Mitigate BREACH attack

2023-03-27 23:18:01 -04:00 · 2016-08-15 14:35:47 -04:00 · 2016-08-15 14:35:47 -04:00 · aac8e3bce4
commit aac8e3bce4
parent aa1f6f952e
4 changed files with 186 additions and 18 deletions
--- a/rack-protection/spec/lib/rack/protection/authenticity_token_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/authenticity_token_spec.rb
@ -1,4 +1,8 @@
 describe Rack::Protection::AuthenticityToken do
+  let(:token) { described_class.random_token }
+  let(:bad_token) { described_class.random_token }
+  let(:session) { {:csrf => token} }
+
  it_behaves_like "any rack application"

  it "denies post requests without any token" do
@ -6,22 +10,32 @@ describe Rack::Protection::AuthenticityToken do
  end

  it "accepts post requests with correct X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+    post('/', {}, 'rack.session' => session, 'HTTP_X_CSRF_TOKEN' => token)
+    expect(last_response).to be_ok
+  end
+
+  it "accepts post requests with masked X-CSRF-Token header" do
+    post('/', {}, 'rack.session' => session, 'HTTP_X_CSRF_TOKEN' => Rack::Protection::AuthenticityToken.token(session))
    expect(last_response).to be_ok
  end

  it "denies post requests with wrong X-CSRF-Token header" do
-    post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+    post('/', {}, 'rack.session' => session, 'HTTP_X_CSRF_TOKEN' => bad_token)
    expect(last_response).not_to be_ok
  end

  it "accepts post form requests with correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+    post('/', {"authenticity_token" => token}, 'rack.session' => session)
+    expect(last_response).to be_ok
+  end
+
+  it "accepts post form requests with masked authenticity_token field" do
+    post('/', {"authenticity_token" => Rack::Protection::AuthenticityToken.token(session)}, 'rack.session' => session)
    expect(last_response).to be_ok
  end

  it "denies post form requests with wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+    post('/', {"authenticity_token" => bad_token}, 'rack.session' => session)
    expect(last_response).not_to be_ok
  end

@ -35,7 +49,7 @@ describe Rack::Protection::AuthenticityToken do
      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
    end

-    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
+    post('/', {"csrf_param" => token}, 'rack.session' => {:csrf => token})
    expect(last_response).to be_ok
  end

@ -43,4 +57,31 @@ describe Rack::Protection::AuthenticityToken do
    get('/', {}, {})
    expect(env['rack.session'][:csrf]).not_to be_nil
  end
+
+  describe ".random_token" do
+    it "outputs a base64 encoded 32 character string by default" do
+      expect(Base64.strict_decode64(token).length).to eq(32)
+    end
+
+    it "outputs a base64 encoded string of the specified length" do
+      token = described_class.random_token(64)
+      expect(Base64.strict_decode64(token).length).to eq(64)
+    end
+  end
+
+  describe ".mask_token" do
+    it "generates unique masked values for a token" do
+      first_masked_token =  described_class.mask_token(token)
+      second_masked_token = described_class.mask_token(token)
+      expect(first_masked_token).not_to eq(second_masked_token)
+    end
+  end
+
+  describe ".unmask_decoded_token" do
+    it "unmasks a token to its original decoded value" do
+      masked_token = described_class.decode_token(described_class.mask_token(token))
+      unmasked_token = described_class.unmask_decoded_token(masked_token)
+      expect(unmasked_token).to eq(described_class.decode_token(token))
+    end
+  end
 end