cloudflare-rails 6.0.0 → 6.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f52bcf9825a5051914653aa8b471e173896ca7b0345c88b30512a7f5ca5792ca
-  data.tar.gz: ddfe50aa060ef4971b9722658ae75dee9580ce1b2c028973f5caa877e370e7a3
+  metadata.gz: 6744917646a84fbd4d06faabf47537911ebc59369ab4848c0a3e9979ee21116e
+  data.tar.gz: 7bf4fc1daee7eb7101056eb3ab18d765ccfccbe5b8c02608f65daced10d0f49b
 SHA512:
-  metadata.gz: ca4faedbdaf7f45af3212865abf420cdc1077bd9c0339f507425f3ce11a520101dedc9d8023b70bfe15d8c163fd6dd21d74a55f785255b95956bdb5fe6dbcc16
-  data.tar.gz: 1f7fe45788911c43bf9897e17b9a410615d8554e75cd0e6971dd81a398c0c1fa420ecb6c1c036a4b37d1604bdfcd5aa6d928c5a2ce07e7761c3628f3263c1360
+  metadata.gz: 49816d30c9ef0c1b59aac36eb59d4a30465d285e0426ed7a1c3b41439910acb2ab4c0f71c2d7f4fa90a5c02baba2ad58b23338b446120c6c4b078d691cede797
+  data.tar.gz: 2121fa3a384f1d3630cb0f87bd2a40bb6228ad2a5defa8fddad514c6b84c9cca37e19bc50bbdbf69e4fdee43966ba7cd8e7fb53f109176e8a45e1df3d63e0cf9

data/.rspec

@@ -1,4 +1,2 @@
 --format d
 --color
---format RspecJunitFormatter
---out tmp/rspec/rspec-<%= File.basename ENV['BUNDLE_GEMFILE'] %><%= ENV["RACK_ATTACK"]  ? "-rack-attack-#{ENV["RACK_ATTACK"]}" : '' %>.xml

data/.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2023-12-16 21:20:23 UTC using RuboCop version 1.59.0.
+# on 2024-06-13 00:13:47 UTC using RuboCop version 1.64.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -11,7 +11,7 @@
 # AllowedMethods: enums
 Lint/ConstantDefinitionInBlock:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
@@ -19,13 +19,13 @@ Lint/ConstantDefinitionInBlock:
 # AllowedMethods: instance_of?, kind_of?, is_a?, eql?, respond_to?, equal?, presence, present?
 Lint/RedundantSafeNavigation:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 1
 # Configuration parameters: AllowComments, AllowNil.
 Lint/SuppressedException:
   Exclude:
-    - 'lib/cloudflare_rails/check_trusted_proxies.rb'
+    - "lib/cloudflare_rails/check_trusted_proxies.rb"
 
 # Offense count: 1
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
@@ -43,26 +43,26 @@ Metrics/MethodLength:
 # AllowedAcronyms: CLI, DSL, ACL, API, ASCII, CPU, CSS, DNS, EOF, GUID, HTML, HTTP, HTTPS, ID, IP, JSON, LHS, QPS, RAM, RHS, RPC, SLA, SMTP, SQL, SSH, TCP, TLS, TTL, UDP, UI, UID, UUID, URI, URL, UTF8, VM, XML, XMPP, XSRF, XSS
 Naming/FileName:
   Exclude:
-    - 'lib/cloudflare-rails.rb'
+    - "lib/cloudflare-rails.rb"
 
 # Offense count: 2
 # Configuration parameters: ForbiddenDelimiters.
 # ForbiddenDelimiters: (?i-mx:(^|\s)(EO[A-Z]{1}|END)(\s|$))
 Naming/HeredocDelimiterNaming:
   Exclude:
-    - 'lib/cloudflare_rails/fallback_ips.rb'
+    - "lib/cloudflare_rails/fallback_ips.rb"
 
 # Offense count: 3
 RSpec/AnyInstance:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 1
 # Configuration parameters: Prefixes, AllowedPatterns.
 # Prefixes: when, with, without
 RSpec/ContextWording:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
@@ -70,19 +70,12 @@ RSpec/ContextWording:
 # DisallowedExamples: works
 RSpec/ExampleWording:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
-
-# Offense count: 1
-# Configuration parameters: Include, CustomTransform, IgnoreMethods, SpecSuffixOnly.
-# Include: **/*_spec*rb*, **/spec/**/*
-RSpec/FilePath:
-  Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 1
 RSpec/LeakyConstantDeclaration:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 5
 RSpec/MultipleExpectations:
@@ -98,7 +91,7 @@ RSpec/MultipleMemoizedHelpers:
 # SupportedStyles: always, named_only
 RSpec/NamedSubject:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 16
 # Configuration parameters: AllowedGroups.
@@ -110,19 +103,19 @@ RSpec/NestedGroups:
 # Include: **/*_spec.rb
 RSpec/SpecFilePathFormat:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Rails/ApplicationController:
   Exclude:
-    - 'spec/cloudflare/rails_spec.rb'
+    - "spec/cloudflare/rails_spec.rb"
 
