subdomainbox 0.5.1 → 0.6.0
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +10 -6
- data/VERSION +1 -1
- data/lib/subdomainbox/secure_csrf_token.rb +3 -3
- data/lib/subdomainbox/subdomainbox.rb +3 -3
- data/spec/secure_csrf_token_spec.rb +11 -1
- data/subdomainbox.gemspec +2 -2
- metadata +15 -15
data/README.md
CHANGED
@@ -3,6 +3,8 @@ subdomainbox
|
|
3
3
|
|
4
4
|
Subdomain boxing was inspired by Egor Homakov's [post on pageboxing](http://homakov.blogspot.com/2013/02/pagebox-website-gatekeeper.html). Subdomain boxing limits the reach of any XSS attacks. If an attacker manages to insert javascript onto a page of your application, the javascript on that page will be unable to read data from or post data to any pages on different subdomains in your application. POST protection is achieved by creating a separate CSRF token for each subdomain. CSRF protection is also strengthened by changing the CSRF token based on session id (request.session_options[:id]).
|
5
5
|
|
6
|
+
Demo: http://app.subdomainbox.com
|
7
|
+
|
6
8
|
The subdomainbox gem is simple to add even to existing Rails applications:
|
7
9
|
|
8
10
|
class ApplicationController
|
@@ -17,20 +19,20 @@ The subdomainbox gem is simple to add even to existing Rails applications:
|
|
17
19
|
end
|
18
20
|
|
19
21
|
|
20
|
-
class
|
21
|
-
|
22
|
-
subdomainbox 'posts', :only => :index
|
23
|
-
subdomainbox ['posts-%{id}', 'comments-%{pop_id}'], :except => :index
|
22
|
+
class DocsController < ApplicationController
|
24
23
|
|
24
|
+
subdomainbox 'posts', :except => [:edit, :update, :show]
|
25
|
+
subdomainbox 'edit-%{id}', :only => [:edit, :update]
|
26
|
+
subdomainbox 'preview-%{id}', :only => :show
|
25
27
|
...
|
26
28
|
|
27
29
|
end
|
28
30
|
|
29
31
|
|
30
|
-
class Admin::
|
32
|
+
class Admin::DocsController < ApplicationController
|
31
33
|
|
32
34
|
subdomainbox 'admin', :only => :index
|
33
|
-
subdomainbox 'admin-%{
|
35
|
+
subdomainbox 'admin-%{doc_id}', :except => :index
|
34
36
|
|
35
37
|
...
|
36
38
|
|
@@ -69,6 +71,8 @@ Installation
|
|
69
71
|
end
|
70
72
|
MyApp::Application.config.session_store :cookie_store, key: '_myapp_session', :domain => cookie_domain
|
71
73
|
|
74
|
+
1. If you use Google Analytics, set up (cross subdomain tracking)[https://developers.google.com/analytics/devguides/collection/gajs/gaTrackingSite#domainSubDomains]
|
75
|
+
|
72
76
|
Development
|
73
77
|
===========
|
74
78
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.
|
1
|
+
0.6.0
|
@@ -10,10 +10,10 @@ module ActionController #:nodoc:
|
|
10
10
|
# Sets the token value for the current session.
|
11
11
|
def form_authenticity_token
|
12
12
|
raise 'CSRF token secret must be defined' if CSRF_TOKEN_SECRET.nil? || CSRF_TOKEN_SECRET.empty?
|
13
|
-
if request.session_options[:id]
|
14
|
-
Digest::SHA1.hexdigest("#{CSRF_TOKEN_SECRET}#{request.session_options[:id]}#{request.subdomain}")
|
15
|
-
else
|
13
|
+
if @default_subdomainbox_removed || request.session_options[:id].nil?
|
16
14
|
original_form_authenticity_token
|
15
|
+
else
|
16
|
+
Digest::SHA1.hexdigest("#{CSRF_TOKEN_SECRET}#{request.session_options[:id]}#{request.subdomain}")
|
17
17
|
end
|
18
18
|
end
|
19
19
|
|
@@ -17,7 +17,7 @@ module ActionController
|
|
17
17
|
end
|
18
18
|
|
19
19
|
def subdomainbox(box_definitions)
|
20
|
-
@
|
20
|
+
@default_subdomainbox_removed = true
|
21
21
|
subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
|
22
22
|
subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
|
23
23
|
end
|
@@ -27,7 +27,7 @@ module ActionController
|
|
27
27
|
# from any subdomain)
|
28
28
|
#
|
29
29
|
def remove_default_subdomainbox
|
30
|
-
@
|
30
|
+
@default_subdomainbox_removed = true
|
31
31
|
end
|
32
32
|
|
33
33
|
# set up a default subdomain box for all controllers that won't get an explicit subdomain box
|
@@ -35,7 +35,7 @@ module ActionController
|
|
35
35
|
# from a subdomain boxed page
|
36
36
|
#
|
37
37
|
def default_subdomainbox(box_definitions)
|
38
|
-
subdomainbox(box_definitions) unless @
|
38
|
+
subdomainbox(box_definitions) unless @default_subdomainbox_removed
|
39
39
|
end
|
40
40
|
|
41
41
|
private
|
@@ -22,13 +22,23 @@ describe "ActionController::RequestForgeryProtection" do
|
|
22
22
|
end
|
23
23
|
|
24
24
|
context "when the user has a session" do
|
25
|
+
before(:each) do
|
26
|
+
request.stub_chain(:session_options, :[]).and_return('abc')
|
27
|
+
end
|
25
28
|
|
26
29
|
it "should be generated from the CSRF_TOKEN_SECRET salted with the session id and the subdomain" do
|
27
|
-
request.stub_chain(:session_options, :[]).and_return('abc')
|
28
30
|
CSRF_TOKEN_SECRET = 'xyz'
|
29
31
|
form_authenticity_token.should == Digest::SHA1.hexdigest('xyzabcpets')
|
30
32
|
end
|
31
33
|
|
34
|
+
context "when the default subdomainbox has been removed" do
|
35
|
+
it "should call the original form_authenticity_token" do
|
36
|
+
@default_subdomainbox_removed = true
|
37
|
+
self.should_receive(:original_form_authenticity_token)
|
38
|
+
form_authenticity_token
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
32
42
|
end
|
33
43
|
|
34
44
|
context "when there is no session id" do
|
data/subdomainbox.gemspec
CHANGED
@@ -5,11 +5,11 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = "subdomainbox"
|
8
|
-
s.version = "0.
