From 2c72ef1ad35d34ae0ed6489f80f8a85c1fea6551 Mon Sep 17 00:00:00 2001
From: Jason Lee
Date: Mon, 2 Nov 2015 16:59:42 +0800
Subject: [PATCH] Add expire time, for protect Rails CookieSession Replay Attack. version 0.2.4
---
 CHANGELOG.md | 5 +++++
 Gemfile.lock | 2 +-
 lib/rucaptcha/controller_helpers.rb | 10 +++++++++-
 lib/rucaptcha/version.rb | 2 +-
 spec/controller_helpers_spec.rb | 11 +++++++++++
 5 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3228984..ebba834 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+0.2.2
+-----
+
+- Add `session[:_rucaptcha]` expire time, for protect Rails CookieSession Replay Attack.
+
 0.2.3
 -----
diff --git a/Gemfile.lock b/Gemfile.lock
index 4cbba90..9bc0843 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- rucaptcha (0.2.3)
+ rucaptcha (0.2.4)
 posix-spawn (>= 0.3.0)
 GEM
diff --git a/lib/rucaptcha/controller_helpers.rb b/lib/rucaptcha/controller_helpers.rb
index ac669c2..0844239 100644
--- a/lib/rucaptcha/controller_helpers.rb
+++ b/lib/rucaptcha/controller_helpers.rb
@@ -7,11 +7,19 @@ module RuCaptcha
 end
 def generate_rucaptcha
- session[:_rucaptcha] = RuCaptcha::Captcha.random_chars
+ session[:_rucaptcha] = RuCaptcha::Captcha.random_chars
+ session[:rucaptcha_at] = Time.now.to_i
+ RuCaptcha::Captcha.create(session[:_rucaptcha])
 end
 def verify_rucaptcha?(resource = nil)
+ rucaptcha_at = session[:_rucaptcha_at].to_i
+ # Captcha chars in Session expire in 2 minutes
+ if rucaptcha_at.blank? || (Time.now.to_i - rucaptcha_at) > 120
+ return false
+ end
+
 right = params[:_rucaptcha].present? && session[:_rucaptcha].present? && params[:_rucaptcha].downcase.strip == session[:_rucaptcha]
 if resource && resource.respond_to?(:errors)
diff --git a/lib/rucaptcha/version.rb b/lib/rucaptcha/version.rb
index e385031..79c1e9f 100644
--- a/lib/rucaptcha/version.rb
+++ b/lib/rucaptcha/version.rb
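Review bot: The key written in generate_rucaptcha is `session[:rucaptcha_at]`, but verify_rucaptcha? reads `session[:_rucaptcha_at]`, so outside the spec (which assigns `:_rucaptcha_at` by hand) the timestamp is never found and every real verification is rejected as expired. The guard is also partly dead as written: `session[:_rucaptcha_at].to_i` turns a missing key into 0, and `0.blank?` is false under ActiveSupport, so only the `> 120` comparison ever rejects. Change the write to `session[:_rucaptcha_at] = Time.now.to_i` and test presence before converting, e.g. `return false if session[:_rucaptcha_at].blank?` followed by `return false if Time.now.to_i - session[:_rucaptcha_at].to_i > 120`. The expiry only bounds the replay window to 120 s; whether a successfully verified value is removed from the session cannot be seen here because verify_rucaptcha?'s body continues past the hunk, and the literal 120 would read better as a named constant or a RuCaptcha configuration value with a comment stating the unit.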
@@ -1,3 +1,3 @@
 module RuCaptcha
- VERSION = '0.2.3'
+ VERSION = '0.2.4'
 end
diff --git a/spec/controller_helpers_spec.rb b/spec/controller_helpers_spec.rb
index 77beec9..1a3f2f9 100644
--- a/spec/controller_helpers_spec.rb
+++ b/spec/controller_helpers_spec.rb
@@ -24,6 +24,7 @@ describe RuCaptcha do
 describe '.verify_rucaptcha?' do
 context 'Correct chars in params' do
 it 'should work' do
+ simple.session[:_rucaptcha_at] = Time.now.to_i
 simple.session[:_rucaptcha] = 'abcd'
 simple.params[:_rucaptcha] = 'Abcd'
 expect(simple.verify_rucaptcha?).to eq(true)
@@ -34,10 +35,20 @@ describe RuCaptcha do
 describe 'Incorrect chars' do
 it "should work" do
+ simple.session[:_rucaptcha_at] = Time.now.to_i - 60
 simple.session[:_rucaptcha] = 'abcd'
 simple.params[:_rucaptcha] = 'd123'
 expect(simple.verify_rucaptcha?).to eq(false)
 end
 end
+
+ describe 'Expires Session key' do
+ it "should work" do
+ simple.session[:_rucaptcha_at] = Time.now.to_i - 121
+ simple.session[:_rucaptcha] = 'abcd'
+ simple.params[:_rucaptcha] = 'abcd'
+ expect(simple.verify_rucaptcha?).to eq(false)
+ end
+ end
 end
 end
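Review bot: Every example, including the new 'Expires Session key' one, seeds `session[:_rucaptcha_at]` directly, so the suite never runs generate_rucaptcha and would not notice if the key it writes differed from the key verify_rucaptcha? reads. Add an example that calls `simple.generate_rucaptcha` (if the `simple` helper can run it), copies `simple.session[:_rucaptcha]` into `simple.params[:_rucaptcha]`, and expects `simple.verify_rucaptcha?` to be true, plus one that sets `Time.now.to_i - 120` and expects true, to pin the boundary of the `> 120` comparison. The enclosing describe blocks start before the hunk.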