cloudflare-rails 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4af88462102fa96a7026865456538d3273dbed25b27571be2a1ff35d85a571d0
-  data.tar.gz: d0822418ace7ea370d89465cfae344ee03915bde1cd1fa6509474608f2262c30
+  metadata.gz: 947c819ded7dcefcfabf3ce7d6b81dd24d55e39dfbe710b4135b796b44a37f04
+  data.tar.gz: f893a0c8a4d9bcc50f4008414a48cbf8d3180bb99d000a9b47dd800ba63c28b8
 SHA512:
-  metadata.gz: cb376a89e2afe44c37d7dcacfa983ed7654d9be50aab5a110527003d3433a75935ed0988cea31a4b90dd6c9bbef99ee6ff080de548fe40ad511c422e1972684e
-  data.tar.gz: 16fed68fb3b86e05da7317208544bb26b51271848e93b159db064ec220264f2e8efae9de0e1fd6ad9063ed572364155e73f26860586738abb66c243a5d55dfbc
+  metadata.gz: 74931a1f34f4501b5935d749d7965a3b3d95f1448d9869143674f14898cb4cc4616354ae350d1f81a0476682a6b6195a80115e9977bb39bf66d57ca06b0ec3bc
+  data.tar.gz: 7d8bd03f0cf4d724159261fab46fe0054f1b57ea0036071abc62e0de8c1e0ce04a44101d4b8e3730a512329795ecad6195996dd1d2e75a48bd8aff3b56763679

data/.circleci/config.yml

@@ -7,12 +7,7 @@ jobs:
   build:
     docker:
       # specify the version you desire here
-       - image: circleci/ruby:2.5.1
-
-      # Specify service dependencies here if necessary
-      # CircleCI maintains a library of pre-built images
-      # documented at https://circleci.com/docs/2.0/circleci-images/
-      # - image: circleci/postgres:9.4
+      - image: circleci/ruby:2.6.3
 
     working_directory: ~/repo
 
@@ -40,18 +35,10 @@ jobs:
       - run:
           name: run tests
           command: |
-            mkdir /tmp/test-results
-            TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | circleci tests split --split-by=timings)"
-
-            bundle exec rspec --format progress \
-                            --format RspecJunitFormatter \
-                            --out /tmp/test-results/rspec.xml \
-                            --format progress \
-                            $TEST_FILES
-
+            bundle exec rake
       # collect reports
       - store_test_results:
-          path: /tmp/test-results
+          path: tmp/rspec
       - store_artifacts:
-          path: /tmp/test-results
+          path: tmp/rspec
           destination: test-results

data/.gitignore

@@ -10,3 +10,4 @@
 /log/
 .ruby-gemset
 .ruby-version
+.DS_Store

data/.rspec

@@ -1,2 +1,4 @@
---format p
+--format d
 --color
+--format RspecJunitFormatter
+--out tmp/rspec/rspec<%= ENV["RACK_ATTACK"]  ? '-rack-attack' : '' %>.xml

data/README.md

@@ -23,9 +23,14 @@ And then execute:
 
     $ bundle
 
-## Usage
+## Problem
+
+Using Cloudflare means it's hard to identify the IP address of incoming requests since all requests are proxied through Cloudflare's infrastructure. Cloudflare provides a [CF-Connecting-IP](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) header which can be used to identify the originating IP address of a request. However, this header alone doesn't verify a request is legitimate. If an attacker has found the actual IP address of your server they could spoof this header and masquerade as legitimate traffic. 
 
-This code will fetch CloudFlare's current [IPv4](https://www.cloudflare.com/ips-v4) and [IPv6](https://www.cloudflare.com/ips-v6) lists, store them in `Rails.cache`, and add them to `config.cloudflare.ips`.
+`cloudflare-rails` mitigates this attack by checking that the originating ip address of any incoming connecting is from one of Cloudflare's ip address ranges. If so, the incoming `X-Forwarded-For` header is trusted and used as the ip address provided to `rack` and `rails` (via `request.ip` and `request.remote_ip`). If the incoming connection does not originate from a Cloudflare server then the `X-Forwarded-For` header is ignored and the actual remote ip address is used.
+
+## Usage
+This code will fetch CloudFlare's current [IPv4](https://www.cloudflare.com/ips-v4) and [IPv6](https://www.cloudflare.com/ips-v6) lists, store them in `Rails.cache`, and add them to `config.cloudflare.ips`. The `X-Forwarded-For` header will then be trusted only from those ip addresses. 
 
