cloudflare-rails 1.2.0 → 2.4.0.pre.beta.0
- checksums.yaml +4 -4
- data/.circleci/config.yml +6 -1
- data/Appraisals +4 -8
- data/CHANGELOG.md +20 -1
- data/Gemfile +4 -0
- data/README.md +7 -3
- data/cloudflare-rails.gemspec +8 -6
- data/gemfiles/rails_5.2.gemfile +4 -0
- data/gemfiles/rails_6.0.gemfile +4 -0
- data/gemfiles/rails_6.1.gemfile +4 -0
- data/gemfiles/rails_7.0.gemfile +11 -0
- data/lib/cloudflare/rails/railtie.rb +40 -10
- data/lib/cloudflare/rails/version.rb +1 -1
- data/lib/cloudflare/rails.rb +2 -1
- metadata +61 -23
- data/.travis.yml +0 -4
- data/gemfiles/rails_5.0.gemfile +0 -7
- data/gemfiles/rails_5.1.gemfile +0 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c1a2e44d7bd29c0dc2341b7faf87c656a21ddb96396a611076ba9ddfae79c65c
|
4
|
+
data.tar.gz: 34b4900fc88e75206feeed25e1e5e43c88343e4a655b8fd8a1f28b71389642d3
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 34575cf27372171d29709ae245d9527fd1a3fd0f7c696b3a1a759d55277708241b12270fe7d213c521648bd89779051d43729929d1d190bcda49c01ff5cada82
|
7
|
+
data.tar.gz: 3b85514ae3eed71fce038209c701044f2f003cd9d984f9e5fbe68ce11629660d5ef234793c8c88e69126a51a49b076e9f53364303db921897c7b6aa211ccc89c
|
data/.circleci/config.yml
CHANGED
@@ -7,7 +7,7 @@ jobs:
|
|
7
7
|
build:
|
8
8
|
docker:
|
9
9
|
# specify the version you desire here
|
10
|
-
- image: circleci/ruby:2.7.
|
10
|
+
- image: circleci/ruby:2.7.3
|
11
11
|
|
12
12
|
working_directory: ~/repo
|
13
13
|
|
@@ -21,6 +21,11 @@ jobs:
|
|
21
21
|
# fallback to using the latest cache if no exact match is found
|
22
22
|
- v1-dependencies-
|
23
23
|
|
24
|
+
- run:
|
25
|
+
name: install bundler
|
26
|
+
command: |
|
27
|
+
gem install bundler -v $(grep bundler cloudflare-rails.gemspec |awk {'print $4'}|sed 's/"//g')
|
28
|
+
|
24
29
|
- run:
|
25
30
|
name: install dependencies
|
26
31
|
command: |
|
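Review bot: the version extraction in the new `install bundler` step is fragile. `grep bundler cloudflare-rails.gemspec |awk {'print $4'}` depends on the exact token layout of the gemspec line and on `bundler` matching exactly one line, and the `$(...)` result is handed to `-v` unquoted. With the constraint written as `">= 2.1.2"` it installs the minimum allowed version, not a specific tested one. Consider stating the bundler version directly in the CI config, or quoting the substitution and failing the step when it comes back empty.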
data/Appraisals
CHANGED
@@ -1,11 +1,3 @@
|
|
1
|
-
appraise "rails-5.0" do
|
2
|
-
gem "rails", "~> 5.0.0"
|
3
|
-
end
|
4
|
-
|
5
|
-
appraise "rails-5.1" do
|
6
|
-
gem "rails", "~> 5.1.0"
|
7
|
-
end
|
8
|
-
|
9
1
|
appraise "rails-5.2" do
|
10
2
|
gem "rails", "~> 5.2.0"
|
11
3
|
end
|
@@ -17,3 +9,7 @@ end
|
|
17
9
|
appraise "rails-6.1" do
|
18
10
|
gem "rails", "~> 6.1.0"
|
19
11
|
end
|
12
|
+
|
13
|
+
appraise "rails-7.0" do
|
14
|
+
gem "rails", git: "https://github.com/rails/rails", branch: "main"
|
15
|
+
end
|
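Review bot: the `rails-7.0` appraisal follows `branch: "main"` of the rails repository, which is a moving target, so the same commit of this gem can pass or fail CI depending on the day, and the suite runs against whatever upstream code landed last. Pin it to a pre-release version (the CHANGELOG names `7.0.0.alpha`) or to a specific `ref:` and bump it deliberately.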
data/CHANGELOG.md
CHANGED
@@ -4,7 +4,26 @@ All notable changes to this project will be documented in this file.
|
|
4
4
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
5
5
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
6
6
|
|
7
|
-
## [
|
7
|
+
## [2.4.0-beta.0] - 12-10-24
|
8
|
+
- Skip fetching and caching of Cloudflare ip address when Rails::Console is defined or when ENV['DISABLE_CLOUDFLARE_RAILS] is set
|
9
|
+
|
10
|
+
## [2.3.0] - 2021-10-22
|
11
|
+
- Better handling of malformed IP addresses (https://github.com/modosc/cloudflare-rails/pull/49)
|
12
|
+
|
13
|
+
## [2.2.0] - 2021-06-11
|
14
|
+
- Fix typo in `actionpack` dependency
|
15
|
+
|
16
|
+
## [2.1.0] - 2021-06-11
|
17
|
+
### Breaking Changes
|
18
|
+
- Drop support for unsupported `rails` versions (`5.0.x` and `5.1.x`)
|
19
|
+
|
20
|
+
### Added
|
21
|
+
- use Net::HTTP instead of httparty ([pr](https://github.com/modosc/cloudflare-rails/pull/44))
|
22
|
+
- Add `rails 7.0.0.alpha` support
|
23
|
+
|
24
|
+
## [2.0.0] - 2021-02-17
|
25
|
+
### Breaking Changes
|
26
|
+
- Removed broad dependency on `rails`, replaced with explicit dependencies for `railties`, `activesupport`, and `actionpack` ( [issue](https://github.com/modosc/cloudflare-rails/issues/34) and [pr](https://github.com/modosc/cloudflare-rails/pull/35))
|
8
27
|
|
9
28
|
## [1.0.0] - 2020-09-29
|
10
29
|
### Added
|
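Review bot: the `2.4.0-beta.0` entry has two defects. The date `12-10-24` does not follow the `YYYY-MM-DD` form that every other entry uses, and `ENV['DISABLE_CLOUDFLARE_RAILS]` is missing its closing quote. It would also help to say in the entry how `request.remote_ip` behaves when the fetch is skipped, since that is the behaviour the gem exists to correct.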
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -1,9 +1,13 @@
|
|
1
|
-
# Cloudflare::Rails [![Gem Version](https://badge.fury.io/rb/cloudflare-rails.svg)](https://badge.fury.io/rb/cloudflare-rails) [![CircleCI](https://circleci.com/gh/modosc/cloudflare-rails/tree/
|
1
|
+
# Cloudflare::Rails [![Gem Version](https://badge.fury.io/rb/cloudflare-rails.svg)](https://badge.fury.io/rb/cloudflare-rails) [![CircleCI](https://circleci.com/gh/modosc/cloudflare-rails/tree/main.svg?style=shield)](https://circleci.com/gh/modosc/cloudflare-rails/tree/main)
|
2
2
|
This gem correctly configures Rails for [CloudFlare](https://www.cloudflare.com) so that `request.remote_ip` / `request.ip` both work correctly.
|
3
3
|
|
4
4
|
## Rails Compatibility
|
5
5
|
|
6
|
-
This gem requires
|
6
|
+
This gem requires `railties`, `activesupport`, and `actionpack` >= `5.2`.
|
7
|
+
|
8
|
+
For Rails `5.0` and `5.1` use `2.0.0`.
|
9
|
+
|
10
|
+
For Rails `4.2` use `0.1.x`.
|
7
11
|
|
8
12
|
## Installation
|
9
13
|
|
@@ -25,7 +29,7 @@ And then execute:
|
|
25
29
|
|
26
30
|
Using Cloudflare means it's hard to identify the IP address of incoming requests since all requests are proxied through Cloudflare's infrastructure. Cloudflare provides a [CF-Connecting-IP](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) header which can be used to identify the originating IP address of a request. However, this header alone doesn't verify a request is legitimate. If an attacker has found the actual IP address of your server they could spoof this header and masquerade as legitimate traffic.
|
27
31
|
|
28
|
-
`cloudflare-rails` mitigates this attack by checking that the originating ip address of any incoming
|
32
|
+
`cloudflare-rails` mitigates this attack by checking that the originating ip address of any incoming connection is from one of Cloudflare's ip address ranges. If so, the incoming `X-Forwarded-For` header is trusted and used as the ip address provided to `rack` and `rails` (via `request.ip` and `request.remote_ip`). If the incoming connection does not originate from a Cloudflare server then the `X-Forwarded-For` header is ignored and the actual remote ip address is used.
|
29
33
|
|
30
34
|
## Usage
|
31
35
|
This code will fetch CloudFlare's current [IPv4](https://www.cloudflare.com/ips-v4) and [IPv6](https://www.cloudflare.com/ips-v6) lists, store them in `Rails.cache`, and add them to `config.cloudflare.ips`. The `X-Forwarded-For` header will then be trusted only from those ip addresses.
|
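Review bot: missing documentation in the Usage paragraph, which still says the gem fetches the IPv4 and IPv6 lists and stores them in `Rails.cache` without qualification. This release skips that step when `Rails::Console` is defined or `DISABLE_CLOUDFLARE_RAILS` is set (per the CHANGELOG entry), and the README changes shown here do not mention either condition. Add a sentence naming the variable and stating which addresses are trusted when the fetch is skipped.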
data/cloudflare-rails.gemspec
CHANGED
@@ -20,19 +20,21 @@ Gem::Specification.new do |spec|
|
|
20
20
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
21
21
|
spec.require_paths = ["lib"]
|
22
22
|
|
23
|
-
spec.add_development_dependency "bundler", "
|
23
|
+
spec.add_development_dependency "bundler", ">= 2.1.2"
|
24
24
|
spec.add_development_dependency "rake", "~> 13.0.1"
|
25
25
|
spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
|
26
|
-
spec.add_development_dependency "rspec-rails", "~>
|
26
|
+
spec.add_development_dependency "rspec-rails", "~> 5.0.1"
|
27
27
|
spec.add_development_dependency "rspec", "~> 3.10.0"
|
28
28
|
spec.add_development_dependency "rubocop-airbnb", "~> 3.0.2"
|
29
|
-
spec.add_development_dependency "webmock", "~> 3.
|
30
|
-
spec.add_development_dependency "rack-attack", "~> 6.
|
29
|
+
spec.add_development_dependency "webmock", "~> 3.13.0"
|
30
|
+
spec.add_development_dependency "rack-attack", "~> 6.5.0"
|
31
31
|
spec.add_development_dependency "pry-byebug"
|
32
32
|
spec.add_development_dependency "appraisal"
|
33
|
+
spec.add_development_dependency "climate_control"
|
33
34
|
|
34
|
-
spec.add_dependency "
|
35
|
-
spec.add_dependency "
|
35
|
+
spec.add_dependency "railties", ">= 5.2", "< 7.1.0"
|
36
|
+
spec.add_dependency "activesupport", ">= 5.2", "< 7.1.0"
|
37
|
+
spec.add_dependency "actionpack", ">= 5.2", "< 7.1.0"
|
36
38
|
|
37
39
|
# we need Module#prepend
|
38
40
|
spec.required_ruby_version = '>= 2.0'
|
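Review bot: `spec.required_ruby_version = '>= 2.0'` in the trailing context is stale next to the runtime dependencies added above it. `railties`, `activesupport` and `actionpack` are now required at `>= 5.2`, and Rails 5.2 needs Ruby 2.2.2 or later, so the declared floor admits Ruby versions on which the dependencies cannot resolve. Raise it to match. Separately, `"bundler", ">= 2.1.2"` has no upper bound while the neighbouring development dependencies use `~>`.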
data/gemfiles/rails_5.2.gemfile
CHANGED
data/gemfiles/rails_6.0.gemfile
CHANGED
data/gemfiles/rails_6.1.gemfile
CHANGED
@@ -0,0 +1,11 @@
|
|
1
|
+
# This file was generated by Appraisal
|
2
|
+
|
3
|
+
source "https://rubygems.org"
|
4
|
+
|
5
|
+
gem "rails", git: "https://github.com/rails/rails", branch: "main"
|
6
|
+
|
7
|
+
group :development do
|
8
|
+
gem "rspec-isolation", git: "https://github.com/modosc/rspec-isolation"
|
9
|
+
end
|
10
|
+
|
11
|
+
gemspec path: "../"
|
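Review bot: the `rspec-isolation` line pulls from `git: "https://github.com/modosc/rspec-isolation"` with no `ref:` or `tag:`, so the development bundle changes whenever that repository's default branch does. Because this gemfile is generated by Appraisal, add the pin in the file it is generated from and regenerate, so the pin is not lost on the next run.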
@@ -1,5 +1,4 @@
|
|
1
1
|
require "active_support/core_ext/integer/time"
|
2
|
-
require "httparty"
|
3
2
|
|
4
3
|
module Cloudflare
|
5
4
|
module Rails
|
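Review bot: `require "httparty"` is removed at the top of the file, but no `require "net/http"` appears in its place in the lines shown, while the later hunks call `Net::HTTP.start`, `URI(...)` and `IPAddr.new`. If the require was added in `lib/cloudflare/rails.rb` (its change is not shown on this page) that is fine; otherwise add `require "net/http"` and `require "ipaddr"` here so this file does not depend on load order.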
@@ -8,7 +7,13 @@ module Cloudflare
|
|
8
7
|
# correct inside of rack and rails
|
9
8
|
module CheckTrustedProxies
|
10
9
|
def trusted_proxy?(ip)
|
11
|
-
::Rails.application.config.cloudflare.ips.any?
|
10
|
+
matching = ::Rails.application.config.cloudflare.ips.any? do |proxy|
|
11
|
+
begin
|
12
|
+
proxy === ip
|
13
|
+
rescue IPAddr::InvalidAddressError
|
14
|
+
end
|
15
|
+
end
|
16
|
+
matching || super
|
12
17
|
end
|
13
18
|
end
|
14
19
|
|
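Review bot: in `trusted_proxy?`, the `rescue IPAddr::InvalidAddressError` sits inside the `any?` block, so a malformed `ip` raises and is rescued once per configured range, and the empty rescue body leaves no trace that a bad value was seen. Wrap the whole `any?` call in a single `begin`/`rescue` (or validate `ip` once before the loop) and set `matching` to `false` in the rescue so the fall-through to `super` is explicit.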
@@ -21,13 +26,23 @@ module Cloudflare
|
|
21
26
|
end
|
22
27
|
|
23
28
|
class Importer
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
29
|
+
# Exceptions contain the Net::HTTP
|
30
|
+
# response object accessible via the {#response} method.
|
31
|
+
class ResponseError < StandardError
|
32
|
+
# Returns the response of the last request
|
33
|
+
# @return [Net::HTTPResponse] A subclass of Net::HTTPResponse, e.g.
|
34
|
+
# Net::HTTPOK
|
35
|
+
attr_reader :response
|
28
36
|
|
29
|
-
|
37
|
+
# Instantiate an instance of ResponseError with a Net::HTTPResponse object
|
38
|
+
# @param [Net::HTTPResponse]
|
39
|
+
def initialize(response)
|
40
|
+
@response = response
|
41
|
+
super(response)
|
42
|
+
end
|
43
|
+
end
|
30
44
|
|
45
|
+
BASE_URL = 'https://www.cloudflare.com'.freeze
|
31
46
|
IPS_V4_URL = '/ips-v4'.freeze
|
32
47
|
IPS_V6_URL = '/ips-v6'.freeze
|
33
48
|
|
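Review bot: in `ResponseError#initialize`, `super(response)` passes the `Net::HTTPResponse` object itself as the exception message, so logs show the object's default string form instead of the status. Build the message from it, for example `super("#{response.code} #{response.message}")`, and keep `@response` for callers that need the full object. The `@param [Net::HTTPResponse]` tag is also missing the parameter name.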
@@ -40,16 +55,31 @@ module Cloudflare
|
|
40
55
|
fetch IPS_V4_URL
|
41
56
|
end
|
42
57
|
|
58
|
+
def should_skip?
|
59
|
+
defined?(::Rails::Console) || ENV.key?('DISABLE_CLOUDFLARE_RAILS')
|
60
|
+
end
|
61
|
+
|
43
62
|
def fetch(url)
|
44
|
-
|
45
|
-
|
63
|
+
uri = URI("#{BASE_URL}#{url}")
|
64
|
+
|
65
|
+
resp = Net::HTTP.start(uri.host,
|
66
|
+
uri.port,
|
67
|
+
use_ssl: true,
|
68
|
+
read_timeout: ::Rails.application.config.cloudflare.timeout) do |http|
|
69
|
+
req = Net::HTTP::Get.new(uri)
|
70
|
+
|
71
|
+
http.request(req)
|
72
|
+
end
|
73
|
+
|
74
|
+
if resp.is_a?(Net::HTTPSuccess)
|
46
75
|
resp.body.split("\n").reject(&:blank?).map { |ip| IPAddr.new ip }
|
47
76
|
else
|
48
|
-
raise ResponseError, resp
|
77
|
+
raise ResponseError, resp
|
49
78
|
end
|
50
79
|
end
|
51
80
|
|
52
81
|
def fetch_with_cache(type)
|
82
|
+
return if should_skip?
|
53
83
|
::Rails.cache.fetch("cloudflare-rails:#{type}", expires_in: ::Rails.application.config.cloudflare.expires_in) do
|
54
84
|
send type
|
55
85
|
end
|
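Review bot: `fetch_with_cache` returns `nil` when `should_skip?` is true, where it otherwise returns the list of `IPAddr` objects. The caller is not in this hunk, so confirm it tolerates `nil`, or return `[]` from the early exit. Two smaller points in the same hunk: `ENV.key?('DISABLE_CLOUDFLARE_RAILS')` treats any value as on, including `DISABLE_CLOUDFLARE_RAILS=false`, and `Net::HTTP.start` sets `read_timeout` only, so connection setup still runs under the default `open_timeout`.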
data/lib/cloudflare/rails.rb
CHANGED
metadata
CHANGED
@@ -1,27 +1,27 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cloudflare-rails
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 2.4.0.pre.beta.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- jonathan schatz
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-10-24 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
16
16
|
requirements:
|
17
|
-
- - "
|
17
|
+
- - ">="
|
18
18
|
- !ruby/object:Gem::Version
|
19
19
|
version: 2.1.2
|
20
20
|
type: :development
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
|
-
- - "
|
24
|
+
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: 2.1.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
@@ -58,14 +58,14 @@ dependencies:
|
|
58
58
|
requirements:
|
59
59
|
- - "~>"
|
60
60
|
- !ruby/object:Gem::Version
|
61
|
-
version:
|
61
|
+
version: 5.0.1
|
62
62
|
type: :development
|
63
63
|
prerelease: false
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
65
65
|
requirements:
|
66
66
|
- - "~>"
|
67
67
|
- !ruby/object:Gem::Version
|
68
|
-
version:
|
68
|
+
version: 5.0.1
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: rspec
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
@@ -100,28 +100,28 @@ dependencies:
|
|
100
100
|
requirements:
|
101
101
|
- - "~>"
|
102
102
|
- !ruby/object:Gem::Version
|
103
|
-
version: 3.
|
103
|
+
version: 3.13.0
|
104
104
|
type: :development
|
105
105
|
prerelease: false
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
107
107
|
requirements:
|
108
108
|
- - "~>"
|
109
109
|
- !ruby/object:Gem::Version
|
110
|
-
version: 3.
|
110
|
+
version: 3.13.0
|
111
111
|
- !ruby/object:Gem::Dependency
|
112
112
|
name: rack-attack
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
114
114
|
requirements:
|
115
115
|
- - "~>"
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version: 6.
|
117
|
+
version: 6.5.0
|
118
118
|
type: :development
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
122
|
- - "~>"
|
123
123
|
- !ruby/object:Gem::Version
|
124
|
-
version: 6.
|
124
|
+
version: 6.5.0
|
125
125
|
- !ruby/object:Gem::Dependency
|
126
126
|
name: pry-byebug
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
@@ -151,13 +151,13 @@ dependencies:
|
|
151
151
|
- !ruby/object:Gem::Version
|
152
152
|
version: '0'
|
153
153
|
- !ruby/object:Gem::Dependency
|
154
|
-
name:
|
154
|
+
name: climate_control
|
155
155
|
requirement: !ruby/object:Gem::Requirement
|
156
156
|
requirements:
|
157
157
|
- - ">="
|
158
158
|
- !ruby/object:Gem::Version
|
159
159
|
version: '0'
|
160
|
-
type: :
|
160
|
+
type: :development
|
161
161
|
prerelease: false
|
162
162
|
version_requirements: !ruby/object:Gem::Requirement
|
163
163
|
requirements:
|
@@ -165,25 +165,65 @@ dependencies:
|
|
165
165
|
- !ruby/object:Gem::Version
|
166
166
|
version: '0'
|
167
167
|
- !ruby/object:Gem::Dependency
|
168
|
-
name:
|
168
|
+
name: railties
|
169
169
|
requirement: !ruby/object:Gem::Requirement
|
170
170
|
requirements:
|
171
171
|
- - ">="
|
172
172
|
- !ruby/object:Gem::Version
|
173
|
-
version: '5.
|
173
|
+
version: '5.2'
|
174
174
|
- - "<"
|
175
175
|
- !ruby/object:Gem::Version
|
176
|
-
version:
|
176
|
+
version: 7.1.0
|
177
177
|
type: :runtime
|
178
178
|
prerelease: false
|
179
179
|
version_requirements: !ruby/object:Gem::Requirement
|
180
180
|
requirements:
|
181
181
|
- - ">="
|
182
182
|
- !ruby/object:Gem::Version
|
183
|
-
version: '5.
|
183
|
+
version: '5.2'
|
184
184
|
- - "<"
|
185
185
|
- !ruby/object:Gem::Version
|
186
|
-
version:
|
186
|
+
version: 7.1.0
|
187
|
+
- !ruby/object:Gem::Dependency
|
188
|
+
name: activesupport
|
189
|
+
requirement: !ruby/object:Gem::Requirement
|
190
|
+
requirements:
|
191
|
+
- - ">="
|
192
|
+
- !ruby/object:Gem::Version
|
193
|
+
version: '5.2'
|
194
|
+
- - "<"
|
195
|
+
- !ruby/object:Gem::Version
|
196
|
+
version: 7.1.0
|
197
|
+
type: :runtime
|
198
|
+
prerelease: false
|
199
|
+
version_requirements: !ruby/object:Gem::Requirement
|
200
|
+
requirements:
|
201
|
+
- - ">="
|
202
|
+
- !ruby/object:Gem::Version
|
203
|
+
version: '5.2'
|
204
|
+
- - "<"
|
205
|
+
- !ruby/object:Gem::Version
|
206
|
+
version: 7.1.0
|
207
|
+
- !ruby/object:Gem::Dependency
|
208
|
+
name: actionpack
|
209
|
+
requirement: !ruby/object:Gem::Requirement
|
210
|
+
requirements:
|
211
|
+
- - ">="
|
212
|
+
- !ruby/object:Gem::Version
|
213
|
+
version: '5.2'
|
214
|
+
- - "<"
|
215
|
+
- !ruby/object:Gem::Version
|
216
|
+
version: 7.1.0
|
217
|
+
type: :runtime
|
218
|
+
prerelease: false
|
219
|
+
version_requirements: !ruby/object:Gem::Requirement
|
220
|
+
requirements:
|
221
|
+
- - ">="
|
222
|
+
- !ruby/object:Gem::Version
|
223
|
+
version: '5.2'
|
224
|
+
- - "<"
|
225
|
+
- !ruby/object:Gem::Version
|
226
|
+
version: 7.1.0
|
187
227
|
description: ''
|
188
228
|
email:
|
189
229
|
- modosc@users.noreply.github.com
|
@@ -198,7 +238,6 @@ files:
|
|
198
238
|
- ".rubocop.yml"
|
199
239
|
- ".rubocop_airbnb.yml"
|
200
240
|
- ".rubocop_todo.yml"
|
201
|
-
- ".travis.yml"
|
202
241
|
- Appraisals
|
203
242
|
- CHANGELOG.md
|
204
243
|
- Gemfile
|
@@ -209,11 +248,10 @@ files:
|
|
209
248
|
- bin/setup
|
210
249
|
- cloudflare-rails.gemspec
|
211
250
|
- gemfiles/.bundle/config
|
212
|
-
- gemfiles/rails_5.0.gemfile
|
213
|
-
- gemfiles/rails_5.1.gemfile
|
214
251
|
- gemfiles/rails_5.2.gemfile
|
215
252
|
- gemfiles/rails_6.0.gemfile
|
216
253
|
- gemfiles/rails_6.1.gemfile
|
254
|
+
- gemfiles/rails_7.0.gemfile
|
217
255
|
- lib/cloudflare/rails.rb
|
218
256
|
- lib/cloudflare/rails/railtie.rb
|
219
257
|
- lib/cloudflare/rails/version.rb
|
@@ -232,11 +270,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
232
270
|
version: '2.0'
|
233
271
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
234
272
|
requirements:
|
235
|
-
- - "
|
273
|
+
- - ">"
|
236
274
|
- !ruby/object:Gem::Version
|
237
|
-
version:
|
275
|
+
version: 1.3.1
|
238
276
|
requirements: []
|
239
|
-
rubygems_version: 3.
|
277
|
+
rubygems_version: 3.2.18
|
240
278
|
signing_key:
|
241
279
|
specification_version: 4
|
242
280
|
summary: This gem configures Rails for CloudFlare so that request.ip and request.remote_ip
|
data/.travis.yml
DELETED
data/gemfiles/rails_5.0.gemfile
DELETED