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Rails/CompactBlank:
   Exclude:
-    - 'lib/cloudflare_rails/importer.rb'
+    - "lib/cloudflare_rails/importer.rb"
 
 # Offense count: 3
 # This cop supports unsafe autocorrection (--autocorrect-all).
@@ -130,14 +123,14 @@ Rails/CompactBlank:
 # Include: **/Rakefile, **/*.rake
 Rails/RakeEnvironment:
   Exclude:
-    - 'Rakefile'
+    - "Rakefile"
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowOnConstant, AllowOnSelfClass.
 Style/CaseEquality:
   Exclude:
-    - 'lib/cloudflare_rails/check_trusted_proxies.rb'
+    - "lib/cloudflare_rails/check_trusted_proxies.rb"
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
@@ -147,32 +140,22 @@ Style/CaseEquality:
 Style/FormatStringToken:
   EnforcedStyle: unannotated
 
-# Offense count: 15
+# Offense count: 13
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: always, always_true, never
 Style/FrozenStringLiteralComment:
   Exclude:
-    - 'Appraisals'
-    - 'Gemfile'
-    - 'Rakefile'
-    - 'cloudflare-rails.gemspec'
-    - 'gemfiles/rails_6.1.gemfile'
-    - 'gemfiles/rails_7.0.gemfile'
-    - 'gemfiles/rails_7.1.gemfile'
-    - 'lib/cloudflare_rails.rb'
-    - 'lib/cloudflare_rails/check_trusted_proxies.rb'
-    - 'lib/cloudflare_rails/importer.rb'
-    - 'lib/cloudflare_rails/railtie.rb'
-    - 'lib/cloudflare_rails/remote_ip_proxies.rb'
-    - 'lib/cloudflare_rails/version.rb'
-    - 'spec/cloudflare/rails_spec.rb'
-    - 'spec/spec_helper.rb'
+    - "Appraisals"
+    - "Gemfile"
+    - "Rakefile"
+    - "cloudflare-rails.gemspec"
+    - "gemfiles/rails_7.1.gemfile"
 
 # Offense count: 1
 Style/MultilineBlockChain:
   Exclude:
-    - 'lib/cloudflare_rails/railtie.rb'
+    - "lib/cloudflare_rails/railtie.rb"
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).

data/Appraisals

@@ -3,7 +3,7 @@ appraise 'rails-7.1' do
 end
 
 appraise 'rails-7.2' do
-  gem 'rails', github: 'rails/rails', branch: '7-2-stable'
+  gem 'rails', '~> 7.2.0'
 end
 
 appraise 'rails-8.0' do

data/CHANGELOG.md

@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [6.2.0]
+- Trust X-Forwarded-For from the right to the left (https://github.com/modosc/cloudflare-rails/pull/162)
+
+## [6.1.0]
+- Add cloudflare? method to determine if request passed through CF (https://github.com/modosc/cloudflare-rails/pull/149)
+
 ## [6.0.0] - 2024-06-12
 - Drop support for `rails` version `6.1` and `7.0`, new minimum version is `7.1.0` (https://github.com/modosc/cloudflare-rails/pull/142)
 - Bump minimum ruby version to `3.1.0` in preparation for `rails` version `7.2` (https://github.com/modosc/cloudflare-rails/pull/142)

data/README.md

@@ -1,5 +1,6 @@
 # CloudflareRails [![Gem Version](https://badge.fury.io/rb/cloudflare-rails.svg)](https://badge.fury.io/rb/cloudflare-rails)
-This gem correctly configures Rails for [CloudFlare](https://www.cloudflare.com) so that `request.remote_ip` / `request.ip` both work correctly.
+
+This gem correctly configures Rails for [CloudFlare](https://www.cloudflare.com) so that `request.remote_ip` / `request.ip` both work correctly. It also exposes a `#cloudflare?` method on `Rack::Request`.
 
