mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
Add cookie tossing protection
Mitigate malicious session cookies set on a subdomain from being read by the parent domain.
This commit is contained in:
parent
3c69609543
commit
cd5028b5c9
4 changed files with 154 additions and 0 deletions
|
@ -73,6 +73,11 @@ Prevented by:
|
||||||
|
|
||||||
* `Rack::Protection::SessionHijacking`
|
* `Rack::Protection::SessionHijacking`
|
||||||
|
|
||||||
|
## Cookie Tossing
|
||||||
|
|
||||||
|
Prevented by:
|
||||||
|
* `Rack::Protection::CookieTossing` (not included by `use Rack::Protection`)
|
||||||
|
|
||||||
## IP Spoofing
|
## IP Spoofing
|
||||||
|
|
||||||
Prevented by:
|
Prevented by:
|
||||||
|
|
|
@ -5,6 +5,7 @@ module Rack
|
||||||
module Protection
|
module Protection
|
||||||
autoload :AuthenticityToken, 'rack/protection/authenticity_token'
|
autoload :AuthenticityToken, 'rack/protection/authenticity_token'
|
||||||
autoload :Base, 'rack/protection/base'
|
autoload :Base, 'rack/protection/base'
|
||||||
|
autoload :CookieTossing, 'rack/protection/cookie_tossing'
|
||||||
autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
|
autoload :ContentSecurityPolicy, 'rack/protection/content_security_policy'
|
||||||
autoload :EscapedParams, 'rack/protection/escaped_params'
|
autoload :EscapedParams, 'rack/protection/escaped_params'
|
||||||
autoload :FormToken, 'rack/protection/form_token'
|
autoload :FormToken, 'rack/protection/form_token'
|
||||||
|
@ -31,6 +32,7 @@ module Rack
|
||||||
Rack::Builder.new do
|
Rack::Builder.new do
|
||||||
# Off by default, unless added
|
# Off by default, unless added
|
||||||
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
||||||
|
use ::Rack::Protection::CookieTossing, options if use_these.include? :cookie_tossing
|
||||||
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
use ::Rack::Protection::ContentSecurityPolicy, options if use_these.include? :content_security_policy
|
||||||
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
use ::Rack::Protection::FormToken, options if use_these.include? :form_token
|
||||||
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
||||||
|
|
73
rack-protection/lib/rack/protection/cookie_tossing.rb
Normal file
73
rack-protection/lib/rack/protection/cookie_tossing.rb
Normal file
|
@ -0,0 +1,73 @@
|
||||||
|
require 'rack/protection'
|
||||||
|
require 'pathname'
|
||||||
|
|
||||||
|
module Rack
|
||||||
|
module Protection
|
||||||
|
##
|
||||||
|
# Prevented attack:: Cookie Tossing
|
||||||
|
# Supported browsers:: all
|
||||||
|
# More infos:: https://github.com/blog/1466-yummy-cookies-across-domains
|
||||||
|
#
|
||||||
|
# Does not accept HTTP requests if the HTTP_COOKIE header contains more than one
|
||||||
|
# session cookie. This does not protect against a cookie overflow attack.
|
||||||
|
#
|
||||||
|
# Options:
|
||||||
|
#
|
||||||
|
# session_key:: The name of the session cookie (default: 'rack.session')
|
||||||
|
class CookieTossing < Base
|
||||||
|
default_reaction :deny
|
||||||
|
|
||||||
|
def call(env)
|
||||||
|
status, headers, body = super
|
||||||
|
response = Rack::Response.new(body, status, headers)
|
||||||
|
request = Rack::Request.new(env)
|
||||||
|
remove_bad_cookies(request, response)
|
||||||
|
response.finish
|
||||||
|
end
|
||||||
|
|
||||||
|
def accepts?(env)
|
||||||
|
cookie_header = env['HTTP_COOKIE']
|
||||||
|
cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
|
||||||
|
cookies.each do |k, v|
|
||||||
|
if k == session_key && Array(v).size > 1
|
||||||
|
bad_cookies << k
|
||||||
|
elsif k != session_key && Rack::Utils.unescape(k) == session_key
|
||||||
|
bad_cookies << k
|
||||||
|
end
|
||||||
|
end
|
||||||
|
bad_cookies.empty?
