faraday-restrict-ip-addresses 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 62485d16c4a53ef8a30e2b940b858dc44e8077bd
+  data.tar.gz: 35a0b0937db1175f7d2eaaa0c4b16271b2f85283
+SHA512:
+  metadata.gz: 531fae725622bc033b69d27973ebfd4bc151f7626fe8c1da52c075bd5382323c081acc1dbd79e8e28c3c9729fe7fdd9f9d790286a8c975243cef5b903b7909d9
+  data.tar.gz: d38b0a07810abc7065bf0fe37e3643d0daa712af6630a9b9b911ac69b07a39ce1c83295ff3a2c646912b0cb5206ff3b1cafadcbd04cfda33dc2da5538065d5a4

data/README.md

@@ -0,0 +1,44 @@
+Faraday::RestrictIPAddresses
+============================
+
+Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers
+for RFC 1918 networks and localhost.
+
+System DNS facilities are used, so lookups should be cached.
+
+Usage
+=====
+
+```ruby
+faraday = Faraday.new do |builder|
+  builder.request :url_encoded
+  builder.use     :restrict_ip_addresses, deny_rfc1918: true,
+                                          allow_localhost: true
+                                          deny: ['8.0.0.0/8',
+                                                 '224.0.0.0/7'],
+                                          allow: ['192.168.0.0/24']
+  builder.adapter Faraday.default_adapter
+end
+
+faraday.get 'http://www.badgerbadgerbadger.com' # 150.0.0.150 or something
+# => cool
+
+faraday.get 'http://malicious-callback.com      # 172.0.0.150, maybe a secret internal server? Maybe not?
+# => raises Faraday::RestrictIPAddresses::AddressNotAllowed
+```
+
+Permit/denied order is:
+
+ * All addresses are allowed, except
+ * Addresses that are denied, except
+ * Addresses that are allowed.
+
+#### Author
+
+Dat @bhuga with shoutouts to @mastahyeti's [gist.](https://gist.github.com/mastahyeti/8497793)
+
+#### UNLICENSE
+
+It's right there.
+
+

data/UNLICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>

data/faraday-restrict-ip-addresses.gemspec

@@ -0,0 +1,20 @@
+require_relative 'lib/faraday/restrict_ip_addresses'
+
+Gem::Specification.new do |spec|
+  spec.add_dependency 'faraday', ['>= 0.8', '< 0.9']
+  spec.add_development_dependency 'bundler', '~> 1.0'
+  spec.authors = ["Ben Lavender"]
+  spec.description = %q{Restrict the IP addresses Faraday will connect to}
+  spec.email = ['bhuga@github.com']
+  spec.files = %w(UNLICENSE README.md faraday-restrict-ip-addresses.gemspec)
+  spec.files += Dir.glob("lib/**/*.rb")
+  spec.files += Dir.glob("spec/**/*")
+  spec.homepage = 'https://github.com/bhuga/faraday-restrict-ip-addresses'
+  spec.licenses = ['Unlicense']
+  spec.name = 'faraday-restrict-ip-addresses'
+  spec.require_paths = ['lib']
+  spec.required_rubygems_version = '>= 1.3.5'
+  spec.summary = spec.description
+  spec.test_files += Dir.glob("spec/**/*")
+  spec.version = Faraday::RestrictIPAddresses::VERSION
+end

