ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
canvas-lms/gems/canvas_breach_mitigation
History
Shawn Meredith 26090c0298 spec: simple_cov vendored_gems report merging 
Change-Id: I2421119792dcd6f8b02618c9ecfb050e00a104bd
Reviewed-on: https://gerrit.instructure.com/31013
Reviewed-by: Bryan Madsen <bryan@instructure.com>
Product-Review: Bryan Madsen <bryan@instructure.com>
QA-Review: Bryan Madsen <bryan@instructure.com>
Tested-by: Shawn Meredith <shawn@instructure.com>
 		2014-02-28 09:04:50 +00:00
..
lib convert breach migration plugin to proper gem and fix name 2014-01-30 22:55:31 +00:00
spec spec: simple_cov vendored_gems report merging 2014-02-28 09:04:50 +00:00
.rspec convert breach migration plugin to proper gem and fix name 2014-01-30 22:55:31 +00:00
Gemfile spec: canvas rspec rake task for vendored_gems 2014-02-24 05:47:34 +00:00
LICENSE.txt convert breach migration plugin to proper gem and fix name 2014-01-30 22:55:31 +00:00
README.md convert breach migration plugin to proper gem and fix name 2014-01-30 22:55:31 +00:00
canvas_breach_mitigation.gemspec don't use git to build vendored gem specification file list 2014-02-12 22:58:25 +00:00
test.sh spec: vendor_gems test.sh result determination tweak 2014-02-24 19:54:21 +00:00

README.md

Canvas Breach Mitigation

This is a fork of the breach-mitigation-rails gem: http://rubygems.org/gems/breach-mitigation-rails

TODO: Ideally this should be replaced with the gem

Makes Rails applications less susceptible to the BREACH / CRIME attacks. See breachattack.com for details.

How it works

This implements one of the suggestion mitigation strategies from the paper:

Masking Secrets: The Rails CSRF token is 'masked' by encrypting it with a 32-byte one-time pad, and the pad and encrypted token are returned to the browser, instead of the "real" CSRF token. This only protects the CSRF token from an attacker; it does not protect other data on your pages (see the paper for details on this).

Warning!

BREACH and CRIME are complicated and wide-ranging attacks, and this gem offers only partial protection for Rails applications. If you're concerned about the security of your web app, you should review the BREACH paper and look for other, application-specific things you can do to prevent or mitigate this class of attacks.

Gotchas

  • If you have overridden the verified_request? method in your application (likely in ApplicationController) you may need to update it to be compatible with the secret masking code.