faraday-restrict-ip-addresses 0.0.1 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +7 -7
- data/lib/faraday/restrict_ip_addresses.rb +21 -1
- data/spec/restrict_ip_addresses_spec.rb +28 -6
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9f59a971b3f267be404539a95d9b7feda50211b7
|
|
4
|
+
data.tar.gz: f85376e90f9fb7ff8b483e176afb2884a3010db3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9b97db3e5b0a806db906853175767c7a92c0c28e39af3a4606d4d0d6654bbff1d1479c38db8f87c2dab5e533e58b491219e6f9d4909db112e324700de2acfc6d
|
|
7
|
+
data.tar.gz: 46e04a74e074757bebbfef126d24deb0bcf05ee42467bbc0f66ac68ae381e4de84a85ed32763d6fea6a7eff78ffb5b2fceca51d907f76b10e30d4a140f4ab976
|
data/README.md
CHANGED
|
@@ -2,9 +2,11 @@ Faraday::RestrictIPAddresses
|
|
|
2
2
|
============================
|
|
3
3
|
|
|
4
4
|
Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers
|
|
5
|
-
for RFC 1918 networks and localhost.
|
|
5
|
+
for RFC 1918 networks, RFC 6890 networks, and localhost.
|
|
6
6
|
|
|
7
|
-
System DNS facilities are used, so lookups should be cached
|
|
7
|
+
System DNS facilities are used, so lookups should be cached instead of making
|
|
8
|
+
another request. Addresses are invalid if a host has has at least one invalid
|
|
9
|
+
DNS entry.
|
|
8
10
|
|
|
9
11
|
Usage
|
|
10
12
|
=====
|
|
@@ -12,8 +14,8 @@ Usage
|
|
|
12
14
|
```ruby
|
|
13
15
|
faraday = Faraday.new do |builder|
|
|
14
16
|
builder.request :url_encoded
|
|
15
|
-
builder.use :restrict_ip_addresses,
|
|
16
|
-
allow_localhost: true
|
|
17
|
+
builder.use :restrict_ip_addresses, deny_rfc6890: true,
|
|
18
|
+
allow_localhost: true,
|
|
17
19
|
deny: ['8.0.0.0/8',
|
|
18
20
|
'224.0.0.0/7'],
|
|
19
21
|
allow: ['192.168.0.0/24']
|
|
@@ -23,7 +25,7 @@ end
|
|
|
23
25
|
faraday.get 'http://www.badgerbadgerbadger.com' # 150.0.0.150 or something
|
|
24
26
|
# => cool
|
|
25
27
|
|
|
26
|
-
faraday.get 'http://malicious-callback.com # 172.0.0.150, maybe a secret internal server? Maybe not?
|
|
28
|
+
faraday.get 'http://malicious-callback.com' # 172.0.0.150, maybe a secret internal server? Maybe not?
|
|
27
29
|
# => raises Faraday::RestrictIPAddresses::AddressNotAllowed
|
|
28
30
|
```
|
|
29
31
|
|
|
@@ -40,5 +42,3 @@ Dat @bhuga with shoutouts to @mastahyeti's [gist.](https://gist.github.com/masta
|
|
|
40
42
|
#### UNLICENSE
|
|
41
43
|
|
|
42
44
|
It's right there.
|
|
43
|
-
|
|
44
|
-
|
|
@@ -4,7 +4,7 @@ require 'ipaddr'
|
|
|
4
4
|
module Faraday
|
|
5
5
|
class RestrictIPAddresses < Faraday::Middleware
|
|
6
6
|
class AddressNotAllowed < Faraday::Error::ClientError ; end
|
|
7
|
-
VERSION = '0.0.
|
|
7
|
+
VERSION = '0.0.2'
|
|
8
8
|
|
|
9
9
|
RFC_1918_NETWORKS = %w(
|
|
10
10
|
127.0.0.0/8
|
|
@@ -13,12 +13,32 @@ module Faraday
|
|
|
13
13
|
192.168.0.0/16
|
|
14
14
|
).map { |net| IPAddr.new(net) }
|
|
15
15
|
|
|
16
|
+
RFC_6890_NETWORKS = RFC_1918_NETWORKS + [
|
|
17
|
+
'0.0.0.0/8', # "This" Network [RFC1700, page 4]
|
|
18
|
+
'100.64.0.0/10', # Shared address space [6598, 6890]
|
|
19
|
+
#'128.0.0.0/16', # Reserved in 3330, not in 6890, has been assigned
|
|
20
|
+
'169.254.0.0/16', # Link Local [3927, 6890]
|
|
21
|
+
# '191.255.0.0/16' # Reserved in 3330, not in 6890, has been assigned
|
|
22
|
+
'192.0.0.0/24', # Reserved but subject to allocation [6890]
|
|
23
|
+
'192.0.0.0/29', # DS-Lite [6333, 6890]. Redundant with above, included for completeness.
