
  - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
65
65
  version: '0'
66
66
  type: :development
67
67
  prerelease: false
68
- version_requirements: *2152108660
68
+ version_requirements: *2164352920
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: pry-stack_explorer
71
- requirement: &2152107320 !ruby/object:Gem::Requirement
71
+ requirement: &2164351700 !ruby/object:Gem::Requirement
72
72
  none: false
73
73
  requirements:
74
74
  - - ! '>='
@@ -76,7 +76,7 @@ dependencies:
76
76
  version: '0'
77
77
  type: :development
78
78
  prerelease: false
79
- version_requirements: *2152107320
79
+ version_requirements: *2164351700
80
80
  description: use subdomains to prevent XSS from accessing your entire application
81
81
  if it should happen to be injected into some page in your app
82
82
  email: dnelson@centresource.com
@@ -118,7 +118,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
118
118
  version: '0'
119
119
  segments:
120
120
  - 0
121
- hash: -1018777487133078925
121
+ hash: -3756000022176297036
122
122
  required_rubygems_version: !ruby/object:Gem::Requirement
123
123
  none: false
124
124
  requirements: