mini_defender 0.6.5 → 0.6.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12e38770ec94ea06cf7c9a6f40af0cc37fc2017deb30161c2804c9e3024d7ad4
-  data.tar.gz: 36738ff2ca0ad2316dbb0f68fee90ad921690fab463cf4050103789edb975212
+  metadata.gz: 3bae6fdb0faacfd54fe463d30f80710e40d383bd868d64e65da7243bae0c5b1c
+  data.tar.gz: f9cf13d8acbc654b9c647c33b322937722b97f0a99b8d389d4311002a3a5a65e
 SHA512:
-  metadata.gz: 94d2291d0f17296b246ae67f96685f20dd7c7316d7ed329d89fc2141d76af57c538ca3909b52be177b9d08663448c2941669668861ba0408d40bdb10f75ad462
-  data.tar.gz: d5f5aab2a675b44ce991573938eea9ca9782e954971365d71102ba6e8081b802d76cffa4f3382354bbf04695028e88cede5686146c28003ef1c1ee4f8f33e30a
+  metadata.gz: 2c50350da6f341f0487357cf63cad4dbf070c5c8f89614344619182dffd9b7f345b3015466e185fe4114cadcd2a3f7159bbf87e7413bd0d887327cdb13cebbce
+  data.tar.gz: 8bb5e5e2702c985a7c3933147d0db5f59abde4e566f8747aa6158d21fb5bd440dcf6f1d8706ae0846e0532a14d918d2b36d04673f519d98c72412b480c25fef4

data/lib/mini_defender/data/private_network_patterns.txt

@@ -0,0 +1,64 @@
+# RFC 2606 - Reserved Domain Names
+# https://datatracker.ietf.org/doc/html/rfc2606
+*.test
+*.example
+*.invalid
+localhost
+*.localhost
+example.com
+example.net
+example.org
+
+# RFC 6761 - Special-Use Domain Names
+# https://datatracker.ietf.org/doc/html/rfc6761
+*.local
+*.onion
+*.home.arpa
+
+# RFC 1918 - Private Address Space
+# https://datatracker.ietf.org/doc/html/rfc1918
+10.*
+172.(1[6-9]|2[0-9]|3[0-1]).*
+192.168.*
+
+# RFC 3330 - Special-Use IPv4 Addresses
+# https://datatracker.ietf.org/doc/html/rfc3330
+127.*
+169.254.*
+0.0.0.0
+
+# RFC 4291 - IPv6 Addressing Architecture
+# https://datatracker.ietf.org/doc/html/rfc4291
+::1
+fe80:*
+::
+::ffff:*
+
+# RFC 4193 - Unique Local IPv6 Unicast Addresses
+# https://datatracker.ietf.org/doc/html/rfc4193
+fc00:*
+fd00:*
+
+# Common Internal Network Patterns (based on RFC 2606 and 6761)
+*.intranet
+*.internal
+*.corp
+*.lan
+intranet.*
+internal.*
+corp.*
+lan.*
+
+# Development Environments (based on RFC 2606)
+*.dev.test
+*.staging.test
+*.qa.test
+dev.example.*
+staging.example.*
+qa.example.*
+
+# RFC 6052 - IPv6 Translation
+64:ff9b::*
+
+# RFC 3986 - URI Encoded Forms
+%6C%6F%63%61%6C%68%6F%73%74

data/lib/mini_defender/rules/image.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'action_dispatch'
+require 'marcel'
 
 class MiniDefender::Rules::Image < MiniDefender::Rule
   MIMES = %w[image/jpeg image/png image/gif image/bmp image/png image/svg+xml image/webp]
@@ -10,7 +11,10 @@ class MiniDefender::Rules::Image < MiniDefender::Rule
   end
 
   def passes?(attribute, value, validator)
-    value.is_a?(ActionDispatch::Http::UploadedFile) && MIMES.include?(value.content_type)
+    content_type = Marcel::MimeType.for(value.read)
+    value.rewind
+
+    value.is_a?(ActionDispatch::Http::UploadedFile) && MIMES.include?(content_type)
   end
 
   def message(attribute, value, validator)

data/lib/mini_defender/rules/integer.rb

@@ -54,9 +54,10 @@ class MiniDefender::Rules::Integer < MiniDefender::Rule
     end
 
     # Remove leading zero so Integer will not treat it as octal
+    # Handle leading zeros while preserving both + and - signs
     value = value
       .to_s
-      .gsub(/^0+/, '')
+      .gsub(/^([+-])?0+(?=\d)/, '\1')
 
     if @mode == 'relaxed'
       value = normalize_digits(value)

data/lib/mini_defender/rules/mime_types.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'action_dispatch'
+require 'marcel'
 
 class MiniDefender::Rules::MimeTypes < MiniDefender::Rule
   def initialize(types)
@@ -26,7 +27,10 @@ class MiniDefender::Rules::MimeTypes < MiniDefender::Rule
 
   def passes?(attribute, value, validator)
     @file = value.is_a?(ActionDispatch::Http::UploadedFile)
-    @file && @types.include?(value.content_type)
+    content_type = Marcel::MimeType.for(value.read)
+    value.rewind
+
+    @file && @types.include?(content_type)
   end
 
   def message(attribute, value, validator)

data/lib/mini_defender/rules/url.rb

@@ -1,17 +1,140 @@
 # frozen_string_literal: true
 
 require 'uri'
+require 'ipaddr'
+require 'public_suffix'
 
 class MiniDefender::Rules::Url < MiniDefender::Rule
+  ALLOWED_MODIFIERS = %w[https public not_ip not_private]
+
+  def initialize(modifiers = [])
+    @modifiers = Array(modifiers).map(&:to_s)
+
+    unless @modifiers.empty?
+      validate_modifiers!
+    end
+
+    @validation_error = nil
+  end
+
   def self.signature
     'url'
   end
 
