logstruct 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77b4f5cd95c84bd5b418bb95b1856af146e70a64e6d39e3a303e33e083faa64d
-  data.tar.gz: 670c515b7eb8fbe5320c3bc52e2a68234aff31f8633fc071286a1b4a816132b6
+  metadata.gz: 01556306744df98d8548bd788dbaee74c29c976207289e7da9da69b7d5e443ca
+  data.tar.gz: 2f8d6b1becb62c66b139ca071871beccafb35d42396e7fc552b8ba4401a93363
 SHA512:
-  metadata.gz: f7b81a7d6893f7db9b51c71d5623beedfa75d81e5c9c1ec51003db37a5873018427e81a86aaa2de3a73741cb372bea2d859980b96695592ee9249ea0def0fe9d
-  data.tar.gz: e8fd117ec5795acebba1a996d2777f25f2ac89afdbb4fa76cb18ec1faa5fea11800b9cf452178412eb0fabe77ca4bcc223dd516d53b1217031f7433361bdc41c
+  metadata.gz: c4f6d5ad7c72bf84e59fcb97ecb70fd3829ff6b681c923104e821e817d085ccad33e7b489232ea86a2e02bfff64ff06be6d314e8dbdf0e01ae82c7c26189c361
+  data.tar.gz: d69f5b0bb706273f5096503f12b7b05519fae03f4ff8d3664794e89c1a6929f42b82dcf5798e782b317f18985ad85067e1c144f1b3739e54876eca163c2ad9bf

data/CHANGELOG.md

@@ -5,10 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.1.3] - 2025-10-11
-
 ### Changed
 
+## [0.1.4] - 2025-10-13
+
+- Improve rack spoof handling and split integration setup
+
+## [0.1.3] - 2025-10-11
+
 - **Fix**: Changed storage, queue name, and format fields from `String` to `Symbol` type to match Rails conventions
   - Affected log types: ActiveStorage, CarrierWave, Shrine (storage field), ActiveJob, GoodJob (queue_name field), Request (format field)
 - JSON logging now enabled for all test runs (both local and CI) to ensure tests catch production bugs

data/lib/log_struct/integrations/rack_error_handler/middleware.rb

@@ -55,8 +55,14 @@ module LogStruct
         def call(env)
           return @app.call(env) unless LogStruct.enabled?
 
-          # Try to process the request
+          request = ::ActionDispatch::Request.new(env)
+
           begin
+            # Trigger the same spoofing checks that ActionDispatch::RemoteIp performs after
+            # it is initialized in the middleware stack. We run this manually because we
+            # execute before that middleware and still want spoofing attacks to surface here.
+            perform_remote_ip_check!(request)
+
             @app.call(env)
           rescue ::ActionDispatch::RemoteIp::IpSpoofAttackError => ip_spoof_error
             # Create a security log for IP spoofing
@@ -65,7 +71,7 @@ module LogStruct
               http_method: env["REQUEST_METHOD"],
               user_agent: env["HTTP_USER_AGENT"],
               referer: env["HTTP_REFERER"],
-              request_id: env["action_dispatch.request_id"],
+              request_id: request.request_id,
               message: ip_spoof_error.message,
               client_ip: env["HTTP_CLIENT_IP"],
               x_forwarded_for: env["HTTP_X_FORWARDED_FOR"],
@@ -74,16 +80,9 @@ module LogStruct
 
             ::Rails.logger.warn(security_log)
 
-            # Report the error
-            context = extract_request_context(env)
-            LogStruct.handle_exception(ip_spoof_error, source: Source::Security, context: context)
-
-            # If handle_exception raised an exception then Rails will deal with it (e.g. config.exceptions_app)
-            # If we are only logging or reporting these security errors, then return a default response
-            [FORBIDDEN_STATUS, IP_SPOOF_HEADERS, [IP_SPOOF_HTML]]
+            [FORBIDDEN_STATUS, IP_SPOOF_HEADERS.dup, [IP_SPOOF_HTML]]
           rescue ::ActionController::InvalidAuthenticityToken => invalid_auth_token_error
             # Create a security log for CSRF error
-            request = ::ActionDispatch::Request.new(env)
             security_log = Log::Security::CSRFViolation.new(
               path: request.path,
               http_method: request.method,
@@ -97,15 +96,15 @@ module LogStruct
             LogStruct.error(security_log)
 
             # Report to error reporting service and/or re-raise
-            context = extract_request_context(env)
+            context = extract_request_context(env, request)
             LogStruct.handle_exception(invalid_auth_token_error, source: Source::Security, context: context)
 
             # If handle_exception raised an exception then Rails will deal with it (e.g. config.exceptions_app)
             # If we are only logging or reporting these security errors, then return a default response
-            [FORBIDDEN_STATUS, CSRF_HEADERS, [CSRF_HTML]]
+            [FORBIDDEN_STATUS, CSRF_HEADERS.dup, [CSRF_HTML]]
           rescue => error
             # Extract request context for error reporting
-            context = extract_request_context(env)
+            context = extract_request_context(env, request)
 
             # Create and log a structured exception with request context
             exception_log = Log.from_exception(Source::Rails, error, context)
@@ -119,9 +118,22 @@ module LogStruct
 
         private
 
-        sig { params(env: T::Hash[String, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
-        def extract_request_context(env)
-          request = ::ActionDispatch::Request.new(env)
+        sig { params(request: ::ActionDispatch::Request).void }
+        def perform_remote_ip_check!(request)
+          action_dispatch_config = ::Rails.application.config.action_dispatch
+          check_ip = action_dispatch_config.ip_spoofing_check
+          return unless check_ip
+
+          proxies = normalized_trusted_proxies(action_dispatch_config.trusted_proxies)
+
+          ::ActionDispatch::RemoteIp::GetIp
+            .new(request, check_ip, proxies)
+            .to_s
+        end
+
+        sig { params(env: T::Hash[String, T.untyped], request: T.nilable(::ActionDispatch::Request)).returns(T::Hash[Symbol, T.untyped]) }
+        def extract_request_context(env, request = nil)
+          request ||= ::ActionDispatch::Request.new(env)
           {
             request_id: request.request_id,
             path: request.path,
@@ -133,6 +145,32 @@ module LogStruct
           # If we can't extract request context, return minimal info
           {error_extracting_context: error.message}
         end
+
+        sig { params(configured_proxies: T.untyped).returns(T.untyped) }
+        def normalized_trusted_proxies(configured_proxies)
+          if configured_proxies.nil? || (configured_proxies.respond_to?(:empty?) && configured_proxies.empty?)
+            return ::ActionDispatch::RemoteIp::TRUSTED_PROXIES
+          end
+
+          return configured_proxies if configured_proxies.respond_to?(:any?)
+
+          raise(
+            ArgumentError,
+            <<~EOM
+              Setting config.action_dispatch.trusted_proxies to a single value isn't
+              supported. Please set this to an enumerable instead. For
+              example, instead of:
+
+              config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
+
+              Wrap the value in an Array:
+
+              config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
+
+              Note that passing an enumerable will *replace* the default set of trusted proxies.
+            EOM
+          )
+        end
       end
     end
   end

data/lib/log_struct/integrations/rack_error_handler.rb

@@ -19,9 +19,9 @@ module LogStruct
         return nil unless config.integrations.enable_rack_error_handler
 
         # Add structured logging middleware for security violations and errors
-        # Need to insert after ShowExceptions to catch IP spoofing errors
-        ::Rails.application.middleware.insert_after(
-          ::ActionDispatch::ShowExceptions,
+        # Need to insert before RemoteIp to catch IP spoofing errors it raises
+        ::Rails.application.middleware.insert_before(
+          ::ActionDispatch::RemoteIp,
           Integrations::RackErrorHandler::Middleware
         )
 

data/lib/log_struct/integrations.rb

@@ -38,11 +38,25 @@ module LogStruct
       end
     end
 
-    sig { void }
-    def self.setup_integrations
+    sig { params(stage: Symbol).void }
+    def self.setup_integrations(stage: :all)
       config = LogStruct.config
 
-      # Set up each integration with consistent configuration pattern
+      case stage
+      when :non_middleware
+        setup_non_middleware_integrations(config)
+      when :middleware
+        setup_middleware_integrations(config)
+      when :all
+        setup_non_middleware_integrations(config)
+        setup_middleware_integrations(config)
+      else
+        raise ArgumentError, "Unknown integration stage: #{stage}"
+      end
+    end
+
+    sig { params(config: LogStruct::Configuration).void }
+    def self.setup_non_middleware_integrations(config)
       Integrations::Lograge.setup(config) if config.integrations.enable_lograge
       Integrations::ActionMailer.setup(config) if config.integrations.enable_actionmailer
       Integrations::ActiveJob.setup(config) if config.integrations.enable_activejob
@@ -51,8 +65,6 @@ module LogStruct
       Integrations::GoodJob.setup(config) if config.integrations.enable_goodjob
       Integrations::Ahoy.setup(config) if config.integrations.enable_ahoy
       Integrations::ActiveModelSerializers.setup(config) if config.integrations.enable_active_model_serializers
-      Integrations::HostAuthorization.setup(config) if config.integrations.enable_host_authorization
-      Integrations::RackErrorHandler.setup(config) if config.integrations.enable_rack_error_handler
       Integrations::Shrine.setup(config) if config.integrations.enable_shrine
       Integrations::ActiveStorage.setup(config) if config.integrations.enable_activestorage
       Integrations::CarrierWave.setup(config) if config.integrations.enable_carrierwave
@@ -62,5 +74,13 @@ module LogStruct
       end
       Integrations::Puma.setup(config) if config.integrations.enable_puma
     end
+
+    sig { params(config: LogStruct::Configuration).void }
+    def self.setup_middleware_integrations(config)
+      Integrations::HostAuthorization.setup(config) if config.integrations.enable_host_authorization
+      Integrations::RackErrorHandler.setup(config) if config.integrations.enable_rack_error_handler
+    end
+
+    private_class_method :setup_non_middleware_integrations, :setup_middleware_integrations
   end
 end

data/lib/log_struct/railtie.rb

@@ -25,12 +25,21 @@ module LogStruct
       # Merge Rails filter parameters into our filters
       LogStruct.merge_rails_filter_parameters!
 
-      # Set up all integrations
-      Integrations.setup_integrations
+      # Set up non-middleware integrations first
+      Integrations.setup_integrations(stage: :non_middleware)
 
       # Note: Host allowances are managed by the test app itself.
     end
 
+    # Setup middleware integrations during Rails configuration (before middleware stack is built)
+    # Must be done in the Railtie class body, not in an initializer
+    initializer "logstruct.configure_middleware", before: :build_middleware_stack do |app|
+      # This runs before middleware stack is frozen, so we can configure it
+      next unless LogStruct.enabled?
+
+      Integrations.setup_integrations(stage: :middleware)
+    end
+
     # Emit Puma lifecycle logs when running `rails server`
     initializer "logstruct.puma_lifecycle", after: "logstruct.configure_logger" do
       is_server = ::LogStruct.server_mode?

data/lib/log_struct/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module LogStruct
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstruct
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - DocSpring