faraday-restrict-ip-addresses 0.0.1 → 0.0.2

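--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 62485d16c4a53ef8a30e2b940b858dc44e8077bd
- data.tar.gz: 35a0b0937db1175f7d2eaaa0c4b16271b2f85283
+ metadata.gz: 9f59a971b3f267be404539a95d9b7feda50211b7
+ data.tar.gz: f85376e90f9fb7ff8b483e176afb2884a3010db3
  SHA512:
- metadata.gz: 531fae725622bc033b69d27973ebfd4bc151f7626fe8c1da52c075bd5382323c081acc1dbd79e8e28c3c9729fe7fdd9f9d790286a8c975243cef5b903b7909d9
- data.tar.gz: d38b0a07810abc7065bf0fe37e3643d0daa712af6630a9b9b911ac69b07a39ce1c83295ff3a2c646912b0cb5206ff3b1cafadcbd04cfda33dc2da5538065d5a4
+ metadata.gz: 9b97db3e5b0a806db906853175767c7a92c0c28e39af3a4606d4d0d6654bbff1d1479c38db8f87c2dab5e533e58b491219e6f9d4909db112e324700de2acfc6d
+ data.tar.gz: 46e04a74e074757bebbfef126d24deb0bcf05ee42467bbc0f66ac68ae381e4de84a85ed32763d6fea6a7eff78ffb5b2fceca51d907f76b10e30d4a140f4ab976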
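--- a/data/README.md
+++ b/data/README.md
@@ -2,9 +2,11 @@ Faraday::RestrictIPAddresses
  ============================
 
  Prevent Faraday from hitting an arbitrary list of IP addresses, with helpers
- for RFC 1918 networks and localhost.
+ for RFC 1918 networks, RFC 6890 networks, and localhost.
 
- System DNS facilities are used, so lookups should be cached.
+ System DNS facilities are used, so lookups should be cached instead of making
+ another request. Addresses are invalid if a host has has at least one invalid
+ DNS entry.
 
  Usage
  =====
@@ -12,8 +14,8 @@ Usage
  ```ruby
  faraday = Faraday.new do |builder|
  builder.request :url_encoded
- builder.use :restrict_ip_addresses, deny_rfc1918: true,
- allow_localhost: true
+ builder.use :restrict_ip_addresses, deny_rfc6890: true,
+ allow_localhost: true,
  deny: ['8.0.0.0/8',
  '224.0.0.0/7'],
  allow: ['192.168.0.0/24']
@@ -23,7 +25,7 @@ end
  faraday.get 'http://www.badgerbadgerbadger.com' # 150.0.0.150 or something
  # => cool
 
- faraday.get 'http://malicious-callback.com # 172.0.0.150, maybe a secret internal server? Maybe not?
+ faraday.get 'http://malicious-callback.com' # 172.0.0.150, maybe a secret internal server? Maybe not?
  # => raises Faraday::RestrictIPAddresses::AddressNotAllowed
  ```
 
@@ -40,5 +42,3 @@ Dat @bhuga with shoutouts to @mastahyeti's [gist.](https://gist.github.com/masta
  #### UNLICENSE
 
  It's right there.
-
-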
@@ -4,7 +4,7 @@ require 'ipaddr'
4
4
  module Faraday
5
5
  class RestrictIPAddresses < Faraday::Middleware
6
6
  class AddressNotAllowed < Faraday::Error::ClientError ; end
7
- VERSION = '0.0.1'
7
+ VERSION = '0.0.2'
8
8
 
9
9
  RFC_1918_NETWORKS = %w(
10
10
  127.0.0.0/8
@@ -13,12 +13,32 @@ module Faraday
13
13
  192.168.0.0/16
14
14
  ).map { |net| IPAddr.new(net) }
15
15
 
16
+ RFC_6890_NETWORKS = RFC_1918_NETWORKS + [
17
+ '0.0.0.0/8', # "This" Network [RFC1700, page 4]
18
+ '100.64.0.0/10', # Shared address space [6598, 6890]
19
+ #'128.0.0.0/16', # Reserved in 3330, not in 6890, has been assigned
20
+ '169.254.0.0/16', # Link Local [3927, 6890]
21
+ # '191.255.0.0/16' # Reserved in 3330, not in 6890, has been assigned
22
+ '192.0.0.0/24', # Reserved but subject to allocation [6890]
23
+ '192.0.0.0/29', # DS-Lite [6333, 6890]. Redundant with above, included for completeness.
24
+ '192.0.2.0/24', # Documentation [5737, 6890]
25
+ '192.88.99.0/24', # 6to4 Relay Anycast [3068, 6890]
26
+ '198.18.0.0/15', # Network Interconnect Device Benchmark Testing [2544, 6890]
27
+ '198.51.100.0/24', # Documentation [5737, 6890]
28
+ '203.0.113.0/24', # Documentation [5737, 6890]
29
+ '224.0.0.0/4', # Multicast [11112]
30
+ '240.0.0.0/4', # Reserved for Future Use [6890]
31
+ '255.255.255.255/32' # Reserved for Future Use [6890]
32
+ ].map { |net| IPAddr.new(net) }
33
+
16
34
  def initialize(app, options = {})
17
35
  super(app)
18
36
  @denied_networks = (options[:deny] || []).map { |n| IPAddr.new(n) }
19
37
  @allowed_networks = (options[:allow] || []).map { |n| IPAddr.new(n) }
20
38
 
21
39
  @denied_networks += RFC_1918_NETWORKS if options[:deny_rfc1918]
40
+ @denied_networks += RFC_6890_NETWORKS if options[:deny_rfc6890]
41
+ @denied_networks.uniq!
22
42
  @allowed_networks += [IPAddr.new('127.0.0.1')] if options[:allow_localhost]
23
43
  end
24
44
 
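Review bot: `RFC_6890_NETWORKS` lists only IPv4 prefixes, although RFC 6890 also registers IPv6 special-purpose blocks (loopback `::1/128`, unique-local `fc00::/7`, link-local `fe80::/10`, IPv4-mapped `::ffff:0:0/96`), so `deny_rfc6890: true` promises more than the constant covers. The address check itself is outside these hunks, and the spec comment suggests only IPv4 results are inspected. Either add the IPv6 entries where the check can see them, or state the limit next to the constant, e.g. `# IPv4 only: the IPv6 special-purpose ranges of RFC 6890 are not covered`. Separately, the comment on `'224.0.0.0/4'` cites `[11112]`, which looks like a typo for RFC 1112.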
@@ -6,18 +6,24 @@ describe Faraday::RestrictIPAddresses do
6
6
  @rip = described_class.new(lambda{|env| env}, opts)
7
7
  end
8
8
 
9
- def allowed(string_address)
9
+ def allowed(*addresses)
10
10
  url = URI.parse("http://test.com")
11
- ip = IPAddr.new(string_address).hton
11
+ ips = addresses.map { |add| IPAddr.new(add).hton }
12
12
 
13
- Socket.expects(:gethostbyname).with(url.host).returns(['garbage', [], 30, ip])
13
+ # Socket returns a bunch of other stuff with gethostbyname. ipv6 addresses,
14
+ # other socket information, whatever. We ignore it all internally and return
15
+ # only valid ipv4 addresses, so just append what we're checking to some
16
+ # garbage data like we expect.
17
+ return_addresses = ['garbage', [], 30]
18
+ return_addresses += ips
19
+ Socket.expects(:gethostbyname).with(url.host).returns(return_addresses)
14
20
 
15
21
  env = { url: url }
16
22
  @rip.call(env)
17
23
  end
18
24
 
19
- def denied(string_address)
20
- expect(-> { allowed(string_address) }).to raise_error(Faraday::RestrictIPAddresses::AddressNotAllowed)
25
+ def denied(*addresses)
26
+ expect(-> { allowed(*addresses) }).to raise_error(Faraday::RestrictIPAddresses::AddressNotAllowed)
21
27
  end
22
28
 
23
29
  it "defaults to allowing everything" do
@@ -34,6 +40,14 @@ describe Faraday::RestrictIPAddresses do
34
40
  denied '8.0.0.1'
35
41
  end
36
42
 
43
+ it "disallows addresses when any IP address is disallowed" do
44
+ middleware deny: ["8.0.0.0/8"]
45
+
46
+ denied '10.0.0.10', '8.8.8.8'
47
+ allowed '10.0.0.10'
48
+ denied '10.0.0.10', '8.8.8.8'
49
+ end
50
+
37
51
  it "blacklists RFC1918 addresses" do
38
52
  middleware deny_rfc1918: true
39
53
 
@@ -43,6 +57,15 @@ describe Faraday::RestrictIPAddresses do
43
57
  denied '10.0.0.252'
44
58
  end
45
59
 
60
+ it "blacklists RFC6890 addresses" do
61
+ middleware deny_rfc6890: true
62
+
63
+ allowed '5.5.5.5'
64
+ denied '240.15.15.15'
65
+ denied '192.168.15.55'
66
+ denied '10.0.0.252'
67
+ end
68
+
46
69
  it "allows exceptions to disallowed addresses" do
47
70
  middleware deny_rfc1918: true,
48
71
  allow: ["192.168.0.0/24"]
@@ -70,4 +93,3 @@ describe Faraday::RestrictIPAddresses do
70
93
  end
71
94
 
72
95
  end
73
-
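Review bot: In "disallows addresses when any IP address is disallowed" the first and third assertions are the same call, `denied '10.0.0.10', '8.8.8.8'`, so the case where the denied address comes first in the resolver result is never exercised; the third line was presumably meant to be `denied '8.8.8.8', '10.0.0.10'`. The new RFC6890 example also checks only one range that `deny_rfc1918` does not already cover (`240.15.15.15`). Adding `denied '169.254.169.254'` and `denied '100.64.0.1'` would pin the link-local and shared-address entries, which matter most when the middleware is used to keep requests away from internal services. The `describe` block starts and ends outside these hunks.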
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: faraday-restrict-ip-addresses
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.1
4
+ version: 0.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ben Lavender
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2014-01-24 00:00:00.000000000 Z
11
+ date: 2014-03-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: faraday