Class: Rack::Protection::CookieTossing

Inherits:

Base

• Object
• Base
• Rack::Protection::CookieTossing

Defined in:

lib/rack/protection/cookie_tossing.rb

Overview

Prevented attack

Cookie Tossing

Supported browsers

all

More infos

github.com/blog/1466-yummy-cookies-across-domains

Does not accept HTTP requests if the HTTP_COOKIE header contains more than one session cookie. This does not protect against a cookie overflow attack.

Options:

session_key

The name of the session cookie (default: ‘rack.session’)

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary

• #accepts?(env) ⇒ Boolean
• #bad_cookies ⇒ Object
• #call(env) ⇒ Object
• #cookie_paths(path) ⇒ Object
• #empty_cookie(host, path) ⇒ Object
• #redirect(env) ⇒ Object
• #remove_bad_cookies(request, response) ⇒ Object
• #session_key ⇒ Object

Methods inherited from Base

default_options, #default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rack/protection/cookie_tossing.rb', line 30

def accepts?(env)
  cookie_header = env['HTTP_COOKIE']
  cookies = Rack::Utils.parse_query(cookie_header, ';,') { |s| s }
  cookies.each do |k, v|
    if (k == session_key && Array(v).size > 1) ||
       (k != session_key && Rack::Utils.unescape(k) == session_key)
      bad_cookies << k
    end
  end
  bad_cookies.empty?
end

#bad_cookies ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 57

def bad_cookies
  @bad_cookies ||= []
end

#call(env) ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 22

def call(env)
  status, headers, body = super
  response = Rack::Response.new(body, status, headers)
  request = Rack::Request.new(env)
  remove_bad_cookies(request, response)
  response.finish
end

#cookie_paths(path) ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 61

def cookie_paths(path)
  path = '/' if path.to_s.empty?
  paths = []
  Pathname.new(path).descend { |p| paths << p.to_s }
  paths
end

#empty_cookie(host, path) ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 68

def empty_cookie(host, path)
  { value: '', domain: host, path: path, expires: Time.at(0) }
end

#redirect(env) ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 51

def redirect(env)
  request = Request.new(env)
  warn env, "attack prevented by #{self.class}"
  [302, { 'content-type' => 'text/html', 'location' => request.path }, []]
end

#remove_bad_cookies(request, response) ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 42

def remove_bad_cookies(request, response)
  return if bad_cookies.empty?

  paths = cookie_paths(request.path)
  bad_cookies.each do |name|
    paths.each { |path| response.set_cookie name, empty_cookie(request.host, path) }
  end
end

#session_key ⇒ Object

# File 'lib/rack/protection/cookie_tossing.rb', line 72

def session_key
  @session_key ||= options[:session_key]
end