|
|
24
|
+
'192.0.2.0/24', # Documentation [5737, 6890]
|
|
25
|
+
'192.88.99.0/24', # 6to4 Relay Anycast [3068, 6890]
|
|
26
|
+
'198.18.0.0/15', # Network Interconnect Device Benchmark Testing [2544, 6890]
|
|
27
|
+
'198.51.100.0/24', # Documentation [5737, 6890]
|
|
28
|
+
'203.0.113.0/24', # Documentation [5737, 6890]
|
|
29
|
+
'224.0.0.0/4', # Multicast [11112]
|
|
30
|
+
'240.0.0.0/4', # Reserved for Future Use [6890]
|
|
31
|
+
'255.255.255.255/32' # Reserved for Future Use [6890]
|
|
32
|
+
].map { |net| IPAddr.new(net) }
|
|
33
|
+
|
|
16
34
|
def initialize(app, options = {})
|
|
17
35
|
super(app)
|
|
18
36
|
@denied_networks = (options[:deny] || []).map { |n| IPAddr.new(n) }
|
|
19
37
|
@allowed_networks = (options[:allow] || []).map { |n| IPAddr.new(n) }
|
|
20
38
|
|
|
21
39
|
@denied_networks += RFC_1918_NETWORKS if options[:deny_rfc1918]
|
|
40
|
+
@denied_networks += RFC_6890_NETWORKS if options[:deny_rfc6890]
|
|
41
|
+
@denied_networks.uniq!
|
|
22
42
|
@allowed_networks += [IPAddr.new('127.0.0.1')] if options[:allow_localhost]
|
|
23
43
|
end
|
|
24
44
|
|
|
@@ -6,18 +6,24 @@ describe Faraday::RestrictIPAddresses do
|
|
|
6
6
|
@rip = described_class.new(lambda{|env| env}, opts)
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
-
def allowed(
|
|
9
|
+
def allowed(*addresses)
|
|
10
10
|
url = URI.parse("http://test.com")
|
|
11
|
-
|
|
11
|
+
ips = addresses.map { |add| IPAddr.new(add).hton }
|
|
12
12
|
|
|
13
|
-
Socket
|
|
13
|
+
# Socket returns a bunch of other stuff with gethostbyname. ipv6 addresses,
|
|
14
|
+
# other socket information, whatever. We ignore it all internally and return
|
|
15
|
+
# only valid ipv4 addresses, so just append what we're checking to some
|
|
16
|
+
# garbage data like we expect.
|
|
17
|
+
return_addresses = ['garbage', [], 30]
|
|
18
|
+
return_addresses += ips
|
|
19
|
+
Socket.expects(:gethostbyname).with(url.host).returns(return_addresses)
|
|
14
20
|
|
|
15
21
|
env = { url: url }
|
|
16
22
|
@rip.call(env)
|
|
17
23
|
end
|
|
18
24
|
|
|
19
|
-
def denied(
|
|
20
|
-
expect(-> { allowed(
|
|
25
|
+
def denied(*addresses)
|
|
26
|
+
expect(-> { allowed(*addresses) }).to raise_error(Faraday::RestrictIPAddresses::AddressNotAllowed)
|
|
21
27
|
end
|
|
22
28
|
|
|
23
29
|
it "defaults to allowing everything" do
|
|
@@ -34,6 +40,14 @@ describe Faraday::RestrictIPAddresses do
|
|
|
34
40
|
denied '8.0.0.1'
|
|
35
41
|
end
|
|
36
42
|
|
|
43
|
+
it "disallows addresses when any IP address is disallowed" do
|
|
44
|
+
middleware deny: ["8.0.0.0/8"]
|
|
45
|
+
|
|
46
|
+
denied '10.0.0.10', '8.8.8.8'
|
|
47
|
+
allowed '10.0.0.10'
|
|
48
|
+
denied '10.0.0.10', '8.8.8.8'
|
|
49
|
+
end
|
|
50
|
+
|
|
37
51
|
it "blacklists RFC1918 addresses" do
|
|
38
52
|
middleware deny_rfc1918: true
|
|
39
53
|
|
|
@@ -43,6 +57,15 @@ describe Faraday::RestrictIPAddresses do
|
|
|
43
57
|
denied '10.0.0.252'
|
|
44
58
|
end
|
|
45
59
|
|
|
60
|
+
it "blacklists RFC6890 addresses" do
|
|
61
|
+
middleware deny_rfc6890: true
|
|
62
|
+
|
|
63
|
+
allowed '5.5.5.5'
|
|
64
|
+
denied '240.15.15.15'
|
|
65
|
+
denied '192.168.15.55'
|
|
66
|
+
denied '10.0.0.252'
|
|
67
|
+
end
|
|
68
|
+
|
|
46
69
|
it "allows exceptions to disallowed addresses" do
|
|
47
70
|
middleware deny_rfc1918: true,
|
|
48
71
|
allow: ["192.168.0.0/24"]
|
|
@@ -70,4 +93,3 @@ describe Faraday::RestrictIPAddresses do
|
|
|
70
93
|
end
|
|
71
94
|
|
|
72
95
|
end
|
|
73
|
-
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: faraday-restrict-ip-addresses
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ben Lavender
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-03-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: faraday
|