 ## Rails Compatibility
 
@@ -14,7 +15,6 @@ This gem requires `railties`, `activesupport`, and `actionpack` >= `7.1`. For ol
 | 5.1             | 2.0.0                      |
 | 5.0             | 2.0.0                      |
 | 4.2             | 0.1.0                      |
-| -----           | -------                    |
 
 ## Installation
 
@@ -39,25 +39,48 @@ Using Cloudflare means it's hard to identify the IP address of incoming requests
 `cloudflare-rails` mitigates this attack by checking that the originating ip address of any incoming connection is from one of Cloudflare's ip address ranges. If so, the incoming `X-Forwarded-For` header is trusted and used as the ip address provided to `rack` and `rails` (via `request.ip` and `request.remote_ip`). If the incoming connection does not originate from a Cloudflare server then the `X-Forwarded-For` header is ignored and the actual remote ip address is used.
 
 ## How it works
+
 This code fetches and caches CloudFlare's current [IPv4](https://www.cloudflare.com/ips-v4) and [IPv6](https://www.cloudflare.com/ips-v6) lists. It then patches `Rack::Request::Helpers` and `ActionDispatch::RemoteIP` to treat these addresses as trusted proxies. The `X-Forwarded-For` header will then be trusted only from those ip addresses.
 
 ### Why not use `config.action_dispatch.trusted_proxies` or `Rack::Request.ip_filter?`
+
 By default Rails includes the [ActionDispatch::RemoteIp](https://api.rubyonrails.org/classes/ActionDispatch/RemoteIp.html) middleware. This middleware uses a default list of [trusted proxies](https://github.com/rails/rails/blob/6b93fff8af32ef5e91f4ec3cfffb081d0553faf0/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L36C5-L42). Any values from `config.action_dispatch.trusted_proxies` are appended to this list. If you were to set `config.action_dispatch.trusted_proxies` to the current list of Cloudflare IP addresses `request.remote_ip` would work correctly.
 
 Unfortunately this does not fix `request.ip`. This method comes from the [Rack::Request](https://github.com/rack/rack/blob/main/lib/rack/request.rb) middleware. It has a separate implementation of [trusted proxies](https://github.com/rack/rack/blob/main/lib/rack/request.rb#L48-L56) and [ip filtering](https://github.com/rack/rack/blob/main/lib/rack/request.rb#L58C1-L59C1). The only way to use a different implementation is to set `Rack::Request.ip_filter` which expects a callable value. Providing a new one will override the old one so you'd lose the default values (all of which should be there). Those values aren't exported anywhere so your callable would now have to maintain _that_ list on top of the Cloudflare IPs.
 
 These issues are why this gem patches both `Rack::Request::Helpers` and `ActionDispatch::RemoteIP` rather than using the built-in configuration methods.
 
+## Prerequisites
+
+You must have a [`cache_store`](https://guides.rubyonrails.org/caching_with_rails.html#configuration) configured in your `rails` application.
+
 ## Usage
-You can configure the HTTP `timeout` and `expires_in` cache parameters inside of your rails config:
+
+You can configure the HTTP `timeout` and `expires_in` cache parameters inside of your `rails` config:
+
 ```ruby
 config.cloudflare.expires_in = 12.hours # default value
 config.cloudflare.timeout = 5.seconds # default value
 ```
 
-## Alternatives
+## Blocking non-Cloudflare traffic
+
+You can use the `#cloudflare?` method from this gem to block all non-Cloudflare traffic to your application. Here's an example of doing this with [`Rack::Attack`](https://github.com/rack/rack-attack):
+
+```ruby
+  Rack::Attack.blocklist('CloudFlare WAF bypass') do |req|
+    !req.cloudflare?
+  end
+```
+
+Note that the request may optionally pass through additional trusted proxies, so it will return `true` for any of these scenarios:
+
+-   `REMOTE_ADDR: CloudFlare`
+-   `REMOTE_ADDR: trusted_proxy`, `X_HTTP_FORWARDED_FOR: CloudFlare`
+-   `REMOTE_ADDR: trusted_proxy`, `X_HTTP_FORWARDED_FOR: CloudFlare,trusted_proxy2`
+-   `REMOTE_ADDR: trusted_proxy`, `X_HTTP_FORWARDED_FOR: untrusted,CloudFlare`
 
-[actionpack-cloudflare](https://github.com/customink/actionpack-cloudflare) simpler approach using the `CF-Connecting-IP` header.
+but it will return `false` if CloudFlare comes to the left of an untrusted IP in `X-Forwarded-For`.
 
 ## Development
 

data/cloudflare-rails.gemspec

@@ -23,14 +23,12 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rack-attack', '~> 6.7.0'
   spec.add_development_dependency 'rake', '~> 13.2.1'
   spec.add_development_dependency 'rspec', '~> 3.13.0'
-  spec.add_development_dependency 'rspec_junit_formatter', '~> 0.6.0'
-  spec.add_development_dependency 'rspec-rails', '~> 6.1.2'
-  spec.add_development_dependency 'rubocop', '~> 1.64.1'
-  spec.add_development_dependency 'rubocop-performance', '~> 1.21.0'
-  spec.add_development_dependency 'rubocop-rails', '~> 2.25.0'
-  spec.add_development_dependency 'rubocop-rspec', '~> 2.26.1'
-  spec.add_development_dependency 'webmock', '~> 3.23.1'
-
+  spec.add_development_dependency 'rspec-rails', '~> 7.0.1'
+  spec.add_development_dependency 'rubocop', '~> 1.66.1'
+  spec.add_development_dependency 'rubocop-performance', '~> 1.22.1'
+  spec.add_development_dependency 'rubocop-rails', '~> 2.26.1'
+  spec.add_development_dependency 'rubocop-rspec', '~> 3.1.0'
+  spec.add_development_dependency 'webmock', '~> 3.24.0'
   spec.add_dependency 'actionpack', '>= 7.1.0', '< 8.1.0'
   spec.add_dependency 'activesupport', '>= 7.1.0', '< 8.1.0'
   spec.add_dependency 'railties', '>= 7.1.0', '< 8.1.0'

data/gemfiles/rails_7.2.gemfile

@@ -4,6 +4,6 @@
 
 source 'https://rubygems.org'
 
-gem 'rails', github: 'rails/rails', branch: '7-2-stable'
+gem 'rails', '~> 7.2.0'
 
 gemspec path: '../'

data/lib/cloudflare_rails/check_trusted_proxies.rb

@@ -1,13 +1,32 @@
+# frozen_string_literal: true
+
 module CloudflareRails
   # patch rack::request::helpers to use our cloudflare ips - this way request.ip is
   # correct inside of rack and rails
   module CheckTrustedProxies
-    def trusted_proxy?(ip)
-      matching = Importer.cloudflare_ips.any? do |proxy|
+    def cloudflare_ip?(ip)
+      Importer.cloudflare_ips.any? do |proxy|
         proxy === ip
       rescue IPAddr::InvalidAddressError
       end
-      matching || super
+    end
+
+    def trusted_proxy?(ip)
+      cloudflare_ip?(ip) || super
+    end
+
+    def cloudflare?
+      remote_addresses = split_header(get_header('REMOTE_ADDR'))
+      forwarded_for = self.forwarded_for || []
+
+      # Select only the trusted prefix of REMOTE_ADDR + X_HTTP_FORWARDED_FOR
+      trusted_proxies = (remote_addresses + forwarded_for.reverse).take_while do |ip|
+        trusted_proxy?(ip)
+      end
+
+      trusted_proxies.any? do |ip|
+        cloudflare_ip?(ip)
+      end
     end
   end
 end

data/lib/cloudflare_rails/importer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'net/http'
 require 'uri'
 
@@ -19,9 +21,9 @@ module CloudflareRails
       end
     end
 
-    BASE_URL = 'https://www.cloudflare.com'.freeze
-    IPS_V4_URL = '/ips-v4/'.freeze
-    IPS_V6_URL = '/ips-v6/'.freeze
+    BASE_URL = 'https://www.cloudflare.com'
+    IPS_V4_URL = '/ips-v4/'
+    IPS_V6_URL = '/ips-v6/'
 
     class << self
       def ips_v6

data/lib/cloudflare_rails/railtie.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_support/core_ext/integer/time'
 
 module CloudflareRails

data/lib/cloudflare_rails/remote_ip_proxies.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CloudflareRails
   # patch ActionDispatch::RemoteIP to use our cloudflare ips - this way
   # request.remote_ip is correct inside of rails

data/lib/cloudflare_rails/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CloudflareRails
-  VERSION = '6.0.0'.freeze
+  VERSION = '6.2.0'
 end

data/lib/cloudflare_rails.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'zeitwerk'
 loader = Zeitwerk::Loader.for_gem
 loader.ignore("#{__dir__}/cloudflare-rails.rb")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cloudflare-rails
 version: !ruby/object:Gem::Version
-  version: 6.0.0
+  version: 6.2.0
 platform: ruby
 authors:
 - jonathan schatz
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-06-13 00:00:00.000000000 Z
+date: 2024-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -94,104 +94,90 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.13.0
-- !ruby/object:Gem::Dependency
-  name: rspec_junit_formatter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.0
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 7.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.2
+        version: 7.0.1
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.64.1
+        version: 1.66.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.64.1
+        version: 1.66.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.21.0
+        version: 1.22.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.21.0
+        version: 1.22.1
 - !ruby/object:Gem::Dependency
   name: rubocop-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.25.0
+        version: 2.26.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.25.0
+        version: 2.26.1
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.26.1
+        version: 3.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.26.1
+        version: 3.1.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.23.1
+        version: 3.24.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.23.1
+        version: 3.24.0
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement