faraday-restrict-ip-addresses 0.0.1 → 0.0.2
- checksums.yaml +4 -4
- data/README.md +7 -7
- data/lib/faraday/restrict_ip_addresses.rb +21 -1
- data/spec/restrict_ip_addresses_spec.rb +28 -6
- metadata +2 -2
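--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9f59a971b3f267be404539a95d9b7feda50211b7
+data.tar.gz: f85376e90f9fb7ff8b483e176afb2884a3010db3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9b97db3e5b0a806db906853175767c7a92c0c28e39af3a4606d4d0d6654bbff1d1479c38db8f87c2dab5e533e58b491219e6f9d4909db112e324700de2acfc6d
+data.tar.gz: 46e04a74e074757bebbfef126d24deb0bcf05ee42467bbc0f66ac68ae381e4de84a85ed32763d6fea6a7eff78ffb5b2fceca51d907f76b10e30d4a140f4ab976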
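--- a/data/README.md
+++ b/data/README.md
@@ -2,9 +2,11 @@ Faraday::RestrictIPAddresses
 ============================
 
 Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers
-for RFC 1918 networks and localhost.
+for RFC 1918 networks, RFC 6890 networks, and localhost.
 
-System DNS facilities are used, so lookups should be cached
+System DNS facilities are used, so lookups should be cached instead of making
+another request. Addresses are invalid if a host has has at least one invalid
+DNS entry.
 
 Usage
 =====
@@ -12,8 +14,8 @@ Usage
 ```ruby
 faraday = Faraday.new do |builder|
 builder.request :url_encoded
-builder.use :restrict_ip_addresses,
-allow_localhost: true
+builder.use :restrict_ip_addresses, deny_rfc6890: true,
+allow_localhost: true,
 deny: ['8.0.0.0/8',
 '224.0.0.0/7'],
 allow: ['192.168.0.0/24']
@@ -23,7 +25,7 @@ end
 faraday.get 'http://www.badgerbadgerbadger.com' # 150.0.0.150 or something
 # => cool
 
-faraday.get 'http://malicious-callback.com # 172.0.0.150, maybe a secret internal server? Maybe not?
+faraday.get 'http://malicious-callback.com' # 172.0.0.150, maybe a secret internal server? Maybe not?
 # => raises Faraday::RestrictIPAddresses::AddressNotAllowed
 ```
 
@@ -40,5 +42,3 @@ Dat @bhuga with shoutouts to @mastahyeti's [gist.](https://gist.github.com/masta
 #### UNLICENSE
 
 It's right there.
-
-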
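--- a/data/lib/faraday/restrict_ip_addresses.rb
+++ b/data/lib/faraday/restrict_ip_addresses.rb
@@ -4,7 +4,7 @@ require 'ipaddr'
 module Faraday
 class RestrictIPAddresses < Faraday::Middleware
 class AddressNotAllowed < Faraday::Error::ClientError ; end
-VERSION = '0.0.
+VERSION = '0.0.2'
 
 RFC_1918_NETWORKS = %w(
 127.0.0.0/8
@@ -13,12 +13,32 @@ module Faraday
 192.168.0.0/16
 ).map { |net| IPAddr.new(net) }
 
+RFC_6890_NETWORKS = RFC_1918_NETWORKS + [
+'0.0.0.0/8', # "This" Network [RFC1700, page 4]
+'100.64.0.0/10', # Shared address space [6598, 6890]
+#'128.0.0.0/16', # Reserved in 3330, not in 6890, has been assigned
+'169.254.0.0/16', # Link Local [3927, 6890]
+# '191.255.0.0/16' # Reserved in 3330, not in 6890, has been assigned
+'192.0.0.0/24', # Reserved but subject to allocation [6890]
+'192.0.0.0/29', # DS-Lite [6333, 6890]. Redundant with above, included for completeness.
+'192.0.2.0/24', # Documentation [5737, 6890]
+'192.88.99.0/24', # 6to4 Relay Anycast [3068, 6890]
+'198.18.0.0/15', # Network Interconnect Device Benchmark Testing [2544, 6890]
+'198.51.100.0/24', # Documentation [5737, 6890]
+'203.0.113.0/24', # Documentation [5737, 6890]
+'224.0.0.0/4', # Multicast [11112]
+'240.0.0.0/4', # Reserved for Future Use [6890]
+'255.255.255.255/32' # Reserved for Future Use [6890]
+].map { |net| IPAddr.new(net) }
+
 def initialize(app, options = {})
 super(app)
 @denied_networks = (options[:deny] || []).map { |n| IPAddr.new(n) }
 @allowed_networks = (options[:allow] || []).map { |n| IPAddr.new(n) }
 
 @denied_networks += RFC_1918_NETWORKS if options[:deny_rfc1918]
+@denied_networks += RFC_6890_NETWORKS if options[:deny_rfc6890]
+@denied_networks.uniq!
 @allowed_networks += [IPAddr.new('127.0.0.1')] if options[:allow_localhost]
 end
 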
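Review bot: `RFC_6890_NETWORKS` holds only IPv4 prefixes, although RFC 6890 also registers IPv6 special-purpose blocks, so `deny_rfc6890: true` reads as broader than what it actually denies. The spec comment in this release says IPv6 results from the resolver are ignored, so a host reachable over IPv6 may not be checked at all; the lookup code is outside this hunk and worth confirming. I would add a comment above the constant, `# IPv4 special-purpose blocks only; IPv6 ranges such as ::1/128, fc00::/7 and fe80::/10 are not covered`, or extend the list once the lookup handles IPv6. The labels also need a pass: `[11112]` is presumably RFC 1112, and RFC 6890 lists `255.255.255.255/32` as Limited Broadcast rather than Reserved for Future Use.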
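--- a/data/spec/restrict_ip_addresses_spec.rb
+++ b/data/spec/restrict_ip_addresses_spec.rb
@@ -6,18 +6,24 @@ describe Faraday::RestrictIPAddresses do
 @rip = described_class.new(lambda{|env| env}, opts)
 end
 
-def allowed(
+def allowed(*addresses)
 url = URI.parse("http://test.com")
-
+ips = addresses.map { |add| IPAddr.new(add).hton }
 
-Socket
+# Socket returns a bunch of other stuff with gethostbyname. ipv6 addresses,
+# other socket information, whatever. We ignore it all internally and return
+# only valid ipv4 addresses, so just append what we're checking to some
+# garbage data like we expect.
+return_addresses = ['garbage', [], 30]
+return_addresses += ips
+Socket.expects(:gethostbyname).with(url.host).returns(return_addresses)
 
 env = { url: url }
 @rip.call(env)
 end
 
-def denied(
-expect(-> { allowed(
+def denied(*addresses)
+expect(-> { allowed(*addresses) }).to raise_error(Faraday::RestrictIPAddresses::AddressNotAllowed)
 end
 
 it "defaults to allowing everything" do
@@ -34,6 +40,14 @@ describe Faraday::RestrictIPAddresses do
 denied '8.0.0.1'
 end
 
+it "disallows addresses when any IP address is disallowed" do
+middleware deny: ["8.0.0.0/8"]
+
+denied '10.0.0.10', '8.8.8.8'
+allowed '10.0.0.10'
+denied '10.0.0.10', '8.8.8.8'
+end
+
 it "blacklists RFC1918 addresses" do
 middleware deny_rfc1918: true
 
@@ -43,6 +57,15 @@ describe Faraday::RestrictIPAddresses do
 denied '10.0.0.252'
 end
 
+it "blacklists RFC6890 addresses" do
+middleware deny_rfc6890: true
+
+allowed '5.5.5.5'
+denied '240.15.15.15'
+denied '192.168.15.55'
+denied '10.0.0.252'
+end
+
 it "allows exceptions to disallowed addresses" do
 middleware deny_rfc1918: true,
 allow: ["192.168.0.0/24"]
@@ -70,4 +93,3 @@ describe Faraday::RestrictIPAddresses do
 end
 
 end
-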
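Review bot: In "disallows addresses when any IP address is disallowed" the first and third assertions are the same line, `denied '10.0.0.10', '8.8.8.8'`, so the case where the denied address comes first in the resolver result is never exercised. Changing the last one to `denied '8.8.8.8', '10.0.0.10'` would pin that the check does not depend on the order of the returned addresses. The RFC 6890 example also probes only `240.15.15.15` from the newly added prefixes; adding one address from a few more of them, such as `denied '169.254.0.1'` and `denied '100.64.0.1'`, would catch a mistyped prefix in the list.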
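--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: faraday-restrict-ip-addresses
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.2
 platform: ruby
 authors:
 - Ben Lavender
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-03-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: faraday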