diff --git a/CHANGELOG.md b/CHANGELOG.md index 3228984..ebba834 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +0.2.2 +----- + +- Add `session[:_rucaptcha]` expire time, for protect Rails CookieSession Replay Attack. + 0.2.3 ----- diff --git a/Gemfile.lock b/Gemfile.lock index 4cbba90..9bc0843 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - rucaptcha (0.2.3) + rucaptcha (0.2.4) posix-spawn (>= 0.3.0) GEM diff --git a/lib/rucaptcha/controller_helpers.rb b/lib/rucaptcha/controller_helpers.rb index ac669c2..0844239 100644 --- a/lib/rucaptcha/controller_helpers.rb +++ b/lib/rucaptcha/controller_helpers.rb @@ -7,11 +7,19 @@ module RuCaptcha end def generate_rucaptcha - session[:_rucaptcha] = RuCaptcha::Captcha.random_chars + session[:_rucaptcha] = RuCaptcha::Captcha.random_chars + session[:rucaptcha_at] = Time.now.to_i + RuCaptcha::Captcha.create(session[:_rucaptcha]) end def verify_rucaptcha?(resource = nil) + rucaptcha_at = session[:_rucaptcha_at].to_i + # Captcha chars in Session expire in 2 minutes + if rucaptcha_at.blank? || (Time.now.to_i - rucaptcha_at) > 120 + return false + end + right = params[:_rucaptcha].present? && session[:_rucaptcha].present? && params[:_rucaptcha].downcase.strip == session[:_rucaptcha] if resource && resource.respond_to?(:errors) diff --git a/lib/rucaptcha/version.rb b/lib/rucaptcha/version.rb index e385031..79c1e9f 100644 --- a/lib/rucaptcha/version.rb +++ b/lib/rucaptcha/version.rb @@ -1,3 +1,3 @@ module RuCaptcha - VERSION = '0.2.3' + VERSION = '0.2.4' end diff --git a/spec/controller_helpers_spec.rb b/spec/controller_helpers_spec.rb index 77beec9..1a3f2f9 100644 --- a/spec/controller_helpers_spec.rb +++ b/spec/controller_helpers_spec.rb @@ -24,6 +24,7 @@ describe RuCaptcha do describe '.verify_rucaptcha?' do context 'Correct chars in params' do it 'should work' do + simple.session[:_rucaptcha_at] = Time.now.to_i simple.session[:_rucaptcha] = 'abcd' simple.params[:_rucaptcha] = 'Abcd' expect(simple.verify_rucaptcha?).to eq(true) @@ -34,10 +35,20 @@ describe RuCaptcha do describe 'Incorrect chars' do it "should work" do + simple.session[:_rucaptcha_at] = Time.now.to_i - 60 simple.session[:_rucaptcha] = 'abcd' simple.params[:_rucaptcha] = 'd123' expect(simple.verify_rucaptcha?).to eq(false) end end + + describe 'Expires Session key' do + it "should work" do + simple.session[:_rucaptcha_at] = Time.now.to_i - 121 + simple.session[:_rucaptcha] = 'abcd' + simple.params[:_rucaptcha] = 'abcd' + expect(simple.verify_rucaptcha?).to eq(false) + end + end end end