 You can configure the HTTP `timeout` and `expires_in` cache parameters inside of your rails config:
 ```

data/Rakefile

@@ -3,4 +3,16 @@ require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task :without_rack_attack do
+  ENV.delete 'RACK_ATTACK'
+  Rake::Task["spec"].reenable
+  Rake::Task["spec"].invoke
+end
+
+task :with_rack_attack do
+  ENV['RACK_ATTACK'] = '1'
+  Rake::Task["spec"].reenable
+  Rake::Task["spec"].invoke
+end
+
+task :default => [:without_rack_attack, :with_rack_attack]

data/cloudflare-rails.gemspec

@@ -23,15 +23,16 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 1.10"
   spec.add_development_dependency "rake", "~> 12.3.1"
   spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
-  spec.add_development_dependency "rspec-rails", "~> 3.7.2"
-  spec.add_development_dependency "rspec", "~> 3.7.0"
-  spec.add_development_dependency "rubocop-airbnb", "~> 1.0.0"
-  spec.add_development_dependency "webmock", "~> 3.4.2"
+  spec.add_development_dependency "rspec-rails", "~> 3.8.2"
+  spec.add_development_dependency "rspec", "~> 3.8.0"
+  spec.add_development_dependency "rubocop-airbnb", "~> 2.0.0"
+  spec.add_development_dependency "webmock", "~> 3.6.0"
+  spec.add_development_dependency "rack-attack", "~> 6.1.0"
+  spec.add_development_dependency "pry-byebug"
 
   spec.add_dependency "httparty"
   spec.add_dependency "rails", "~> 5.0"
 
-
   # we need Module#prepend
   spec.required_ruby_version = '>= 2.0'
 end

data/lib/cloudflare/rails/railtie.rb

@@ -13,6 +13,13 @@ module Cloudflare
 
       Rack::Request::Helpers.prepend CheckTrustedProxies
 
+      # rack-attack Rack::Request before the above is run, so if rack-attack is loaded we need to
+      # prepend our module there as well, see:
+      # https://github.com/kickstarter/rack-attack/blob/4fc4d79c9d2697ec21263109af23f11ea93a23ce/lib/rack/attack/request.rb
+      if defined? Rack::Attack::Request
+        Rack::Attack::Request.prepend CheckTrustedProxies
+      end
+
       # patch ActionDispatch::RemoteIP to use our cloudflare ips - this way
       # request.remote_ip is correct inside of rails
       module RemoteIpProxies
@@ -81,7 +88,7 @@ module Cloudflare
             ::Rails.application.config.cloudflare.ips += Importer.fetch_with_cache(type)
           rescue Importer::ResponseError => e
             ::Rails.logger.error "Cloudflare::Rails: Couldn't import #{type} blocks from CloudFlare: #{e.response}"
-          rescue => e
+          rescue StandardError => e
             ::Rails.logger.error "Cloudflare::Rails: Got exception: #{e} for type:#{type}"
           end
         end

data/lib/cloudflare/rails/version.rb

@@ -1,5 +1,5 @@
 module Cloudflare
   module Rails
-    VERSION = "0.4.0".freeze
+    VERSION = "0.5.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cloudflare-rails
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - jonathan schatz
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-06-05 00:00:00.000000000 Z
+date: 2019-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -58,56 +58,84 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.2
+        version: 3.8.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.2
+        version: 3.8.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.0
 - !ruby/object:Gem::Dependency
   name: rubocop-airbnb
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 2.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.2
+        version: 3.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.2
+        version: 3.6.0
+- !ruby/object:Gem::Dependency
+  name: rack-attack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.1.0
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: httparty
   requirement: !ruby/object:Gem::Requirement
@@ -179,8 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.4
 signing_key: 
 specification_version: 4
 summary: This gem configures Rails for CloudFlare so that request.ip and request.remote_ip