mini_defender 0.6.7 → 0.6.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0766463845ff12b982d3230cbd2d62a4506d5b470160256a2ec0684146f4e8bc'
-  data.tar.gz: d24329e0981cb6dabe1d42a85e2c0bec719610a829dc2eb6d2dab480faace668
+  metadata.gz: 3bae6fdb0faacfd54fe463d30f80710e40d383bd868d64e65da7243bae0c5b1c
+  data.tar.gz: f9cf13d8acbc654b9c647c33b322937722b97f0a99b8d389d4311002a3a5a65e
 SHA512:
-  metadata.gz: 3a232eba0c84024e5248cabcc3f324af4c86956eb494c5f8fb4c1531f76965a32de4b1b674584b1008d4f566b2752712498b600646bf1a1ed94770d5ddeacfa9
-  data.tar.gz: 5afafaa73bd774d094540de2db462f1b2d0c840bf8fda34a5ff9c9959b0d1d6a9dfd0999343ac14d1ce31f1c94de2ff4a255f6650611fbe4d02cee63eb89f8e8
+  metadata.gz: 2c50350da6f341f0487357cf63cad4dbf070c5c8f89614344619182dffd9b7f345b3015466e185fe4114cadcd2a3f7159bbf87e7413bd0d887327cdb13cebbce
+  data.tar.gz: 8bb5e5e2702c985a7c3933147d0db5f59abde4e566f8747aa6158d21fb5bd440dcf6f1d8706ae0846e0532a14d918d2b36d04673f519d98c72412b480c25fef4

data/lib/mini_defender/data/private_network_patterns.txt

@@ -0,0 +1,64 @@
+# RFC 2606 - Reserved Domain Names
+# https://datatracker.ietf.org/doc/html/rfc2606
+*.test
+*.example
+*.invalid
+localhost
+*.localhost
+example.com
+example.net
+example.org
+
+# RFC 6761 - Special-Use Domain Names
+# https://datatracker.ietf.org/doc/html/rfc6761
+*.local
+*.onion
+*.home.arpa
+
+# RFC 1918 - Private Address Space
+# https://datatracker.ietf.org/doc/html/rfc1918
+10.*
+172.(1[6-9]|2[0-9]|3[0-1]).*
+192.168.*
+
+# RFC 3330 - Special-Use IPv4 Addresses
+# https://datatracker.ietf.org/doc/html/rfc3330
+127.*
+169.254.*
+0.0.0.0
+
+# RFC 4291 - IPv6 Addressing Architecture
+# https://datatracker.ietf.org/doc/html/rfc4291
+::1
+fe80:*
+::
+::ffff:*
+
+# RFC 4193 - Unique Local IPv6 Unicast Addresses
+# https://datatracker.ietf.org/doc/html/rfc4193
+fc00:*
+fd00:*
+
+# Common Internal Network Patterns (based on RFC 2606 and 6761)
+*.intranet
+*.internal
+*.corp
+*.lan
+intranet.*
+internal.*
+corp.*
+lan.*
+
+# Development Environments (based on RFC 2606)
+*.dev.test
+*.staging.test
+*.qa.test
+dev.example.*
+staging.example.*
+qa.example.*
+
+# RFC 6052 - IPv6 Translation
+64:ff9b::*
+
+# RFC 3986 - URI Encoded Forms
+%6C%6F%63%61%6C%68%6F%73%74

data/lib/mini_defender/rules/url.rb

@@ -1,17 +1,140 @@
 # frozen_string_literal: true
 
 require 'uri'
+require 'ipaddr'
+require 'public_suffix'
 
 class MiniDefender::Rules::Url < MiniDefender::Rule
+  ALLOWED_MODIFIERS = %w[https public not_ip not_private]
+
+  def initialize(modifiers = [])
+    @modifiers = Array(modifiers).map(&:to_s)
+
+    unless @modifiers.empty?
+      validate_modifiers!
+    end
+
+    @validation_error = nil
+  end
+
   def self.signature
     'url'
   end
 
+  def self.make(modifiers) # no need to raise an error when no modifier is entered; as 'url' rule checks URL structure on its own
+    new(modifiers)
+  end
+
   def passes?(attribute, value, validator)
-    value.is_a?(String) && URI.regexp(%w[http https]).match?(value)
+    unless value.is_a?(String)
+      return false
+    end
+
+    begin
+      uri = URI.parse(value)
+
+      if uri.host.blank? || uri.scheme.blank?
+        return false
+      end
+
+      unless %w[http https].include?(uri.scheme)
+        @validation_error = 'URL protocol must be HTTP or HTTPS.'
+        return false
+      end
+
+      if @modifiers.empty?
+        return true
+      end
+
+      if @modifiers.include?('https') && uri.scheme != 'https'
+        @validation_error = 'The URL must use HTTPS.'
+        return false
+      end
+
+      if @modifiers.include?('public') && (!PublicSuffix.valid?(uri.host) || private_network?(uri.host))
+        @validation_error = 'The URL must use a valid public domain.'
+        return false
+      end
+
+      if @modifiers.include?('not_ip') && ip_address?(uri.host)
+        @validation_error = 'IP addresses are not allowed in URLs.'
+        return false
+      end
+
+      if @modifiers.include?('not_private') && private_network?(uri.host)
+        @validation_error = 'Private or reserved resources are not allowed.'
+        return false
+      end
+
+      true
+    rescue URI::InvalidURIError
+      @validation_error = 'The field must contain a valid URL.'
+      false
+    rescue PublicSuffix::Error
+      false
+    end
   end
 
