# frozen-string-literal: true require 'openssl' begin OpenSSL::Cipher.new("aes-256-ctr") rescue OpenSSL::Cipher::CipherError # :nocov: raise LoadError, "Roda sessions plugin requires the aes-256-ctr cipher" # :nocov: end require 'base64' require 'json' require 'securerandom' require 'zlib' require 'rack/utils' class Roda module RodaPlugins # The sessions plugin adds support for sessions using cookies. It is the recommended # way to support sessions in Roda applications. # # The session cookies are encrypted with AES-256-CTR using a separate encryption key per cookie, # and then signed with HMAC-SHA-256. By default, session data is padded to reduce information # leaked based on the session size. # # Sessions are serialized via JSON, so session information should only store data that # allows roundtrips via JSON (String, Integer, Float, Array, Hash, true, false, and nil). # In particular, note that Symbol does not round trip via JSON, so symbols should not be # used in sessions when this plugin is used. This plugin sets the # +:sessions_convert_symbols+ application option to +true+ if it hasn't been set yet, # for better integration with plugins that can use either symbol or string session or # flash keys. Unlike Rack::Session::Cookie, the session is stored as a plain ruby hash, # and does not convert all keys to strings. # # All sessions are timestamped and session expiration is enabled by default, with sessions # being valid for 30 days maximum and 7 days since last use by default. Session creation time is # reset whenever the session is empty when serialized and also whenever +clear_session+ # is called while processing the request. # # Session secrets can be rotated. See options below. # # The sessions plugin can transparently upgrade sessions from Rack::Session::Cookie # if the default Rack::Session::Cookie coder and HMAC are used, see options below. # It is recommended to only enable transparent upgrades for a brief transition period, # and remove support for them once old sessions have converted or timed out. # # If the final cookie is too large (>=4096 bytes), a Roda::RodaPlugins::Sessions::CookieTooLarge # exception will be raised. # # = Required Options # # The session cookies this plugin uses are both encrypted and signed, so two separate # secrets are used internally. However, for ease of use, these secrets are combined into # a single +:secret+ option. The +:secret+ option must be a string of at least 64 bytes # and should be randomly generated. The first 32 bytes are used as the secret for the # cipher, any remaining bytes are used for the secret for the HMAC. # # = Other Options # # :cookie_options :: Any cookie options to set on the session cookie. By default, uses # httponly: true, path: '/', same_site: :lax so that the cookie is not accessible # to javascript, allowed for all paths, and will not be used for cross-site non-GET requests # that. If the +:secure+ option is not present in the hash, then # secure: true is also set if the request is made over HTTPS. If this option is # given, it will be merged into the default cookie options. # :gzip_over :: For session data over this many bytes, compress it with the deflate algorithm (default: nil, # so never compress). Note that compression should not be enabled if you are storing data in # the session derived from user input and also storing sensitive data in the session. # :key :: The cookie name to use (default: 'roda.session') # :max_seconds :: The maximum number of seconds to allow for total session lifetime, starting with when # the session was originally created. Default is 86400*30 (30 days). Can be set to # +nil+ to disable session lifetime checks. # :max_idle_seconds :: The maximum number of seconds to allow since the session was last updated. # Default is 86400*7 (7 days). Can be set to nil to disable session idleness # checks. # :old_secret :: The previous secret to use, allowing for secret rotation. Must be a string of at least 64 # bytes if given. # :pad_size :: Pad session data (after possible compression, before encryption), to a multiple of this # many bytes (default: 32). This can be between 2-4096 bytes, or +nil+ to disable padding. # :per_cookie_cipher_secret :: Uses a separate cipher key for every cookie, with the key used generated using # HMAC-SHA-256 of 32 bytes of random data with the default cipher secret. This # offers additional protection in case the random initialization vector used when # encrypting the session data has been reused. Odds of that are 1 in 2**64 if # initialization vector is truly random, but weaknesses in the random number # generator could make the odds much higher. Default is +true+. # :parser :: The parser for the serialized session data (default: JSON.method(:parse)). # :serializer :: The serializer for the session data (default +:to_json.to_proc+). # :skip_within :: If the last update time for the session cookie is less than this number of seconds from the # current time, and the session has not been modified, do not set a new session cookie # (default: 3600). # :upgrade_from_rack_session_cookie_key :: The cookie name to use for transparently upgrading from # Rack::Session:Cookie (defaults to 'rack.session'). # :upgrade_from_rack_session_cookie_secret :: The secret for the HMAC-SHA1 signature when allowing # transparent upgrades from Rack::Session::Cookie. Using this # option is only recommended during a short transition period, # and is not enabled by default as it lowers security. # :upgrade_from_rack_session_cookie_options :: Options to pass when deleting the cookie used by # Rack::Session::Cookie after converting it to use the session # cookies used by this plugin. # # = Not a Rack Middleware # # Unlike some other approaches to sessions, the sessions plugin does not use # a rack middleware, so session information is not available to other rack middleware, # only to the application itself, with the session not being loaded from the cookie # until the +session+ method is called. # # If you need rack middleware to access the session information, then # require 'roda/session_middleware' and use RodaSessionMiddleware. # RodaSessionMiddleware passes the options given to this plugin. # # = Session Cookie Cryptography/Format # # Session cookies created by this plugin by default use the following format: # # urlsafe_base64("\1" + random_data + IV + encrypted session data + HMAC) # # If +:per_cookie_cipher_secret+ option is set to +false+, an older format is used: # # urlsafe_base64("\0" + IV + encrypted session data + HMAC) # # where: # # version :: 1 byte, currently must be 1 or 0, other values reserved for future expansion. # random_data :: 32 bytes, used for generating the per-cookie secret # IV :: 16 bytes, initialization vector for AES-256-CTR cipher. # encrypted session data :: >=12 bytes of data encrypted with AES-256-CTR cipher, see below. # HMAC :: 32 bytes, HMAC-SHA-256 of all preceding data plus cookie key (so that a cookie value # for a different key cannot be used even if the secret is the same). # # The encrypted session data uses the following format: # # bitmap + creation time + update time + padding + serialized data # # where: # # bitmap :: 2 bytes in little endian format, lower 12 bits storing number of padding # bytes, 13th bit storing whether serialized data is compressed with deflate. # Bits 14-16 reserved for future expansion. # creation time :: 4 byte integer in unsigned little endian format, storing unix timestamp # since session initially created. # update time :: 4 byte integer in unsigned little endian format, storing unix timestamp # since session last updated. # padding :: >=0 padding bytes specified in bitmap, filled with random data, can be ignored. # serialized data :: >=2 bytes of serialized data in JSON format. If the bitmap indicates # deflate compression, this contains the deflate compressed data. module Sessions DEFAULT_COOKIE_OPTIONS = {:httponly=>true, :path=>'/'.freeze, :same_site=>:lax}.freeze DEFAULT_OPTIONS = {:key => 'roda.session'.freeze, :max_seconds=>86400*30, :max_idle_seconds=>86400*7, :pad_size=>32, :gzip_over=>nil, :skip_within=>3600}.freeze DEFLATE_BIT = 0x1000 PADDING_MASK = 0x0fff SESSION_CREATED_AT = 'roda.session.created_at'.freeze SESSION_UPDATED_AT = 'roda.session.updated_at'.freeze SESSION_SERIALIZED = 'roda.session.serialized'.freeze SESSION_VERSION_NUM = 'roda.session.version'.freeze SESSION_DELETE_RACK_COOKIE = 'roda.session.delete_rack_session_cookie'.freeze # Exception class used when creating a session cookie that would exceed the # allowable cookie size limit. class CookieTooLarge < RodaError end # Split given secret into a cipher secret and an hmac secret. def self.split_secret(name, secret) raise RodaError, "sessions plugin :#{name} option must be a String" unless secret.is_a?(String) raise RodaError, "invalid sessions plugin :#{name} option length: #{secret.bytesize}, must be >=64" unless secret.bytesize >= 64 hmac_secret = secret = secret.dup.force_encoding('BINARY') cipher_secret = secret.slice!(0, 32) [cipher_secret.freeze, hmac_secret.freeze] end # Configure the plugin, see Sessions for details on options. def self.configure(app, opts=OPTS) opts = (app.opts[:sessions] || DEFAULT_OPTIONS).merge(opts) co = opts[:cookie_options] = DEFAULT_COOKIE_OPTIONS.merge(opts[:cookie_options] || OPTS).freeze opts[:remove_cookie_options] = co.merge(:max_age=>'0', :expires=>Time.at(0)) opts[:parser] ||= app.opts[:json_parser] || JSON.method(:parse) opts[:serializer] ||= app.opts[:json_serializer] || :to_json.to_proc opts[:per_cookie_cipher_secret] = true unless opts.has_key?(:per_cookie_cipher_secret) opts[:session_version_num] = opts[:per_cookie_cipher_secret] ? 