+  def self.make(modifiers) # no need to raise an error when no modifier is entered; as 'url' rule checks URL structure on its own
+    new(modifiers)
+  end
+
   def passes?(attribute, value, validator)
-    value.is_a?(String) && URI.regexp(%w[http https]).match?(value)
+    unless value.is_a?(String)
+      return false
+    end
+
+    begin
+      uri = URI.parse(value)
+
+      if uri.host.blank? || uri.scheme.blank?
+        return false
+      end
+
+      unless %w[http https].include?(uri.scheme)
+        @validation_error = 'URL protocol must be HTTP or HTTPS.'
+        return false
+      end
+
+      if @modifiers.empty?
+        return true
+      end
+
+      if @modifiers.include?('https') && uri.scheme != 'https'
+        @validation_error = 'The URL must use HTTPS.'
+        return false
+      end
+
+      if @modifiers.include?('public') && (!PublicSuffix.valid?(uri.host) || private_network?(uri.host))
+        @validation_error = 'The URL must use a valid public domain.'
+        return false
+      end
+
+      if @modifiers.include?('not_ip') && ip_address?(uri.host)
+        @validation_error = 'IP addresses are not allowed in URLs.'
+        return false
+      end
+
+      if @modifiers.include?('not_private') && private_network?(uri.host)
+        @validation_error = 'Private or reserved resources are not allowed.'
+        return false
+      end
+
+      true
+    rescue URI::InvalidURIError
+      @validation_error = 'The field must contain a valid URL.'
+      false
+    rescue PublicSuffix::Error
+      false
+    end
   end
 
   def message(attribute, value, validator)
-    'The field must contain a valid URL.'
+    @validation_error || 'The field must contain a valid URL.'
+  end
+
+  def private_network?(host)
+    unless host
+      return false
+    end
+
+    host = host.downcase
+
+    private_patterns.any? { |pattern| pattern.match?(host) }
+  end
+
+  private
+
+  def validate_modifiers!
+    invalid_modifiers = @modifiers - ALLOWED_MODIFIERS
+    if invalid_modifiers.empty?
+      return
+    end
+
+    raise ArgumentError, "Invalid URL modifiers: #{invalid_modifiers.join(', ')}"
+  end
+
+  def ip_address?(host)
+    unless host
+      return false
+    end
+
+    begin
+      IPAddr.new(host)
+      true
+    rescue IPAddr::InvalidAddressError
+      false
+    end
+  end
+
+  def private_patterns
+    # Cache the result in class variable to avoid loading again
+    # across multiple instances
+    @@private_patterns ||= begin
+      pattern_file = File.expand_path('../data/private_network_patterns.txt', __dir__)
+
+      File.readlines(pattern_file).filter_map do |line|
+        line = line.strip
+
+        if line.empty? || line.start_with?('#')
+          next
+        end
+
+        # Pattern => regex (once)
+        pattern = line
+          .gsub('.', '\.')           # escape dots
+          .gsub('*', '.*')           # wildcards => regex
+          .gsub('[0-9]+', '\d+')     # convert number ranges
+          .gsub(/\[(.+?)\]/, '(\1)') # convert chars classes
+
+        Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
+      end
+    end
   end
 end

data/lib/mini_defender/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MiniDefender
-  VERSION = "0.6.5"
+  VERSION = "0.6.8"
 end

data/mini_defender.gemspec

@@ -33,4 +33,6 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'actionpack', '>= 6.0'
   spec.add_runtime_dependency 'countries'
   spec.add_runtime_dependency 'money'
+  spec.add_runtime_dependency 'marcel'
+  spec.add_runtime_dependency 'public_suffix'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mini_defender
 version: !ruby/object:Gem::Version
-  version: 0.6.5
+  version: 0.6.8
 platform: ruby
 authors:
 - Ali Alhoshaiyan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-29 00:00:00.000000000 Z
+date: 2024-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -80,6 +80,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: marcel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A small and efficient validation library for Rails and anything that
   uses Ruby.
 email:
@@ -96,6 +124,7 @@ files:
 - RULES.md
 - Rakefile
 - lib/mini_defender.rb
+- lib/mini_defender/data/private_network_patterns.txt
 - lib/mini_defender/extensions/enumerable.rb
 - lib/mini_defender/handles_validation_errors.rb
 - lib/mini_defender/rule.rb
@@ -219,7 +248,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: A small and efficient validation library for Rails and anything that uses