Warn on dropping sessions

Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
sinatra · Jul 26, 2023 · 56c669e · 56c669e
1 parent 3fe6297
commit 56c669e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/rack-protection/lib/rack/protection/base.rb b/rack-protection/lib/rack/protection/base.rb
@@ -93,7 +93,13 @@ def session(env)
       end
 
       def drop_session(env)
-        session(env).clear if session? env
+        return unless session? env
+
+        session(env).clear
+
+        return if ["1", "true"].include?(ENV["RACK_PROTECTION_SILENCE_DROP_SESSION_WARNING"])
+
+        warn env, "session dropped by #{self.class}"
       end
 
       def referrer(env)

diff --git a/rack-protection/spec/lib/rack/protection/protection_spec.rb b/rack-protection/spec/lib/rack/protection/protection_spec.rb
@@ -52,6 +52,18 @@
       expect(io.string).not_to match(/prevented.*Origin/)
     end
 
+    it 'drops the session and warns if reaction is to drop_session' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, reaction: :drop_session, logger: Logger.new(io)
+        run DummyApp
+      end
+      session = { foo: :bar }
+      post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+      expect(io.string).to match(/session dropped by Rack::Protection::HttpOrigin/)
+      expect(session).not_to have_key(:foo)
+    end
+
     it 'passes errors to reaction method if specified' do
       io = StringIO.new
       Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }