Add expire time, for protect Rails CookieSession Replay Attack. version 0.2.4

2015-11-02 16:59:42 +08:00 · 2015-11-02 16:59:42 +08:00 · 2c72ef1ad3
parent 62f589e9fc
commit 2c72ef1ad3
5 changed files with 27 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,8 @@
+0.2.2
+-----
+
+- Add `session[:_rucaptcha]` expire time, for protect Rails CookieSession Replay Attack.
+
 0.2.3
 -----

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    rucaptcha (0.2.3)
+    rucaptcha (0.2.4)
      posix-spawn (>= 0.3.0)

 GEM
--- a/lib/rucaptcha/controller_helpers.rb
+++ b/lib/rucaptcha/controller_helpers.rb
@ -7,11 +7,19 @@ module RuCaptcha
    end

    def generate_rucaptcha
-      session[:_rucaptcha] = RuCaptcha::Captcha.random_chars
+      session[:_rucaptcha]   = RuCaptcha::Captcha.random_chars
+      session[:rucaptcha_at] = Time.now.to_i
+
      RuCaptcha::Captcha.create(session[:_rucaptcha])
    end

    def verify_rucaptcha?(resource = nil)
+      rucaptcha_at = session[:_rucaptcha_at].to_i
+      # Captcha chars in Session expire in 2 minutes
+      if rucaptcha_at.blank? || (Time.now.to_i - rucaptcha_at) > 120
+        return false
+      end
+
      right = params[:_rucaptcha].present? && session[:_rucaptcha].present? &&
              params[:_rucaptcha].downcase.strip == session[:_rucaptcha]
      if resource && resource.respond_to?(:errors)
--- a/lib/rucaptcha/version.rb
+++ b/lib/rucaptcha/version.rb
@ -1,3 +1,3 @@
 module RuCaptcha
-  VERSION = '0.2.3'
+  VERSION = '0.2.4'
 end
--- a/spec/controller_helpers_spec.rb
+++ b/spec/controller_helpers_spec.rb
@ -24,6 +24,7 @@ describe RuCaptcha do
  describe '.verify_rucaptcha?' do
    context 'Correct chars in params' do
      it 'should work' do
+        simple.session[:_rucaptcha_at] = Time.now.to_i
        simple.session[:_rucaptcha] = 'abcd'
        simple.params[:_rucaptcha] = 'Abcd'
        expect(simple.verify_rucaptcha?).to eq(true)
@ -34,10 +35,20 @@ describe RuCaptcha do

    describe 'Incorrect chars' do
      it "should work" do
+        simple.session[:_rucaptcha_at] = Time.now.to_i - 60
        simple.session[:_rucaptcha] = 'abcd'
        simple.params[:_rucaptcha] = 'd123'
        expect(simple.verify_rucaptcha?).to eq(false)
      end
    end
+
+    describe 'Expires Session key' do
+      it "should work" do
+        simple.session[:_rucaptcha_at] = Time.now.to_i - 121
+        simple.session[:_rucaptcha] = 'abcd'
+        simple.params[:_rucaptcha] = 'abcd'
+        expect(simple.verify_rucaptcha?).to eq(false)
+      end
+    end
  end
 end