data/lib/faraday/restrict_ip_addresses.rb

@@ -0,0 +1,48 @@
+require 'faraday'
+require 'ipaddr'
+
+module Faraday
+  class RestrictIPAddresses < Faraday::Middleware
+    class AddressNotAllowed < Faraday::Error::ClientError ; end
+    VERSION = '0.0.1'
+
+    RFC_1918_NETWORKS = %w(
+      127.0.0.0/8
+      10.0.0.0/8
+      172.16.0.0/12
+      192.168.0.0/16
+    ).map { |net| IPAddr.new(net) }
+
+    def initialize(app, options = {})
+      super(app)
+      @denied_networks   = (options[:deny] || []).map  { |n| IPAddr.new(n) }
+      @allowed_networks  = (options[:allow] || []).map { |n| IPAddr.new(n) }
+
+      @denied_networks += RFC_1918_NETWORKS if options[:deny_rfc1918]
+      @allowed_networks += [IPAddr.new('127.0.0.1')] if options[:allow_localhost]
+    end
+
+    def call(env)
+      raise AddressNotAllowed.new "Address not allowed for #{env[:url]}" if denied?(env)
+      @app.call(env)
+    end
+
+    def denied?(env)
+      addresses(env[:url].host).any? { |a| denied_ip?(a) }
+    end
+
+    def denied_ip?(address)
+      @denied_networks.any? { |net| net.include?(address) and !allowed_ip?(address) }
+    end
+
+    def allowed_ip?(address)
+      @allowed_networks.any? { |net| net.include? address }
+    end
+
+    def addresses(hostname)
+      Socket.gethostbyname(hostname).map { |a| IPAddr.new_ntoh(a) rescue nil }.compact
+    end
+  end
+
+  register_middleware restrict_ip_addresses: lambda { RestrictIPAddresses }
+end

data/spec/restrict_ip_addresses_spec.rb

@@ -0,0 +1,73 @@
+require 'faraday/restrict_ip_addresses'
+require 'spec_helper'
+
+describe Faraday::RestrictIPAddresses do
+  def middleware(opts = {})
+    @rip = described_class.new(lambda{|env| env}, opts)
+  end
+
+  def allowed(string_address)
+    url = URI.parse("http://test.com")
+    ip  = IPAddr.new(string_address).hton
+
+    Socket.expects(:gethostbyname).with(url.host).returns(['garbage', [], 30, ip])
+
+    env = { url: url }
+    @rip.call(env)
+  end
+
+  def denied(string_address)
+    expect(-> { allowed(string_address) }).to raise_error(Faraday::RestrictIPAddresses::AddressNotAllowed)
+  end
+
+    it "defaults to allowing everything" do
+      middleware
+
+      allowed '10.0.0.10'
+      allowed '255.255.255.255'
+    end
+
+    it "allows disallowing addresses" do
+      middleware deny: ["8.0.0.0/8"]
+
+      allowed '7.255.255.255'
+      denied  '8.0.0.1'
+    end
+
+    it "blacklists RFC1918 addresses" do
+      middleware deny_rfc1918: true
+
+      allowed '5.5.5.5'
+      denied  '127.0.0.1'
+      denied  '192.168.15.55'
+      denied  '10.0.0.252'
+    end
+
+    it "allows exceptions to disallowed addresses" do
+      middleware deny_rfc1918: true,
+                 allow: ["192.168.0.0/24"]
+
+      allowed '192.168.0.15'
+      denied  '192.168.1.0'
+    end
+
+    it "has an allow_localhost exception" do
+      middleware deny_rfc1918: true,
+                 allow_localhost: true
+      denied  '192.168.0.15'
+      allowed '127.0.0.1'
+      denied  '127.0.0.5'
+    end
+
+    it "lets you mix and match your denied networks" do
+      middleware deny_rfc1918: true,
+                 deny: ['8.0.0.0/8'],
+                 allow: ['8.5.0.0/24', '192.168.14.0/24']
+      allowed '8.5.0.15'
+      allowed '192.168.14.14'
+      denied  '8.8.8.8'
+      denied  '192.168.13.14'
+    end
+
+end
+

data/spec/spec_helper.rb

@@ -0,0 +1,5 @@
+Bundler.require
+$:.unshift 'lib'
+require 'faraday/restrict_ip_addresses'
+require 'pry'
+require 'mocha/mini_test'

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: faraday-restrict-ip-addresses
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Ben Lavender
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-01-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: Restrict the IP addresses Faraday will connect to
+email:
+- bhuga@github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- UNLICENSE
+- faraday-restrict-ip-addresses.gemspec
+- lib/faraday/restrict_ip_addresses.rb
+- spec/restrict_ip_addresses_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/bhuga/faraday-restrict-ip-addresses
+licenses:
+- Unlicense
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.3.5
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.0
+signing_key: 
+specification_version: 4
+summary: Restrict the IP addresses Faraday will connect to
+test_files:
+- spec/restrict_ip_addresses_spec.rb
+- spec/spec_helper.rb