|
||||||
|
end
|
||||||
|
|
||||||
|
def remove_bad_cookies(request, response)
|
||||||
|
bad_cookies.each do |name|
|
||||||
|
cookie_paths(request.path).each { |path| response.set_cookie name, empty_cookie(request.host, path) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def redirect(env)
|
||||||
|
request = Request.new(env)
|
||||||
|
warn env, "attack prevented by #{self.class}"
|
||||||
|
[302, {'Content-Type' => 'text/html', 'Location' => request.path}, []]
|
||||||
|
end
|
||||||
|
|
||||||
|
def bad_cookies
|
||||||
|
@bad_cookies ||= []
|
||||||
|
end
|
||||||
|
|
||||||
|
def cookie_paths(path)
|
||||||
|
path = '/' if path.to_s.empty?
|
||||||
|
paths = []
|
||||||
|
Pathname.new(path).descend { |p| paths << p.to_s }
|
||||||
|
paths
|
||||||
|
end
|
||||||
|
|
||||||
|
def empty_cookie(host, path)
|
||||||
|
{:value => '', :domain => host, :path => path, :expires => Time.at(0)}
|
||||||
|
end
|
||||||
|
|
||||||
|
def session_key
|
||||||
|
@session_key ||= options[:session_key]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,74 @@
|
||||||
|
describe Rack::Protection::CookieTossing do
|
||||||
|
it_behaves_like "any rack application"
|
||||||
|
|
||||||
|
context 'with default reaction' do
|
||||||
|
before(:each) do
|
||||||
|
mock_app do
|
||||||
|
use Rack::Protection::CookieTossing
|
||||||
|
run DummyApp
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'accepts requests with a single session cookie' do
|
||||||
|
get '/', {}, 'HTTP_COOKIE' => 'rack.session=SESSION_TOKEN'
|
||||||
|
expect(last_response).to be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'denies requests with duplicate session cookies' do
|
||||||
|
get '/', {}, 'HTTP_COOKIE' => 'rack.session=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN'
|
||||||
|
expect(last_response).not_to be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'denies requests with sneaky encoded session cookies' do
|
||||||
|
get '/', {}, 'HTTP_COOKIE' => 'rack.session=EVIL_SESSION_TOKEN; rack.%73ession=SESSION_TOKEN'
|
||||||
|
expect(last_response).not_to be_ok
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'adds the correct Set-Cookie header' do
|
||||||
|
get '/some/path', {}, 'HTTP_COOKIE' => 'rack.%73ession=EVIL_SESSION_TOKEN; rack.session=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN'
|
||||||
|
|
||||||
|
expected_header = <<-END.chomp
|
||||||
|
rack.%2573ession=; domain=example.org; path=/; expires=Thu, 01 Jan 1970 00:00:00 -0000
|
||||||
|
rack.%2573ession=; domain=example.org; path=/some; expires=Thu, 01 Jan 1970 00:00:00 -0000
|
||||||
|
rack.%2573ession=; domain=example.org; path=/some/path; expires=Thu, 01 Jan 1970 00:00:00 -0000
|
||||||
|
rack.session=; domain=example.org; path=/; expires=Thu, 01 Jan 1970 00:00:00 -0000
|
||||||
|
rack.session=; domain=example.org; path=/some; expires=Thu, 01 Jan 1970 00:00:00 -0000
|
||||||
|
rack.session=; domain=example.org; path=/some/path; expires=Thu, 01 Jan 1970 00:00:00 -0000
|
||||||
|
END
|
||||||
|
expect(last_response.headers['Set-Cookie']).to eq(expected_header)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with redirect reaction' do
|
||||||
|
before(:each) do
|
||||||
|
mock_app do
|
||||||
|
use Rack::Protection::CookieTossing, :reaction => :redirect
|
||||||
|
run DummyApp
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'redirects requests with duplicate session cookies' do
|
||||||
|
get '/', {}, 'HTTP_COOKIE' => 'rack.session=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN'
|
||||||
|
expect(last_response).to be_redirect
|
||||||
|
expect(last_response.location).to eq('/')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'redirects requests with sneaky encoded session cookies' do
|
||||||
|
get '/path', {}, 'HTTP_COOKIE' => 'rack.%73ession=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN'
|
||||||
|
expect(last_response).to be_redirect
|
||||||
|
expect(last_response.location).to eq('/path')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with custom session key' do
|
||||||
|
it 'denies requests with duplicate session cookies' do
|
||||||
|
mock_app do
|
||||||
|
use Rack::Protection::CookieTossing, :session_key => '_session'
|
||||||
|
run DummyApp
|
||||||
|
end
|
||||||
|
|
||||||
|
get '/', {}, 'HTTP_COOKIE' => '_session=EVIL_SESSION_TOKEN; _session=SESSION_TOKEN'
|
||||||
|
expect(last_response).not_to be_ok
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue