mini_defender 0.6.4 → 0.6.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6fbf3b803c35e010240900c164e70d6ec251484671528bba2e7d58321c148ec0
-  data.tar.gz: 3e65db3a9d3a2b6c91d18bcf7eff25d3c7d4b9f9ef8156e2fcbad69bdd6afe20
+  metadata.gz: '0766463845ff12b982d3230cbd2d62a4506d5b470160256a2ec0684146f4e8bc'
+  data.tar.gz: d24329e0981cb6dabe1d42a85e2c0bec719610a829dc2eb6d2dab480faace668
 SHA512:
-  metadata.gz: 6aed1ac84487557a85a8374b578e8286baf2510e059d0a393c1da6014d89cfd21f33b2d94153e6e376be36ff8b0b45f6b5c10f1e9da4853e0366787179405b84
-  data.tar.gz: f6db95690153ba8ca3f5a2a142ee07349608bb0d2d060944760f1544f5d6d8eb47b7ec36b6eb0b09ebb83baa6a3548b230a0f47c438a9c796738a87e739de94d
+  metadata.gz: 3a232eba0c84024e5248cabcc3f324af4c86956eb494c5f8fb4c1531f76965a32de4b1b674584b1008d4f566b2752712498b600646bf1a1ed94770d5ddeacfa9
+  data.tar.gz: 5afafaa73bd774d094540de2db462f1b2d0c840bf8fda34a5ff9c9959b0d1d6a9dfd0999343ac14d1ce31f1c94de2ff4a255f6650611fbe4d02cee63eb89f8e8

data/lib/mini_defender/rules/image.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'action_dispatch'
+require 'marcel'
 
 class MiniDefender::Rules::Image < MiniDefender::Rule
   MIMES = %w[image/jpeg image/png image/gif image/bmp image/png image/svg+xml image/webp]
@@ -10,7 +11,10 @@ class MiniDefender::Rules::Image < MiniDefender::Rule
   end
 
   def passes?(attribute, value, validator)
-    value.is_a?(ActionDispatch::Http::UploadedFile) && MIMES.include?(value.content_type)
+    content_type = Marcel::MimeType.for(value.read)
+    value.rewind
+
+    value.is_a?(ActionDispatch::Http::UploadedFile) && MIMES.include?(content_type)
   end
 
   def message(attribute, value, validator)

data/lib/mini_defender/rules/integer.rb

@@ -54,9 +54,10 @@ class MiniDefender::Rules::Integer < MiniDefender::Rule
     end
 
     # Remove leading zero so Integer will not treat it as octal
+    # Handle leading zeros while preserving both + and - signs
     value = value
       .to_s
-      .gsub(/^0+/, '')
+      .gsub(/^([+-])?0+(?=\d)/, '\1')
 
     if @mode == 'relaxed'
       value = normalize_digits(value)

data/lib/mini_defender/rules/mime_types.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'action_dispatch'
+require 'marcel'
 
 class MiniDefender::Rules::MimeTypes < MiniDefender::Rule
   def initialize(types)
@@ -26,7 +27,10 @@ class MiniDefender::Rules::MimeTypes < MiniDefender::Rule
 
   def passes?(attribute, value, validator)
     @file = value.is_a?(ActionDispatch::Http::UploadedFile)
-    @file && @types.include?(@file.content_type)
+    content_type = Marcel::MimeType.for(value.read)
+    value.rewind
+
+    @file && @types.include?(content_type)
   end
 
   def message(attribute, value, validator)

data/lib/mini_defender/rules/not_local_url.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class MiniDefender::Rules::NotLocalURL < MiniDefender::Rule
+  LOCALHOST_PATTERNS = [
+    /^localhost$/i,     # localhost, LOCALHOST
+    /^127\./,           # 127.x.x.x
+    /^::1$/,           # IPv6 localhost
+    /^0\.0\.0\.0$/,    # All interfaces IPv4
+    /^::$/,            # IPv6 unspecified
+    /\.local$/i,       # domain.local
+    /^local\./i,       # local.domain
+    /^localhost\./i,   # localhost.anything
+  ]
+
+  def self.signature
+    'not_local_url'
+  end
+
+  def passes?(attribute, value, validator)
+    uri = URI.parse(value.to_s)
+    host = uri.host.to_s.downcase
+
+    !LOCALHOST_PATTERNS.any? { |pattern| host.match?(pattern) }
+  rescue URI::InvalidURIError
+    false
+  end
+
+  def message(attribute, value, validator)
+    'URL cannot point to localhost or local domain.'
+  end
+end

data/lib/mini_defender/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MiniDefender
-  VERSION = "0.6.4"
+  VERSION = "0.6.7"
 end

data/mini_defender.gemspec

@@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'actionpack', '>= 6.0'
   spec.add_runtime_dependency 'countries'
   spec.add_runtime_dependency 'money'
+  spec.add_runtime_dependency 'marcel'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mini_defender
 version: !ruby/object:Gem::Version
-  version: 0.6.4
+  version: 0.6.7
 platform: ruby
 authors:
 - Ali Alhoshaiyan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-29 00:00:00.000000000 Z
+date: 2024-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: marcel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A small and efficient validation library for Rails and anything that
   uses Ruby.
 email:
@@ -167,6 +181,7 @@ files:
 - lib/mini_defender/rules/national_id.rb
 - lib/mini_defender/rules/not_ending_with.rb
 - lib/mini_defender/rules/not_in.rb
+- lib/mini_defender/rules/not_local_url.rb
 - lib/mini_defender/rules/not_regex.rb
 - lib/mini_defender/rules/not_starting_with.rb
 - lib/mini_defender/rules/numeric.rb
@@ -219,7 +234,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: A small and efficient validation library for Rails and anything that uses