1 : 0 if opts[:upgrade_from_rack_session_cookie_secret] opts[:upgrade_from_rack_session_cookie_key] ||= 'rack.session' rsco = opts[:upgrade_from_rack_session_cookie_options] = Hash[opts[:upgrade_from_rack_session_cookie_options] || OPTS] rsco[:path] ||= co[:path] rsco[:domain] ||= co[:domain] end opts[:cipher_secret], opts[:hmac_secret] = split_secret(:secret, opts[:secret]) opts[:old_cipher_secret], opts[:old_hmac_secret] = (split_secret(:old_secret, opts[:old_secret]) if opts[:old_secret]) case opts[:pad_size] when nil # no changes when Integer raise RodaError, "invalid :pad_size: #{opts[:pad_size]}, must be >=2, < 4096" unless opts[:pad_size] >= 2 && opts[:pad_size] < 4096 else raise RodaError, "invalid :pad_size option: #{opts[:pad_size].inspect}, must be Integer or nil" end app.opts[:sessions] = opts.freeze app.opts[:sessions_convert_symbols] = true unless app.opts.has_key?(:sessions_convert_symbols) end module InstanceMethods # Clear data from the session, and update the request environment # so that the session cookie will use a new creation timestamp # instead of the previous creation timestamp. def clear_session session.clear env.delete(SESSION_CREATED_AT) env.delete(SESSION_UPDATED_AT) nil end private # If session information has been set in the request environment, # update the rack response headers to set the session cookie in # the response. def _roda_after_50__sessions(res) if res && (session = env['rack.session']) @_request.persist_session(res[1], session) end end end module RequestMethods # Load the session information from the cookie. With the sessions # plugin, you must call this method to get the session, instead of # trying to access the session directly through the request environment. # For maximum compatibility with other software that uses rack sessions, # this method stores the session in 'rack.session' in the request environment, # but that does not happen until this method is called. def session @env['rack.session'] ||= _load_session end # The time the session was originally created. nil if there is no active session. def session_created_at session Time.at(@env[SESSION_CREATED_AT]) if @env[SESSION_SERIALIZED] end # The time the session was last updated. nil if there is no active session. def session_updated_at session Time.at(@env[SESSION_UPDATED_AT]) if @env[SESSION_SERIALIZED] end # Persist the session data as a cookie. If transparently upgrading from # Rack::Session::Cookie, mark the related cookie for expiration so it isn't # sent in the future. def persist_session(headers, session) opts = roda_class.opts[:sessions] if session.empty? if env[SESSION_SERIALIZED] # If session was submitted and is now empty, remove the cookie Rack::Utils.delete_cookie_header!(headers, opts[:key], opts[:remove_cookie_options]) # else # If no session was submitted, and the session is empty # then there is no need to do anything end elsif cookie_value = _serialize_session(session) cookie = Hash[opts[:cookie_options]] cookie[:value] = cookie_value cookie[:secure] = true if !cookie.has_key?(:secure) && ssl? Rack::Utils.set_cookie_header!(headers, opts[:key], cookie) end if env[SESSION_DELETE_RACK_COOKIE] Rack::Utils.delete_cookie_header!(headers, opts[:upgrade_from_rack_session_cookie_key], opts[:upgrade_from_rack_session_cookie_options]) end nil end private # Load the session by looking for the appropriate cookie, or falling # back to the rack session cookie if configured. def _load_session opts = roda_class.opts[:sessions] cs = cookies if data = cs[opts[:key]] _deserialize_session(data) elsif (key = opts[:upgrade_from_rack_session_cookie_key]) && (data = cs[key]) _deserialize_rack_session(data) end || {} end # If 'rack.errors' is set, write the error message to it. # This is used for errors that shouldn't be raised as exceptions, # such as improper session cookies. def _session_serialization_error(msg) return unless error_stream = @env['rack.errors'] error_stream.puts(msg) nil end # Interpret given cookie data as a Rack::Session::Cookie # serialized session using the default Rack::Session::Cookie # hmac and coder. def _deserialize_rack_session(data) opts = roda_class.opts[:sessions] data, digest = data.split("--", 2) unless digest return _session_serialization_error("Not decoding Rack::Session::Cookie session: invalid format") end unless Rack::Utils.secure_compare(digest, OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, opts[:upgrade_from_rack_session_cookie_secret], data)) return _session_serialization_error("Not decoding Rack::Session::Cookie session: HMAC invalid") end begin session = Marshal.load(data.unpack('m').first) rescue return _session_serialization_error("Error decoding Rack::Session::Cookie session: not base64 encoded marshal dump") end # Mark rack session cookie for deletion on success env[SESSION_DELETE_RACK_COOKIE] = true # Delete the session id before serializing it. Starting in rack 2.0.8, # this is an object and not just a string, and calling to_s on it raises # a RuntimeError. session.delete("session_id") # Convert the rack session by roundtripping it through # the parser and serializer, so that you would get the # same result as you would if the session was handled # by this plugin. env[SESSION_SERIALIZED] = data = opts[:serializer].call(session) env[SESSION_CREATED_AT] = Time.now.to_i opts[:parser].call(data) end # Interpret given cookie data as a Rack::Session::Cookie def _deserialize_session(data) opts = roda_class.opts[:sessions] begin data = Base64.urlsafe_decode64(data) rescue ArgumentError return _session_serialization_error("Unable to decode session: invalid base64") end case version = data.getbyte(0) when 1 per_cookie_secret = true # minimum length (1+32+16+12+32) (version+random_data+cipher_iv+minimum session+hmac) # 1 : version # 32 : random_data (if per_cookie_cipher_secret) # 16 : cipher_iv # 12 : minimum_session # 2 : bitmap for gzip + padding info # 4 : creation time # 4 : update time # 2 : data # 32 : HMAC-SHA-256 min_data_length = 93 when 0 per_cookie_secret = false # minimum length (1+16+12+32) (version+cipher_iv+minimum session+hmac) min_data_length = 61 when nil return _session_serialization_error("Unable to decode session: no data") else return _session_serialization_error("Unable to decode session: version marker unsupported") end length = data.bytesize if data.length < min_data_length return _session_serialization_error("Unable to decode session: data too short") end encrypted_data = data.slice!(0, length-32) unless Rack::Utils.secure_compare(data, OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, opts[:hmac_secret], encrypted_data+opts[:key])) if opts[:old_hmac_secret] && Rack::Utils.secure_compare(data, OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, opts[:old_hmac_secret], encrypted_data+opts[:key])) use_old_cipher_secret = true else return _session_serialization_error("Not decoding session: HMAC invalid") end end # Remove version encrypted_data.slice!(0) cipher_secret = opts[use_old_cipher_secret ? :old_cipher_secret : :cipher_secret] if per_cookie_secret cipher_secret = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, cipher_secret, encrypted_data.slice!(0, 32)) end cipher_iv = encrypted_data.slice!(0, 16) cipher = OpenSSL::Cipher.new("aes-256-ctr") # Not rescuing cipher errors. If there is an error in the decryption, that's # either a bug in the plugin that needs to be fixed, or an attacker is already # able to forge a valid HMAC, in which case the error should be raised to # alert the application owner about the problem. cipher.decrypt cipher.key = cipher_secret cipher.iv = cipher_iv data = cipher.update(encrypted_data) << cipher.final bitmap, created_at, updated_at = data.unpack('vVV') padding_bytes = bitmap & PADDING_MASK now = Time.now.to_i if (max = opts[:max_seconds]) && now > created_at + max return _session_serialization_error("Not returning session: maximum session time expired") end if (max = opts[:max_idle_seconds]) && now > updated_at + max return _session_serialization_error("Not returning session: maximum session idle time expired") end data = data.slice(10+padding_bytes, data.bytesize) if bitmap & DEFLATE_BIT > 0 data = Zlib::Inflate.inflate(data) end env = @env env[SESSION_CREATED_AT] = created_at env[SESSION_UPDATED_AT] = updated_at env[SESSION_SERIALIZED] = data env[SESSION_VERSION_NUM] = version opts[:parser].call(data) end def _serialize_session(session) opts = roda_class.opts[:sessions] env = @env now = Time.now.to_i json_data = opts[:serializer].call(session).force_encoding('BINARY') if (serialized_session = env[SESSION_SERIALIZED]) && (opts[:session_version_num] == env[SESSION_VERSION_NUM]) && (updated_at = env[SESSION_UPDATED_AT]) && (now - updated_at < opts[:skip_within]) && (serialized_session == json_data) return end bitmap = 0 json_length = json_data.bytesize gzip_over = opts[:gzip_over] if gzip_over && json_length > gzip_over json_data = Zlib.deflate(json_data) json_length = json_data.bytesize bitmap |= DEFLATE_BIT end # When calculating padding bytes to use, include 10 bytes for bitmap and # session create/update times, so total size of encrypted data is a # multiple of pad_size. if (pad_size = opts[:pad_size]) && (padding_bytes = (json_length+10) % pad_size) != 0 padding_bytes = pad_size - padding_bytes bitmap |= padding_bytes padding_data = SecureRandom.random_bytes(padding_bytes) end session_create_time = env[SESSION_CREATED_AT] serialized_data = [bitmap, session_create_time||now, now].pack('vVV') serialized_data << padding_data if padding_data serialized_data << json_data cipher_secret = opts[:cipher_secret] if per_cookie_secret = opts[:per_cookie_cipher_secret] version = "\1" per_cookie_secret_base = SecureRandom.random_bytes(32) cipher_secret = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, cipher_secret, per_cookie_secret_base) else version = "\0" end cipher = OpenSSL::Cipher.new("aes-256-ctr") cipher.encrypt cipher.key = cipher_secret cipher_iv = cipher.random_iv encrypted_data = cipher.update(serialized_data) << cipher.final data = String.new data << version data << per_cookie_secret_base if per_cookie_secret_base data << cipher_iv data << encrypted_data data << OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, opts[:hmac_secret], data+opts[:key]) data = Base64.urlsafe_encode64(data) if data.bytesize >= 4096 raise CookieTooLarge, "attempted to create cookie larger than 4096 bytes" end data end end end register_plugin(:sessions, Sessions) end end