add docs to all middleware

2011-05-24 13:23:57 +02:00 · 2011-05-24 13:23:57 +02:00 · d92302670f
parent f341cf7024
commit d92302670f
9 changed files with 88 additions and 8 deletions
--- a/rack-protection/lib/rack/protection/access_control.rb
+++ b/rack-protection/lib/rack/protection/access_control.rb
@ -1,8 +0,0 @@
-require 'rack/protection'
-
-module Rack
-  module Protection
-    class AccessControl < Base
-    end
-  end
-end
--- a/rack-protection/lib/rack/protection/authenticity_token.rb
+++ b/rack-protection/lib/rack/protection/authenticity_token.rb
@ -2,6 +2,17 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session.
+    #
+    # Compatible with Rails and rack-csrf.
+    #
+    # Not Yet Implemented!
    class AuthenticityToken < Base
    end
  end
--- a/rack-protection/lib/rack/protection/escaped_params.rb
+++ b/rack-protection/lib/rack/protection/escaped_params.rb
@ -2,6 +2,16 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   XSS
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_scripting
+    #
+    # Automatically escapes Rack::Request#params so they can be embedded in HTML
+    # or JavaScript without any further issues. Calls +html_safe+ on the escaped
+    # strings if defined, to avoid double-escaping in Rails.
+    #
+    # Not Yet Implemented!
    class EscapedParams < Base
    end
  end
--- a/rack-protection/lib/rack/protection/form_token.rb
+++ b/rack-protection/lib/rack/protection/form_token.rb
@ -2,6 +2,20 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts submitted forms if a given access token matches the token
+    # included in the session. Does not expect such a token from Ajax request.
+    #
+    # This middleware is not used when using the Rack::Protection collection,
+    # since it might be a security issue, depending on your application
+    #
+    # Compatible with Rails and rack-csrf.
+    #
+    # Not Yet Implemented!
    class FormToken < AuthenticityToken
    end
  end
--- a/rack-protection/lib/rack/protection/no_referrer.rb
+++ b/rack-protection/lib/rack/protection/no_referrer.rb
@ -2,6 +2,18 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if the Referer [sic] header is set.
+    # Combine with RemoteRefferer for optimal security.
+    #
+    # This middleware is not used when using the Rack::Protection collection,
+    # since it renders web services unusable.
+    #
+    # Not Yet Implemented!
    class NoReferrer < Base
    end
  end
--- a/rack-protection/lib/rack/protection/path_traversal.rb
+++ b/rack-protection/lib/rack/protection/path_traversal.rb
@ -2,6 +2,15 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   Directory traversal
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Directory_traversal
+    #
+    # Unescapes '/' and '.', expands +path_info+.
+    # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
+    #
+    # Not Yet Implemented!
    class PathTraversal < Base
    end
  end
--- a/rack-protection/lib/rack/protection/remote_referrer.rb
+++ b/rack-protection/lib/rack/protection/remote_referrer.rb
@ -2,6 +2,18 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Does not accept unsafe HTTP requests if the Referer [sic] header is set to
+    # a different host.
+    #
+    # Combine with NoReferrer to also block remote requests from non-HTTP pages
+    # (FTP/HTTPS/...).
+    #
+    # Not Yet Implemented!
    class RemoteReferrer < Base
    end
  end
--- a/rack-protection/lib/rack/protection/remote_token.rb
+++ b/rack-protection/lib/rack/protection/remote_token.rb
@ -2,6 +2,17 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   CSRF
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Only accepts unsafe HTTP requests if a given access token matches the token
+    # included in the session *or* the request comes from the same origin.
+    #
+    # Compatible with Rails and rack-csrf.
+    #
+    # Not Yet Implemented!
    class RemoteToken < AuthenticityToken
    end
  end
--- a/rack-protection/lib/rack/protection/session_hihacking.rb
+++ b/rack-protection/lib/rack/protection/session_hihacking.rb
@ -2,6 +2,15 @@ require 'rack/protection'

 module Rack
  module Protection
+    ##
+    # Prevented attack::   Session Hijacking
+    # Supported browsers:: all
+    # More infos::         http://en.wikipedia.org/wiki/Session_hijacking
+    #
+    # Tracks request properties like the user agent in the session and empties
+    # the session if those properties change.
+    #
+    # Not Yet Implemented!
    class SessionHijacking < Base
    end
  end