   def message(attribute, value, validator)
-    'The field must contain a valid URL.'
+    @validation_error || 'The field must contain a valid URL.'
+  end
+
+  def private_network?(host)
+    unless host
+      return false
+    end
+
+    host = host.downcase
+
+    private_patterns.any? { |pattern| pattern.match?(host) }
+  end
+
+  private
+
+  def validate_modifiers!
+    invalid_modifiers = @modifiers - ALLOWED_MODIFIERS
+    if invalid_modifiers.empty?
+      return
+    end
+
+    raise ArgumentError, "Invalid URL modifiers: #{invalid_modifiers.join(', ')}"
+  end
+
+  def ip_address?(host)
+    unless host
+      return false
+    end
+
+    begin
+      IPAddr.new(host)
+      true
+    rescue IPAddr::InvalidAddressError
+      false
+    end
+  end
+
+  def private_patterns
+    # Cache the result in class variable to avoid loading again
+    # across multiple instances
+    @@private_patterns ||= begin
+      pattern_file = File.expand_path('../data/private_network_patterns.txt', __dir__)
+
+      File.readlines(pattern_file).filter_map do |line|
+        line = line.strip
+
+        if line.empty? || line.start_with?('#')
+          next
+        end
+
+        # Pattern => regex (once)
+        pattern = line
+          .gsub('.', '\.')           # escape dots
+          .gsub('*', '.*')           # wildcards => regex
+          .gsub('[0-9]+', '\d+')     # convert number ranges
+          .gsub(/\[(.+?)\]/, '(\1)') # convert chars classes
+
+        Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
+      end
+    end
   end
 end

data/lib/mini_defender/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MiniDefender
-  VERSION = "0.6.7"
+  VERSION = "0.6.8"
 end

data/mini_defender.gemspec

@@ -34,4 +34,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'countries'
   spec.add_runtime_dependency 'money'
   spec.add_runtime_dependency 'marcel'
+  spec.add_runtime_dependency 'public_suffix'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mini_defender
 version: !ruby/object:Gem::Version
-  version: 0.6.7
+  version: 0.6.8
 platform: ruby
 authors:
 - Ali Alhoshaiyan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-10 00:00:00.000000000 Z
+date: 2024-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A small and efficient validation library for Rails and anything that
   uses Ruby.
 email:
@@ -110,6 +124,7 @@ files:
 - RULES.md
 - Rakefile
 - lib/mini_defender.rb
+- lib/mini_defender/data/private_network_patterns.txt
 - lib/mini_defender/extensions/enumerable.rb
 - lib/mini_defender/handles_validation_errors.rb
 - lib/mini_defender/rule.rb
@@ -181,7 +196,6 @@ files:
 - lib/mini_defender/rules/national_id.rb
 - lib/mini_defender/rules/not_ending_with.rb
 - lib/mini_defender/rules/not_in.rb
-- lib/mini_defender/rules/not_local_url.rb
 - lib/mini_defender/rules/not_regex.rb
 - lib/mini_defender/rules/not_starting_with.rb
 - lib/mini_defender/rules/numeric.rb
@@ -234,7 +248,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: A small and efficient validation library for Rails and anything that uses

data/lib/mini_defender/rules/not_local_url.rb

@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-
-class MiniDefender::Rules::NotLocalURL < MiniDefender::Rule
-  LOCALHOST_PATTERNS = [
-    /^localhost$/i,     # localhost, LOCALHOST
-    /^127\./,           # 127.x.x.x
-    /^::1$/,           # IPv6 localhost
-    /^0\.0\.0\.0$/,    # All interfaces IPv4
-    /^::$/,            # IPv6 unspecified
-    /\.local$/i,       # domain.local
-    /^local\./i,       # local.domain
-    /^localhost\./i,   # localhost.anything
-  ]
-
-  def self.signature
-    'not_local_url'
-  end
-
-  def passes?(attribute, value, validator)
-    uri = URI.parse(value.to_s)
-    host = uri.host.to_s.downcase
-
-    !LOCALHOST_PATTERNS.any? { |pattern| host.match?(pattern) }
-  rescue URI::InvalidURIError
-    false
-  end
-
-  def message(attribute, value, validator)
-    'URL cannot point to localhost or local domain.'
-  end
-end