[DRE-commits] [SCM] ruby-rack-protection.git branch, master, updated. upstream/1.3.2-5-g03f30e2
Youhei SASAKI
uwabami at gfd-dennou.org
Sun Mar 31 16:30:34 UTC 2013
The following commit has been merged in the master branch:
commit 09727240d2b6f518f53d3cd3f9506156f601fec2
Author: Youhei SASAKI <uwabami at gfd-dennou.org>
Date: Mon Apr 1 01:27:00 2013 +0900
Imported Upstream version 1.5.0
diff --git a/README.md b/README.md
index cba67a1..feaeff9 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ Prevented by:
Prevented by:
* `Rack::Protection::EscapedParams` (not included by `use Rack::Protection`)
-* `Rack::Protection::XssHeader` (Internet Explorer only)
+* `Rack::Protection::XSSHeader` (Internet Explorer only)
## Clickjacking
diff --git a/Rakefile b/Rakefile
index 78adeaf..b642a1a 100644
--- a/Rakefile
+++ b/Rakefile
@@ -14,15 +14,18 @@ task(:spec) { ruby '-S rspec spec' }
desc "generate gemspec"
task 'rack-protection.gemspec' do
require 'rack/protection/version'
- content = File.read 'rack-protection.gemspec'
+ content = File.binread 'rack-protection.gemspec'
# fetch data
fields = {
- :authors => `git shortlog -sn`.scan(/[^\d\s].*/),
- :email => `git shortlog -sne`.scan(/[^<]+@[^>]+/),
- :files => `git ls-files`.split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
+ :authors => `git shortlog -sn`.force_encoding('utf-8').scan(/[^\d\s].*/),
+ :email => `git shortlog -sne`.force_encoding('utf-8').scan(/[^<]+@[^>]+/),
+ :files => `git ls-files`.force_encoding('utf-8').split("\n").reject { |f| f =~ /^(\.|Gemfile)/ }
}
+ # double email :(
+ fields[:email].delete("konstantin.haase at gmail.com")
+
# insert data
fields.each do |field, values|
updated = " s.#{field} = ["
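Review bot: The `force_encoding('utf-8')` added on L35–L37 only relabels the bytes returned by git; it does not validate them, so a committer name containing a byte sequence that is not valid UTF-8 still makes the following `scan` raise `ArgumentError` (invalid byte sequence). If that is a concern, check the relabelled output before scanning, e.g. `raise "git shortlog output is not valid UTF-8" unless out.valid_encoding?`, so the failure names its cause instead of surfacing inside a regex call. The `rack-protection.gemspec` task continues past the end of the hunk.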
diff --git a/lib/rack/protection.rb b/lib/rack/protection.rb
index ff84265..604e749 100644
--- a/lib/rack/protection.rb
+++ b/lib/rack/protection.rb
@@ -20,7 +20,11 @@ module Rack
def self.new(app, options = {})
# does not include: RemoteReferrer, AuthenticityToken and FormToken
except = Array options[:except]
+ use_these = Array options[:use]
Rack::Builder.new do
+ use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
+ use ::Rack::Protection::AuthenticityToken,options if use_these.include? :authenticity_token
+ use ::Rack::Protection::FormToken, options if use_these.include? :form_token
use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options
use ::Rack::Protection::HttpOrigin, options unless except.include? :http_origin
use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing
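Review bot: The comment on L51, `# does not include: RemoteReferrer, AuthenticityToken and FormToken`, is now inaccurate: the three lines added on L55–L57 include exactly those middlewares whenever they are listed in `options[:use]`. Suggest `# RemoteReferrer, AuthenticityToken and FormToken are opt-in: they are added only when named in :use => [...]; :except does not apply to them`. L56 also lacks the space after the comma that its neighbours have: `use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token`. `self.new` continues past the end of the hunk.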
diff --git a/lib/rack/protection/base.rb b/lib/rack/protection/base.rb
index fb097ab..76e35c5 100755
--- a/lib/rack/protection/base.rb
+++ b/lib/rack/protection/base.rb
@@ -11,6 +11,7 @@ module Rack
:message => 'Forbidden', :encryptor => Digest::SHA1,
:session_key => 'rack.session', :status => 403,
:allow_empty_referrer => true,
+ :report_key => "protection.failed",
:html_types => %w[text/html application/xhtml]
}
@@ -63,6 +64,10 @@ module Rack
[options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
end
+ def report(env)
+ env[options[:report_key]] = true
+ end
+
def session?(env)
env.include? options[:session_key]
end
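Review bot: `report` on L75–L77 is undocumented and its contract differs from a blocking reaction: it only stores `true` under `env[options[:report_key]]` (default `"protection.failed"`, added in the first hunk of this file) and the request goes on to the application, which must inspect that key itself — the new example in spec/protection_spec.rb on this page relies on exactly that. Suggest a comment above it: `# Reaction for :reaction => :report — flags the request as failed under options[:report_key] and lets it reach the app instead of denying it`. How `react` selects this method is outside the hunk; presumably by `options[:reaction]` name, which would be worth stating in the same comment.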
diff --git a/lib/rack/protection/frame_options.rb b/lib/rack/protection/frame_options.rb
index 2939748..bce75c4 100644
--- a/lib/rack/protection/frame_options.rb
+++ b/lib/rack/protection/frame_options.rb
@@ -16,16 +16,22 @@ module Rack
# frame_options:: Defines who should be allowed to embed the page in a
# frame. Use :deny to forbid any embedding, :sameorigin
# to allow embedding from the same origin (default).
- class FrameOptions < XSSHeader
+ class FrameOptions < Base
default_options :frame_options => :sameorigin
- def header
- @header ||= begin
+ def frame_options
+ @frame_options ||= begin
frame_options = options[:frame_options]
frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str
- { 'X-Frame-Options' => frame_options.to_str }
+ frame_options.to_str
end
end
+
+ def call(env)
+ status, headers, body = @app.call(env)
+ headers['X-Frame-Options'] ||= frame_options if html? headers
+ [status, headers, body]
+ end
end
end
end
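Review bot: The header comment on L87–L89 documents only `:deny` and `:sameorigin`, but `frame_options` on L95–L101 accepts two kinds of value with different treatment: anything responding to `to_str` is sent verbatim, anything else is `to_s.upcase`d, so a symbol such as `:allow_from` would become `ALLOW_FROM`, which is not a valid directive. Suggest extending the comment: `# A String value is sent as-is (use this for ALLOW-FROM with its URI); a Symbol is upcased. The header is only added to responses html? accepts, and an X-Frame-Options the app already set is kept.` The last two facts come from `call` on L104–L108 (`html? headers` and `||=`) and are easy to miss from the class comment alone.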
diff --git a/lib/rack/protection/json_csrf.rb b/lib/rack/protection/json_csrf.rb
index 6066345..752c467 100644
--- a/lib/rack/protection/json_csrf.rb
+++ b/lib/rack/protection/json_csrf.rb
@@ -14,14 +14,21 @@ module Rack
default_reaction :deny
def call(env)
+ request = Request.new(env)
status, headers, body = app.call(env)
- if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
- if origin(env).nil? and referrer(env) != Request.new(env).host
- result = react(env)
- warn env, "attack prevented by #{self.class}"
- end
+
+ if has_vector? request, headers
+ warn env, "attack prevented by #{self.class}"
+ react(env)
+ else
+ [status, headers, body]
end
- result or [status, headers, body]
+ end
+
+ def has_vector?(request, headers)
+ return false if request.xhr?
+ return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+ origin(request.env).nil? and referrer(request.env) != request.host
end
end
end
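Review bot: On the deny path (L127–L129) the app's `body` obtained on L120 is discarded without being closed; Rack expects a body that responds to `close` to be closed by whoever drops it, so a file-backed or streaming body can leak its resource. Add `body.close if body.respond_to?(:close)` before `react(env)`. The content-type regex on L138 uses `^`/`$`, which in Ruby are line anchors; `\A`/`\z` express the intended whole-value match without relying on the header value having no newline. The `has_` prefix on `has_vector?` is also against the usual Ruby predicate naming (`csrf_vector?` would do).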
diff --git a/lib/rack/protection/remote_referrer.rb b/lib/rack/protection/remote_referrer.rb
index ecb1622..5375ebc 100644
--- a/lib/rack/protection/remote_referrer.rb
+++ b/lib/rack/protection/remote_referrer.rb
@@ -9,9 +9,6 @@ module Rack
#
# Does not accept unsafe HTTP requests if the Referer [sic] header is set to
# a different host.
- #
- # Combine with NoReferrer to also block remote requests from non-HTTP pages
- # (FTP/HTTPS/...).
class RemoteReferrer < Base
default_reaction :deny
diff --git a/lib/rack/protection/version.rb b/lib/rack/protection/version.rb
index 040b095..971f3aa 100644
--- a/lib/rack/protection/version.rb
+++ b/lib/rack/protection/version.rb
@@ -4,7 +4,7 @@ module Rack
VERSION
end
- SIGNATURE = [1, 3, 2]
+ SIGNATURE = [1, 5, 0]
VERSION = SIGNATURE.join('.')
VERSION.extend Comparable
diff --git a/lib/rack/protection/xss_header.rb b/lib/rack/protection/xss_header.rb
index 54fd984..6bb1486 100644
--- a/lib/rack/protection/xss_header.rb
+++ b/lib/rack/protection/xss_header.rb
@@ -14,18 +14,10 @@ module Rack
class XSSHeader < Base
default_options :xss_mode => :block, :nosniff => true
- def header
- headers = {
- 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
- 'X-Content-Type-Options' => "nosniff"
- }
- headers.delete("X-Content-Type-Options") unless options[:nosniff]
- headers
- end
-
def call(env)
status, headers, body = @app.call(env)
- headers = header.merge(headers) if options[:nosniff] and html?(headers)
+ headers['X-XSS-Protection'] ||= "1; mode=#{options[:xss_mode]}" if html? headers
+ headers['X-Content-Type-Options'] ||= 'nosniff' if options[:nosniff]
[status, headers, body]
end
end
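Review bot: The `||=` assignments on L186–L187 are case-sensitive when `headers` is a plain Hash, so an app that already set e.g. `x-content-type-options` would get a second copy under the canonical name rather than keeping its own value; whether a case-insensitive `Rack::Utils::HeaderHash` always reaches this middleware is not visible in the hunk. If it is not guaranteed, wrapping once with `headers = Rack::Utils::HeaderHash.new(headers)` before the two assignments makes the "app's header wins" intent hold regardless of key case. The value interpolated on L186 is also not validated, so any `:xss_mode` other than `:block` is sent as given; a comment on `default_options` naming the accepted value would help readers of the option.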
diff --git a/metadata.yml b/metadata.yml
index e305611..1bc0d46 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rack-protection
version: !ruby/object:Gem::Version
- version: 1.3.2
+ version: 1.5.0
prerelease:
platform: ruby
authors:
@@ -11,6 +11,8 @@ authors:
- Chris Mytton
- Corey Ward
- David Kellum
+- Egor Homakov
+- Florian Gilcher
- Fojas
- Mael Clerambault
- Martin Mauch
@@ -23,7 +25,7 @@ authors:
autorequire:
bindir: bin
cert_chain: []
-date: 2012-12-12 00:00:00.000000000 Z
+date: 2013-03-13 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: rack
@@ -77,10 +79,11 @@ description: You should use protection!
email:
- konstantin.mailinglists at googlemail.com
- p0deje at gmail.com
-- cheald at gmail.com
- self at hecticjeff.net
- coreyward at me.com
- dek-oss at gravitext.com
+- homakov at gmail.com
+- florian.gilcher at asquera.de
- developer at fojasaur.us
- mael at clerambault.fr
- martin.mauch at gmail.com
@@ -90,6 +93,7 @@ email:
- akzhan.abdulin at gmail.com
- toby.net.info.mail+git at gmail.com
- bjoerge at bengler.no
+- cheald at gmail.com
executables: []
extensions: []
extra_rdoc_files: []
diff --git a/rack-protection.gemspec b/rack-protection.gemspec
index 0d5567c..ee2ad12 100644
--- a/rack-protection.gemspec
+++ b/rack-protection.gemspec
@@ -2,7 +2,7 @@
Gem::Specification.new do |s|
# general infos
s.name = "rack-protection"
- s.version = "1.3.2"
+ s.version = "1.5.0"
s.description = "You should use protection!"
s.homepage = "http://github.com/rkh/rack-protection"
s.summary = s.description
@@ -15,6 +15,8 @@ Gem::Specification.new do |s|
"Chris Mytton",
"Corey Ward",
"David Kellum",
+ "Egor Homakov",
+ "Florian Gilcher",
"Fojas",
"Mael Clerambault",
"Martin Mauch",
@@ -23,17 +25,18 @@ Gem::Specification.new do |s|
"Steve Agalloco",
"Akzhan Abdulin",
"TOBY",
- "Bj\u{f8}rge N\u{e6}ss"
+ "Bj\u00F8rge N\u00E6ss"
]
# generated from git shortlog -sne
s.email = [
"konstantin.mailinglists at googlemail.com",
"p0deje at gmail.com",
- "cheald at gmail.com",
"self at hecticjeff.net",
"coreyward at me.com",
"dek-oss at gravitext.com",
+ "homakov at gmail.com",
+ "florian.gilcher at asquera.de",
"developer at fojasaur.us",
"mael at clerambault.fr",
"martin.mauch at gmail.com",
@@ -42,7 +45,8 @@ Gem::Specification.new do |s|
"steve.agalloco at gmail.com",
"akzhan.abdulin at gmail.com",
"toby.net.info.mail+git at gmail.com",
- "bjoerge at bengler.no"
+ "bjoerge at bengler.no",
+ "cheald at gmail.com"
]
# generated from git ls-files
diff --git a/spec/json_csrf_spec.rb b/spec/json_csrf_spec.rb
index b5a9355..1abb4c0 100644
--- a/spec/json_csrf_spec.rb
+++ b/spec/json_csrf_spec.rb
@@ -27,6 +27,10 @@ describe Rack::Protection::JsonCsrf do
it "accepts get requests with json responses with no referrer" do
get('/', {}).should be_ok
end
+
+ it "accepts XHR requests" do
+ get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
+ end
end
describe 'not json response' do
diff --git a/spec/protection_spec.rb b/spec/protection_spec.rb
index 4e682fc..8ed6d3e 100755
--- a/spec/protection_spec.rb
+++ b/spec/protection_spec.rb
@@ -18,6 +18,18 @@ describe Rack::Protection do
session.should be_empty
end
+ it 'passes errors through if :reaction => :report is used' do
+ mock_app do
+ use Rack::Protection, :reaction => :report
+ run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+ end
+
+ session = {:foo => :bar}
+ post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+ last_response.should be_ok
+ body.should == "true"
+ end
+
describe "#html?" do
context "given an appropriate content-type header" do
subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
diff --git a/spec/xss_header_spec.rb b/spec/xss_header_spec.rb
index cf62e55..05c9469 100644
--- a/spec/xss_header_spec.rb
+++ b/spec/xss_header_spec.rb
@@ -34,6 +34,12 @@ describe Rack::Protection::XSSHeader do
get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
end
+
+ it 'should set the X-Content-Type-Options for other content types' do
+ get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
+ end
+
+
it 'should allow changing the nosniff-mode off' do
mock_app do
use Rack::Protection::XSSHeader, :nosniff => false
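Review bot: L341–L342 leave two consecutive blank lines between the new example and the next one, where the rest of the file uses a single blank line; drop one. The new example on L338–L340 pins only the nosniff half of the xss_header.rb change on this page; an assertion that `X-XSS-Protection` is absent for `'wants' => 'application/foo'` would also pin the other half, that the XSS header is still limited to HTML responses.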
--