sinatra/rack-protection/lib/rack/protection/base.rb

require 'rack/protection'
require 'digest'
require 'logger'
require 'uri'

module Rack
  module Protection
    class Base
      DEFAULT_OPTIONS = {
        :reaction    => :default_reaction, :logging   => true,
        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
        :session_key => 'rack.session',    :status    => 403,
        :allow_empty_referrer => true
      }

      attr_reader :app, :options

      def self.default_options(options)
        define_method(:default_options) { super().merge(options) }
      end

      def self.default_reaction(reaction)
        alias_method(:default_reaction, reaction)
      end

      def default_options
        DEFAULT_OPTIONS
      end

      def initialize(app, options = {})
        @app, @options = app, default_options.merge(options)
      end

      def safe?(env)
        %w[GET HEAD OPTIONS TRACE].include? env['REQUEST_METHOD']
      end

      def accepts?(env)
        raise NotImplementedError, "#{self.class} implementation pending"
      end

      def call(env)
        unless accepts? env
          warn env, "attack prevented by #{self.class}"
          result = react env
        end
        result or app.call(env)
      end

      def react(env)
        result = send(options[:reaction], env)
        result if Array === result and result.size == 3
      end

      def warn(env, message)
        return unless options[:logging]
        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
        l.warn(message)
      end

      def deny(env)
        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
      end

      def session?(env)
        env.include? options[:session_key]
      end

      def session(env)
        return env[options[:session_key]] if session? env
        fail "you need to set up a session middleware *before* #{self.class}"
      end

      def drop_session(env)
        session(env).clear if session? env
      end

      def referrer(env)
        ref = env['HTTP_REFERER'].to_s
        return if !options[:allow_empty_referrer] and ref.empty?
        URI.parse(ref).host || Request.new(env).host
      end

      def origin(env)
        env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
      end

      def random_string(secure = defined? SecureRandom)
        secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
      rescue NotImplementedError
        random_string false
      end

      def encrypt(value)
        options[:encryptor].hexdigest value.to_s
      end

      alias default_reaction deny
    end
  end
end
initial commit 2011-05-23 04:07:54 -04:00			`require 'rack/protection'`
implement session hijacking prevention 2011-05-29 07:01:47 -04:00			`require 'digest'`
implement NoReferrer 2011-05-25 06:27:18 -04:00			`require 'logger'`
move stuff around, add remote_token protection 2011-05-29 05:45:27 -04:00			`require 'uri'`
initial commit 2011-05-23 04:07:54 -04:00
			`module Rack`
			`module Protection`
			`class Base`
implement NoReferrer 2011-05-25 06:27:18 -04:00			`DEFAULT_OPTIONS = {`
implement session hijacking prevention 2011-05-29 07:01:47 -04:00			`:reaction => :default_reaction, :logging => true,`
			`:message => 'Forbidden', :encryptor => Digest::SHA1,`
remove NoReferrer, instead, take an option for that 2011-06-20 07:08:39 -04:00			`:session_key => 'rack.session', :status => 403,`
			`:allow_empty_referrer => true`
implement NoReferrer 2011-05-25 06:27:18 -04:00			`}`

initial commit 2011-05-23 04:07:54 -04:00			`attr_reader :app, :options`

			`def self.default_options(options)`
			`define_method(:default_options) { super().merge(options) }`
			`end`

implement NoReferrer 2011-05-25 06:27:18 -04:00			`def self.default_reaction(reaction)`
			`alias_method(:default_reaction, reaction)`
			`end`

initial commit 2011-05-23 04:07:54 -04:00			`def default_options`
			`DEFAULT_OPTIONS`
			`end`

			`def initialize(app, options = {})`
fix default options not overriding options 2011-05-24 04:56:19 -04:00			`@app, @options = app, default_options.merge(options)`
initial commit 2011-05-23 04:07:54 -04:00			`end`

implement NoReferrer 2011-05-25 06:27:18 -04:00			`def safe?(env)`
			`%w[GET HEAD OPTIONS TRACE].include? env['REQUEST_METHOD']`
			`end`

initial commit 2011-05-23 04:07:54 -04:00			`def accepts?(env)`
			`raise NotImplementedError, "#{self.class} implementation pending"`
			`end`

			`def call(env)`
			`unless accepts? env`
implement NoReferrer 2011-05-25 06:27:18 -04:00			`warn env, "attack prevented by #{self.class}"`
add JSON CSRF protection 2011-06-19 09:26:39 -04:00			`result = react env`
initial commit 2011-05-23 04:07:54 -04:00			`end`
add JSON CSRF protection 2011-06-19 09:26:39 -04:00			`result or app.call(env)`
			`end`

			`def react(env)`
			`result = send(options[:reaction], env)`
			`result if Array === result and result.size == 3`
initial commit 2011-05-23 04:07:54 -04:00			`end`

			`def warn(env, message)`
			`return unless options[:logging]`
			`l = options[:logger] \|\| env['rack.logger'] \|\| ::Logger.new(env['rack.errors'])`
			`l.warn(message)`
			`end`

implement NoReferrer 2011-05-25 06:27:18 -04:00			`def deny(env)`
			`[options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]`
			`end`

implement session hijacking prevention 2011-05-29 07:01:47 -04:00			`def session?(env)`
			`env.include? options[:session_key]`
			`end`

import authenticity token implementation 2011-05-28 11:51:54 -04:00			`def session(env)`
implement session hijacking prevention 2011-05-29 07:01:47 -04:00			`return env[options[:session_key]] if session? env`
			`fail "you need to set up a session middleware before #{self.class}"`
			`end`

			`def drop_session(env)`
			`session(env).clear if session? env`
import authenticity token implementation 2011-05-28 11:51:54 -04:00			`end`

move stuff around, add remote_token protection 2011-05-29 05:45:27 -04:00			`def referrer(env)`
remove NoReferrer, instead, take an option for that 2011-06-20 07:08:39 -04:00			`ref = env['HTTP_REFERER'].to_s`
			`return if !options[:allow_empty_referrer] and ref.empty?`
			`URI.parse(ref).host \|\| Request.new(env).host`
move stuff around, add remote_token protection 2011-05-29 05:45:27 -04:00			`end`

Bypass referer check if Origin header is given 2012-09-05 04:08:09 -04:00			`def origin(env)`
			`env['HTTP_ORIGIN'] \|\| env['HTTP_X_ORIGIN']`
			`end`

import authenticity token implementation 2011-05-28 11:51:54 -04:00			`def random_string(secure = defined? SecureRandom)`
			`secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)`
NotImpelentedError typo fix 2011-11-08 09:44:32 -05:00			`rescue NotImplementedError`
import authenticity token implementation 2011-05-28 11:51:54 -04:00			`random_string false`
			`end`

implement session hijacking prevention 2011-05-29 07:01:47 -04:00			`def encrypt(value)`
			`options[:encryptor].hexdigest value.to_s`
			`end`
default reaction to deny 2011-06-20 03:16:15 -04:00
			`alias default_reaction deny`
initial commit 2011-05-23 04:07:54 -04:00			`end`
			`end`
			`end`