# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/components/interface' module Contrast module Framework module Rack module Patch # Our patch into the Rack::Session::Cookie Class, allowing for the # runtime detection of insecure configurations on individual cookies # within the application class SessionCookie include Contrast::Components::Interface access_component :agent, :analysis, :logging, :scope CS__SECURE_RULE_NAME = 'secure-flag-missing' CS__HTTPONLY_NAME = 'rails-http-only-disabled' CS__SESSION_TIMEOUT_NAME = 'session-timeout' SAFE_SESSION_TIMEOUT = (30 * 60 * 60) class << self include Contrast::Utils::InvalidConfigurationUtil def instrument @_instrument ||= begin ::Rack::Session::Cookie.class_eval do alias_method :cs__patched_initialize, :initialize def initialize app, options = {} Contrast::Framework::Rack::Patch::SessionCookie.analyze(options) cs__patched_initialize(app, options) end end true end end def analyze options return unless AGENT.enabled? return if PROTECT.enabled? apply_session_timeout(options) apply_httponly(options) apply_secure_session(options) end private def vulnerable_setting?(setting_key, safe_settings_value, options, safe_default: true, comparison_type: nil) # In most cases, Rack is pretty nice and the default value is safe return !safe_default unless options&.key?(setting_key) value = options[setting_key] return value.to_i > safe_settings_value.to_i if comparison_type&.to_sym == :greater_than value != safe_settings_value end def apply_secure_session options return unless vulnerable_setting?( :secure, true, options, safe_default: false) cs__report_finding( CS__SECURE_RULE_NAME, options, caller_locations(10, 9)[0]) rescue StandardError => e begin logger.error('Unable to track call to secure session', e) rescue StandardError nil end end def apply_session_timeout options return unless vulnerable_setting?(:expire_after, SAFE_SESSION_TIMEOUT, options, safe_default: false, comparison_type: :greater_than) cs__report_finding( CS__SESSION_TIMEOUT_NAME, options, caller_locations(10, 9)[0]) rescue StandardError => e begin logger.error('Unable to track call to set session timeout', e) rescue StandardError nil end end def apply_httponly options return unless vulnerable_setting?(:httponly, true, options) cs__report_finding( CS__HTTPONLY_NAME, options, caller_locations(10, 9)[0]) rescue StandardError => e begin logger.error('Unable to track call to httponly', e) rescue StandardError nil end end end end end end end end