lockup 1.4.3 → 1.4.4

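--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: eda412926fb80a7d44fb6b4ce68da4f748529b38
- data.tar.gz: fd9ace00edb3d443744fbdd1cb34a4cbb94bcc6d
+ metadata.gz: ee323e0b4451d7c45b4c45c887e02228205fd98b
+ data.tar.gz: 54bfb4dc3a8b0d7681f98cf37ed81ba3210e0989
 SHA512:
- metadata.gz: 9facda0b570077694acf7c37d5cf658af5cd88a0a4c0dab66477dce7d3cdb77f5cf513a3bdeb0e798ee172045d8c9fa9fd660058e265b473b82151ae7b21f219
- data.tar.gz: 356d724b46c5dceab61493b559b3f39774dcb1c1006e3083abb2308e946dadaa89e9540e78bae4cd799d1946a653c94960491245d59a24ad9ff06f39cb803178
+ metadata.gz: 2a3ccabab609ea1485b5ff502a9db5ea74e31eca642cd0b800e5d7514f6ae07bc95eb83ccc2008784f48a673527468ee3f2f2ea588cb799f3aecb29f1ef6431d
+ data.tar.gz: fc338ecdaaadf6a0d43146eab6a0b5da03c255f32df56e8f2554f7721440f36a8f8622ca645216046b43939e679b70ec6a0089b06f49322d410e07c9fd924324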
@@ -1,23 +1,26 @@
1
1
  module Lockup
2
2
  class LockupController < Lockup::ApplicationController
3
+ CRAWLER_REGEX = /crawl|googlebot|slurp|spider|bingbot|tracker|click|parser|spider/
4
+
3
5
  if self.respond_to?(:skip_before_action)
4
6
  skip_before_action :check_for_lockup
5
7
  else
6
8
  skip_before_filter :check_for_lockup
7
9
  end
8
-
10
+
9
11
  def unlock
10
12
  if params[:lockup_codeword].present?
11
- user_agent = request.env['HTTP_USER_AGENT'].downcase
12
- unless user_agent.match(/crawl|googlebot|slurp|spider|bingbot|tracker|click|parser|spider/)
13
- @codeword = params[:lockup_codeword].to_s.downcase
14
- @return_to = params[:return_to]
15
- if @codeword == lockup_codeword
16
- set_cookie
17
- run_redirect
18
- end
19
- else
13
+ user_agent = request.env['HTTP_USER_AGENT'].presence
14
+ if user_agent && user_agent.downcase.match(CRAWLER_REGEX)
20
15
  head :ok
16
+ return
17
+ end
18
+
19
+ @codeword = params[:lockup_codeword].to_s.downcase
20
+ @return_to = params[:return_to]
21
+ if @codeword == lockup_codeword
22
+ set_cookie
23
+ run_redirect
21
24
  end
22
25
  elsif request.post?
23
26
  if params[:lockup].present? && params[:lockup].respond_to?(:'[]')
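Review bot: The added `@return_to = params[:return_to]` still takes the redirect target from the request without any validation, and the `run_redirect` context shown in the next hunk interpolates it straight into `redirect_to "#{@return_to}"`, so on the Rails versions this gem still supports (the `skip_before_filter` branch) a crafted `return_to` can bounce a visitor to an external host after they unlock; only redirect when the value is a same-origin relative path (a single leading `/`, not `//` or `/\`) and otherwise fall back to the application root. The codeword check on the new `if @codeword == lockup_codeword` line is a plain string comparison; where the supported Rails provides it, `ActiveSupport::SecurityUtils.secure_compare(@codeword, lockup_codeword.to_s)` removes the timing side channel. `CRAWLER_REGEX` lists `spider` twice, and `user_agent.downcase.match(CRAWLER_REGEX)` only needs a boolean, so `match?` (Ruby 2.4+) would avoid allocating a MatchData per request. The body of `unlock` continues past the end of this hunk.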
@@ -36,13 +39,13 @@ module Lockup
36
39
  respond_to :html
37
40
  end
38
41
  end
39
-
42
+
40
43
  private
41
-
44
+
42
45
  def set_cookie
43
46
  cookies[:lockup] = { value: @codeword.to_s.downcase, expires: (Time.now + cookie_lifetime) }
44
47
  end
45
-
48
+
46
49
  def run_redirect
47
50
  if @return_to.present?
48
51
  redirect_to "#{@return_to}"
@@ -17,11 +17,17 @@ module Lockup
17
17
  return unless respond_to?(:lockup) && lockup_codeword_present?
18
18
  return if cookies[:lockup].present? && cookies[:lockup] == lockup_codeword
19
19
 
20
- redirect_to lockup.unlock_path(return_to: request.fullpath.split('?lockup_codeword')[0], lockup_codeword: params[:lockup_codeword])
20
+ redirect_to lockup.unlock_path(
21
+ return_to: request.fullpath.split('?lockup_codeword')[0],
22
+ lockup_codeword: params[:lockup_codeword],
23
+ )
21
24
  end
22
25
 
23
26
  def lockup_codeword_present?
24
- ENV["LOCKUP_CODEWORD"].present? || ENV["lockup_codeword"].present? || (Rails.application.respond_to?(:secrets) && Rails.application.secrets.lockup_codeword.present?)
27
+ ENV["LOCKUP_CODEWORD"].present? ||
28
+ ENV["lockup_codeword"].present? ||
29
+ (Rails.application.respond_to?(:secrets) && Rails.application.secrets.lockup_codeword.present?) ||
30
+ (Rails.application.respond_to?(:credentials) && Rails.application.credentials.lockup_codeword.present?)
25
31
  end
26
32
 
27
33
  def lockup_codeword
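Review bot: `lockup_codeword_present?` now repeats the four-source lookup (two ENV keys, `secrets`, `credentials`) that `lockup_codeword` performs as well — its definition opens on the last line of this hunk and the matching `credentials` branch is added in the following hunk — so the two methods have to be kept in lockstep by hand, and the `credentials.lockup_codeword.present?` test is evaluated twice per call; since `lockup_codeword` appears to return nil when no source is set, `lockup_codeword_present?` could simply be `lockup_codeword.present?`. The rewrapped `redirect_to lockup.unlock_path(...)` still forwards `params[:lockup_codeword]` in the query string, so the codeword lands in request logs and browser history (the appended test log on this page shows `lockup_codeword=omgponies` in its `Started GET` lines); if passing it through the URL is intended, a short comment saying so plus adding `lockup_codeword` to `config.filter_parameters` in the host application would at least keep it out of the logged parameters. The method containing the redirect starts before this hunk.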
@@ -31,6 +37,8 @@ module Lockup
31
37
  ENV["lockup_codeword"].to_s.downcase
32
38
  elsif Rails.application.respond_to?(:secrets) && Rails.application.secrets.lockup_codeword.present?
33
39
  Rails.application.secrets.lockup_codeword.to_s.downcase
40
+ elsif Rails.application.respond_to?(:credentials) && Rails.application.credentials.lockup_codeword.present?
41
+ Rails.application.credentials.lockup_codeword.to_s.downcase
34
42
  end
35
43
  end
36
44
 
@@ -1,3 +1,3 @@
1
1
  module Lockup
2
- VERSION = "1.4.3"
2
+ VERSION = "1.4.4"
3
3
  end
@@ -9,6 +9,7 @@ describe Lockup::LockupController do
9
9
  post 'unlock', params: {foo: 'bar'}
10
10
  end
11
11
  end
12
+
12
13
  describe 'a malicious user requests a format that is not HTML' do
13
14
  it 'throws an unknown format error' do
14
15
  lambda { get 'unlock', format: 'text' }.should raise_error(ActionController::UnknownFormat)
@@ -5185,3 +5185,162 @@ Processing by Lockup::LockupController#unlock as HTML
5185
5185
  Completed 200 OK in 0ms
5186
5186
  Processing by Lockup::LockupController#unlock as TEXT
5187
5187
  Completed 406 Not Acceptable in 0ms
5188
+ Processing by Lockup::LockupController#unlock as HTML
5189
+ Parameters: {"foo"=>"bar"}
5190
+ Completed 200 OK in 0ms
5191
+ Processing by Lockup::LockupController#unlock as TEXT
5192
+ Completed 406 Not Acceptable in 0ms
5193
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5194
+ Processing by PostsController#index as HTML
5195
+ Redirected to http://www.example.com/lockup/unlock?return_to=%2Fposts
5196
+ Filter chain halted as :check_for_lockup rendered or redirected
5197
+ Completed 302 Found in 5ms
5198
+ Started GET "/lockup/unlock?return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5199
+ Processing by Lockup::LockupController#unlock as HTML
5200
+ Parameters: {"return_to"=>"/posts"}
5201
+ Rendering /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application
5202
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application (10.1ms)
5203
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_css.html.erb (0.3ms)
5204
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_js.html.erb (0.2ms)
5205
+ Completed 200 OK in 32ms (Views: 28.0ms)
5206
+ Started GET "/this-does-not-exist?lockup_codeword=omgponies" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5207
+ Processing by ApplicationController#render_404 as HTML
5208
+ Parameters: {"lockup_codeword"=>"omgponies", "path"=>"this-does-not-exist"}
5209
+ Redirected to http://www.example.com/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fthis-does-not-exist
5210
+ Filter chain halted as :check_for_lockup rendered or redirected
5211
+ Completed 302 Found in 0ms
5212
+ Started GET "/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fthis-does-not-exist" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5213
+ Processing by Lockup::LockupController#unlock as HTML
5214
+ Parameters: {"lockup_codeword"=>"omgponies", "return_to"=>"/this-does-not-exist"}
5215
+ Redirected to http://www.example.com/this-does-not-exist
5216
+ Completed 302 Found in 2ms
5217
+ Started GET "/this-does-not-exist" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5218
+ Processing by ApplicationController#render_404 as HTML
5219
+ Parameters: {"path"=>"this-does-not-exist"}
5220
+ Rendering public/404.html within layouts/application
5221
+ Rendered public/404.html within layouts/application (0.2ms)
5222
+ Completed 404 Not Found in 131ms (Views: 130.4ms)
5223
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5224
+ Processing by PostsController#index as HTML
5225
+ Redirected to http://www.example.com/lockup/unlock?return_to=%2Fposts
5226
+ Filter chain halted as :check_for_lockup rendered or redirected
5227
+ Completed 302 Found in 0ms
5228
+ Started GET "/lockup/unlock?return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5229
+ Processing by Lockup::LockupController#unlock as HTML
5230
+ Parameters: {"return_to"=>"/posts"}
5231
+ Rendering /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application
5232
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application (0.9ms)
5233
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_css.html.erb (0.3ms)
5234
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_js.html.erb (0.3ms)
5235
+ Completed 200 OK in 19ms (Views: 15.6ms)
5236
+ Started POST "/lockup/unlock" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5237
+ Processing by Lockup::LockupController#unlock as HTML
5238
+ Parameters: {"utf8"=>"✓", "lockup"=>{"codeword"=>"lolwut", "return_to"=>"/posts"}, "button"=>""}
5239
+ Rendering /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application
5240
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application (1.2ms)
5241
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_css.html.erb (1.0ms)
5242
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_js.html.erb (0.3ms)
5243
+ Completed 200 OK in 24ms (Views: 19.8ms)
5244
+ Started GET "/posts?lockup_codeword=omgponies" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5245
+ Processing by PostsController#index as HTML
5246
+ Parameters: {"lockup_codeword"=>"omgponies"}
5247
+ Redirected to http://www.example.com/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fposts
5248
+ Filter chain halted as :check_for_lockup rendered or redirected
5249
+ Completed 302 Found in 1ms
5250
+ Started GET "/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5251
+ Processing by Lockup::LockupController#unlock as HTML
5252
+ Parameters: {"lockup_codeword"=>"omgponies", "return_to"=>"/posts"}
5253
+ Redirected to http://www.example.com/posts
5254
+ Completed 302 Found in 0ms
5255
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:08 -0700
5256
+ Processing by PostsController#index as HTML
5257
+ Rendering posts/index.html.erb within layouts/application
5258
+ Rendered posts/index.html.erb within layouts/application (0.6ms)
5259
+ Completed 200 OK in 34ms (Views: 8.3ms)
5260
+ Started GET "/posts/1" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5261
+ Processing by PostsController#show as HTML
5262
+ Parameters: {"id"=>"1"}
5263
+ Rendering posts/show.html.erb within layouts/application
5264
+ Rendered posts/show.html.erb within layouts/application (0.3ms)
5265
+ Completed 200 OK in 10ms (Views: 7.1ms)
5266
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5267
+ Processing by PostsController#index as HTML
5268
+ Redirected to http://www.example.com/lockup/unlock?return_to=%2Fposts
5269
+ Filter chain halted as :check_for_lockup rendered or redirected
5270
+ Completed 302 Found in 0ms
5271
+ Started GET "/lockup/unlock?return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5272
+ Processing by Lockup::LockupController#unlock as HTML
5273
+ Parameters: {"return_to"=>"/posts"}
5274
+ Rendering /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application
5275
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application (0.9ms)
5276
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_css.html.erb (0.3ms)
5277
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_js.html.erb (0.2ms)
5278
+ Completed 200 OK in 18ms (Views: 15.1ms)
5279
+ Started POST "/lockup/unlock" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5280
+ Processing by Lockup::LockupController#unlock as HTML
5281
+ Parameters: {"utf8"=>"✓", "lockup"=>{"codeword"=>"omgponies", "return_to"=>"/posts"}, "button"=>""}
5282
+ Redirected to http://www.example.com/posts
5283
+ Completed 302 Found in 0ms
5284
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5285
+ Processing by PostsController#index as HTML
5286
+ Rendering posts/index.html.erb within layouts/application
5287
+ Rendered posts/index.html.erb within layouts/application (0.5ms)
5288
+ Completed 200 OK in 10ms (Views: 7.5ms)
5289
+ Started GET "/posts?lockup_codeword=omgponies" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5290
+ Processing by PostsController#index as HTML
5291
+ Parameters: {"lockup_codeword"=>"omgponies"}
5292
+ Redirected to http://www.example.com/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fposts
5293
+ Filter chain halted as :check_for_lockup rendered or redirected
5294
+ Completed 302 Found in 1ms
5295
+ Started GET "/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5296
+ Processing by Lockup::LockupController#unlock as HTML
5297
+ Parameters: {"lockup_codeword"=>"omgponies", "return_to"=>"/posts"}
5298
+ Completed 200 OK in 0ms
5299
+ Started GET "/posts?lookup_codeword=lolwut" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5300
+ Processing by PostsController#index as HTML
5301
+ Parameters: {"lookup_codeword"=>"lolwut"}
5302
+ Redirected to http://www.example.com/lockup/unlock?return_to=%2Fposts%3Flookup_codeword%3Dlolwut
5303
+ Filter chain halted as :check_for_lockup rendered or redirected
5304
+ Completed 302 Found in 0ms
5305
+ Started GET "/lockup/unlock?return_to=%2Fposts%3Flookup_codeword%3Dlolwut" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5306
+ Processing by Lockup::LockupController#unlock as HTML
5307
+ Parameters: {"return_to"=>"/posts?lookup_codeword=lolwut"}
5308
+ Rendering /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application
5309
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application (1.2ms)
5310
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_css.html.erb (0.4ms)
5311
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_js.html.erb (0.3ms)
5312
+ Completed 200 OK in 19ms (Views: 16.0ms)
5313
+ Started GET "/posts?lockup_codeword=omgponies" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5314
+ Processing by PostsController#index as HTML
5315
+ Parameters: {"lockup_codeword"=>"omgponies"}
5316
+ Redirected to http://www.example.com/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fposts
5317
+ Filter chain halted as :check_for_lockup rendered or redirected
5318
+ Completed 302 Found in 1ms
5319
+ Started GET "/lockup/unlock?lockup_codeword=omgponies&return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5320
+ Processing by Lockup::LockupController#unlock as HTML
5321
+ Parameters: {"lockup_codeword"=>"omgponies", "return_to"=>"/posts"}
5322
+ Redirected to http://www.example.com/posts
5323
+ Completed 302 Found in 0ms
5324
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5325
+ Processing by PostsController#index as HTML
5326
+ Rendering posts/index.html.erb within layouts/application
5327
+ Rendered posts/index.html.erb within layouts/application (0.7ms)
5328
+ Completed 200 OK in 12ms (Views: 9.7ms)
5329
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5330
+ Processing by PostsController#index as HTML
5331
+ Redirected to http://www.example.com/lockup/unlock?return_to=%2Fposts
5332
+ Filter chain halted as :check_for_lockup rendered or redirected
5333
+ Completed 302 Found in 1ms
5334
+ Started GET "/lockup/unlock?return_to=%2Fposts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5335
+ Processing by Lockup::LockupController#unlock as HTML
5336
+ Parameters: {"return_to"=>"/posts"}
5337
+ Rendering /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application
5338
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/lockup/lockup/unlock.html.erb within layouts/lockup/application (1.7ms)
5339
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_css.html.erb (0.5ms)
5340
+ Rendered /Users/grantblakeman/Dropbox/-Projects/Lockup/Build/Gem/lockup_gem/app/views/layouts/lockup/_inline_js.html.erb (0.3ms)
5341
+ Completed 200 OK in 32ms (Views: 21.6ms)
5342
+ Started GET "/posts" for 127.0.0.1 at 2018-10-01 13:54:09 -0700
5343
+ Processing by PostsController#index as HTML
5344
+ Rendering posts/index.html.erb within layouts/application
5345
+ Rendered posts/index.html.erb within layouts/application (0.5ms)
5346
+ Completed 200 OK in 9ms (Views: 6.8ms)
@@ -112,6 +112,14 @@ describe "Accessing a page in the application" do
112
112
  end
113
113
  end
114
114
 
115
- end
115
+ context "without a user agent" do
116
+ before(:each) do
117
+ set_user_agent_to(nil)
118
+ end
116
119
 
120
+ it "doesn't blow up" do
121
+ visit '/posts?lockup_codeword=omgponies'
122
+ end
123
+ end
124
+ end
117
125
  end
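Review bot: The new `it "doesn't blow up"` example only calls `visit '/posts?lockup_codeword=omgponies'` and asserts nothing, so it passes whenever no exception is raised and would not notice the request being answered with the wrong page or a 500 rendered by the dummy app; assert the outcome in the file's existing `should` style, e.g. `page.current_path.should == '/posts'`. The enclosing `describe "Accessing a page in the application"` block starts before this hunk, and `set_user_agent_to(nil)` is a helper defined outside it — I am assuming it removes the header rather than sending a literal "nil" string, which is worth confirming since that is the case the controller change targets.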
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: lockup
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.3
4
+ version: 1.4.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - gb Studio
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-08-29 00:00:00.000000000 Z
11
+ date: 2018-10-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails