Add expire time to protect against Rails CookieSession replay attacks. Version 0.2.4

This commit is contained in:
Jason Lee 2015-11-02 16:59:42 +08:00
parent 62f589e9fc
commit 2c72ef1ad3
5 changed files with 27 additions and 3 deletions


@ -1,3 +1,8 @@
0.2.2
-----
- Add `session[:_rucaptcha]` expire time, for protect Rails CookieSession Replay Attack.
0.2.3 0.2.3
----- -----


@ -1,7 +1,7 @@
PATH PATH
remote: . remote: .
specs: specs:
rucaptcha (0.2.3) rucaptcha (0.2.4)
posix-spawn (>= 0.3.0) posix-spawn (>= 0.3.0)
GEM GEM


@ -8,10 +8,18 @@ module RuCaptcha
def generate_rucaptcha def generate_rucaptcha
session[:_rucaptcha] = RuCaptcha::Captcha.random_chars session[:_rucaptcha] = RuCaptcha::Captcha.random_chars
session[:rucaptcha_at] = Time.now.to_i
RuCaptcha::Captcha.create(session[:_rucaptcha]) RuCaptcha::Captcha.create(session[:_rucaptcha])
end end
def verify_rucaptcha?(resource = nil) def verify_rucaptcha?(resource = nil)
rucaptcha_at = session[:_rucaptcha_at].to_i
# Captcha chars in Session expire in 2 minutes
if rucaptcha_at.blank? || (Time.now.to_i - rucaptcha_at) > 120
return false
end
right = params[:_rucaptcha].present? && session[:_rucaptcha].present? && right = params[:_rucaptcha].present? && session[:_rucaptcha].present? &&
params[:_rucaptcha].downcase.strip == session[:_rucaptcha] params[:_rucaptcha].downcase.strip == session[:_rucaptcha]
if resource && resource.respond_to?(:errors) if resource && resource.respond_to?(:errors)
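Review bot: The timestamp is stored under `session[:rucaptcha_at]` in generate_rucaptcha but read from `session[:_rucaptcha_at]` in verify_rucaptcha?, so on a real request the lookup returns nil, `.to_i` turns it into 0, and `Time.now.to_i - 0 > 120` rejects every captcha even though the specs (which seed `_rucaptcha_at` by hand) pass. The `rucaptcha_at.blank?` test is also dead once `.to_i` has run, because an Integer is never blank; read the raw value first and convert after the presence check: `rucaptcha_at = session[:_rucaptcha_at]` then `return false if rucaptcha_at.blank? || (Time.now.to_i - rucaptcha_at.to_i) > 120`, and fix the writer to `session[:_rucaptcha_at] = Time.now.to_i`. The literal 120 would read better as a named constant such as `CAPTCHA_EXPIRES_IN = 120` with the "expire in 2 minutes" comment moved next to it. Note that expiry only bounds the replay window: unless the rest of verify_rucaptcha? (which continues past the hunk) discards `session[:_rucaptcha]` once it has been checked, the same value is still accepted for repeated attempts within those two minutes, so clearing the key after a check is the complementary mitigation.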


@ -1,3 +1,3 @@
module RuCaptcha module RuCaptcha
VERSION = '0.2.3' VERSION = '0.2.4'
end end


@ -24,6 +24,7 @@ describe RuCaptcha do
describe '.verify_rucaptcha?' do describe '.verify_rucaptcha?' do
context 'Correct chars in params' do context 'Correct chars in params' do
it 'should work' do it 'should work' do
simple.session[:_rucaptcha_at] = Time.now.to_i
simple.session[:_rucaptcha] = 'abcd' simple.session[:_rucaptcha] = 'abcd'
simple.params[:_rucaptcha] = 'Abcd' simple.params[:_rucaptcha] = 'Abcd'
expect(simple.verify_rucaptcha?).to eq(true) expect(simple.verify_rucaptcha?).to eq(true)
@ -34,10 +35,20 @@ describe RuCaptcha do
describe 'Incorrect chars' do describe 'Incorrect chars' do
it "should work" do it "should work" do
simple.session[:_rucaptcha_at] = Time.now.to_i - 60
simple.session[:_rucaptcha] = 'abcd' simple.session[:_rucaptcha] = 'abcd'
simple.params[:_rucaptcha] = 'd123' simple.params[:_rucaptcha] = 'd123'
expect(simple.verify_rucaptcha?).to eq(false) expect(simple.verify_rucaptcha?).to eq(false)
end end
end end
describe 'Expires Session key' do
it "should work" do
simple.session[:_rucaptcha_at] = Time.now.to_i - 121
simple.session[:_rucaptcha] = 'abcd'
simple.params[:_rucaptcha] = 'abcd'
expect(simple.verify_rucaptcha?).to eq(false)
end
end
end end
end end
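Review bot: Every new case seeds `simple.session[:_rucaptcha_at]` directly, so the suite never exercises the path that actually writes the timestamp in generate_rucaptcha and cannot notice a mismatch between the key it writes and the key verify_rucaptcha? reads. A case that calls `simple.generate_rucaptcha` (stubbing `RuCaptcha::Captcha.create` if it spawns an external process) and then verifies with the generated chars would close that gap. Two further boundary cases are worth adding: a session with no `_rucaptcha_at` at all, which should yield `false` so that sessions issued before this change cannot be replayed indefinitely, and a timestamp exactly 120 seconds old, which per the "expire in 2 minutes" comment should still be accepted. The `simple` helper and the enclosing describe block are defined outside this hunk.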