
Default rack-protection reaction drop_session harmful? #2012

Open
@dentarg

Description

Sinatra has some protections enabled by default

```ruby
# On by default, unless skipped
use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options
use ::Rack::Protection::HttpOrigin, options unless except.include? :http_origin
use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing
use ::Rack::Protection::JsonCsrf, options unless except.include? :json_csrf
use ::Rack::Protection::PathTraversal, options unless except.include? :path_traversal
use ::Rack::Protection::RemoteToken, options unless except.include? :remote_token
use ::Rack::Protection::XSSHeader, options unless except.include? :xss_header
```

but the reaction is set to drop_session

```ruby
options[:reaction] ||= :drop_session
```

which renders many protections useless if you want them to actually stop the request from reaching your application?

```ruby
def call(env)
  unless accepts? env
    instrument env
    result = react env
  end
  # A nil result from react falls through to the wrapped application.
  result or app.call(env)
end

def drop_session(env)
  return unless session? env
  session(env).clear
  return if ["1", "true"].include?(ENV["RACK_PROTECTION_SILENCE_DROP_SESSION_WARNING"])
  warn env, "session dropped by #{self.class}"
end
```
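To make the behaviour concrete, here is an added example (not the gem's or Sinatra's own code) that models the `call` / `react` dispatch quoted above with a stand-in `ToyProtection` middleware whose `accepts?` rejects every request, run once with `:drop_session` and once with `:deny`; the `:deny` reaction is the gem's 403 reaction, everything else here is constructed for the demonstration.

```ruby
# Constructed model of the Rack::Protection::Base dispatch quoted in the issue
# (not the gem's own code): accepts? rejects every request, and the middleware
# is run once with reaction :drop_session and once with :deny.
class ToyProtection
  DENY_RESPONSE = [403, { 'content-type' => 'text/plain' }, ['Forbidden']].freeze

  def initialize(app, reaction:)
    @app = app
    @reaction = reaction
  end

  # Mirrors Base#call: a nil result from react falls through to app.call(env).
  def call(env)
    result = react(env) unless accepts?(env)
    result || @app.call(env)
  end

  # Stand-in for the per-protection check; here every request is "attack-like".
  def accepts?(_env)
    false
  end

  def react(env)
    send(@reaction, env)
  end

  # Clears the session and returns nil, so the request still reaches the app.
  def drop_session(env)
    env['rack.session']&.clear
    nil
  end

  # Returns a full response, which short-circuits the chain before the app.
  def deny(_env)
    DENY_RESPONSE
  end
end

# Sends one request carrying a constructed session through the middleware and
# reports the status, whether the inner app ran, and what is left of the session.
def run_with(reaction)
  reached = false
  app = ->(_env) { reached = true; [200, {}, ['hello']] }
  env = { 'rack.session' => { 'user_id' => 42 } }
  status, = ToyProtection.new(app, reaction: reaction).call(env)
  { status: status, app_reached: reached, session: env['rack.session'] }
end
```

With `:drop_session` the app still runs and answers 200 (only the session is emptied), whereas `:deny` returns 403 and the app is never called.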