|
8
|
+
s.version = "0.6.0"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Daniel Nelson"]
|
12
|
-
s.date = "2013-
|
12
|
+
s.date = "2013-05-02"
|
13
13
|
s.description = "use subdomains to prevent XSS from accessing your entire application if it should happen to be injected into some page in your app"
|
14
14
|
s.email = "dnelson@centresource.com"
|
15
15
|
s.extra_rdoc_files = [
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: subdomainbox
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.6.0
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,11 +9,11 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-
|
12
|
+
date: 2013-05-02 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: uuidtools
|
16
|
-
requirement: &
|
16
|
+
requirement: &2164367660 !ruby/object:Gem::Requirement
|
17
17
|
none: false
|
18
18
|
requirements:
|
19
19
|
- - ! '>='
|
@@ -21,10 +21,10 @@ dependencies:
|
|
21
21
|
version: '0'
|
22
22
|
type: :runtime
|
23
23
|
prerelease: false
|
24
|
-
version_requirements: *
|
24
|
+
version_requirements: *2164367660
|
25
25
|
- !ruby/object:Gem::Dependency
|
26
26
|
name: rspec
|
27
|
-
requirement: &
|
27
|
+
requirement: &2164365580 !ruby/object:Gem::Requirement
|
28
28
|
none: false
|
29
29
|
requirements:
|
30
30
|
- - =
|
@@ -32,10 +32,10 @@ dependencies:
|
|
32
32
|
version: 2.10.0
|
33
33
|
type: :development
|
34
34
|
prerelease: false
|
35
|
-
version_requirements: *
|
35
|
+
version_requirements: *2164365580
|
36
36
|
- !ruby/object:Gem::Dependency
|
37
37
|
name: jeweler
|
38
|
-
requirement: &
|
38
|
+
requirement: &2164355360 !ruby/object:Gem::Requirement
|
39
39
|
none: false
|
40
40
|
requirements:
|
41
41
|
- - ~>
|
@@ -43,10 +43,10 @@ dependencies:
|
|
43
43
|
version: 1.8.4
|
44
44
|
type: :development
|
45
45
|
prerelease: false
|
46
|
-
version_requirements: *
|
46
|
+
version_requirements: *2164355360
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
48
|
name: pry
|
49
|
-
requirement: &
|
49
|
+
requirement: &2164354280 !ruby/object:Gem::Requirement
|
50
50
|
none: false
|
51
51
|
requirements:
|
52
52
|
- - ! '>='
|
@@ -54,10 +54,10 @@ dependencies:
|
|
54
54
|
version: '0'
|
55
55
|
type: :development
|
56
56
|
prerelease: false
|
57
|
-
version_requirements: *
|
57
|
+
version_requirements: *2164354280
|
58
58
|
- !ruby/object:Gem::Dependency
|
59
59
|
name: pry-nav
|
60
|
-
requirement: &
|
60
|
+
requirement: &2164352920 !ruby/object:Gem::Requirement
|
61
61
|
none: false
|
62
62
|
requirements:
|
63
63
|
- - ! '>='
|
@@ -65,10 +65,10 @@ dependencies:
|
|
65
65
|
version: '0'
|
66
66
|
type: :development
|
67
67
|
prerelease: false
|
68
|
-
version_requirements: *
|
68
|
+
version_requirements: *2164352920
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: pry-stack_explorer
|
71
|
-
requirement: &
|
71
|
+
requirement: &2164351700 !ruby/object:Gem::Requirement
|
72
72
|
none: false
|
73
73
|
requirements:
|
74
74
|
- - ! '>='
|
@@ -76,7 +76,7 @@ dependencies:
|
|
76
76
|
version: '0'
|
77
77
|
type: :development
|
78
78
|
prerelease: false
|
79
|
-
version_requirements: *
|
79
|
+
version_requirements: *2164351700
|
80
80
|
description: use subdomains to prevent XSS from accessing your entire application
|
81
81
|
if it should happen to be injected into some page in your app
|
82
82
|
email: dnelson@centresource.com
|
@@ -118,7 +118,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
118
118
|
version: '0'
|
119
119
|
segments:
|
120
120
|
- 0
|
121
|
-
hash: -
|
121
|
+
hash: -3756000022176297036
|
122
122
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
123
123
|
none: false
|
124
124
|
requirements:
|