mini_defender 0.6.7 → 0.6.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0766463845ff12b982d3230cbd2d62a4506d5b470160256a2ec0684146f4e8bc'
-  data.tar.gz: d24329e0981cb6dabe1d42a85e2c0bec719610a829dc2eb6d2dab480faace668
+  metadata.gz: 1a9dd7cd41807156b4aaa18aa7cf645fd00b67ea0dfbd9bc457e12c01bf9c6a3
+  data.tar.gz: 9b666b35cbe313a93783609ada72dadffe70feacd7eb22dfba05d958906ac283
 SHA512:
-  metadata.gz: 3a232eba0c84024e5248cabcc3f324af4c86956eb494c5f8fb4c1531f76965a32de4b1b674584b1008d4f566b2752712498b600646bf1a1ed94770d5ddeacfa9
-  data.tar.gz: 5afafaa73bd774d094540de2db462f1b2d0c840bf8fda34a5ff9c9959b0d1d6a9dfd0999343ac14d1ce31f1c94de2ff4a255f6650611fbe4d02cee63eb89f8e8
+  metadata.gz: f604e44530496d5f20eddecc82806cd3b52ea66b2158dcb6cb106f7571f26c57153d3bba13cdc8f2a78c63f7dd9deb16132ad1dde220ab1eaded04fa6167afb5
+  data.tar.gz: ce4951ee441eaac7eeba302336a9d7403a6cb18aa607784b28702ec02d654dc9b521bc8dde021e75bebc06ab9aad83b477da0aa90ba461514d03f7907fe2d1a3

data/lib/mini_defender/data/private_network_patterns.txt

@@ -0,0 +1,64 @@
+# RFC 2606 - Reserved Domain Names
+# https://datatracker.ietf.org/doc/html/rfc2606
+*.test
+*.example
+*.invalid
+localhost
+*.localhost
+example.com
+example.net
+example.org
+
+# RFC 6761 - Special-Use Domain Names
+# https://datatracker.ietf.org/doc/html/rfc6761
+*.local
+*.onion
+*.home.arpa
+
+# RFC 1918 - Private Address Space
+# https://datatracker.ietf.org/doc/html/rfc1918
+10.*
+172.(1[6-9]|2[0-9]|3[0-1]).*
+192.168.*
+
+# RFC 3330 - Special-Use IPv4 Addresses
+# https://datatracker.ietf.org/doc/html/rfc3330
+127.*
+169.254.*
+0.0.0.0
+
+# RFC 4291 - IPv6 Addressing Architecture
+# https://datatracker.ietf.org/doc/html/rfc4291
+::1
+fe80:*
+::
+::ffff:*
+
+# RFC 4193 - Unique Local IPv6 Unicast Addresses
+# https://datatracker.ietf.org/doc/html/rfc4193
+fc00:*
+fd00:*
+
+# Common Internal Network Patterns (based on RFC 2606 and 6761)
+*.intranet
+*.internal
+*.corp
+*.lan
+intranet.*
+internal.*
+corp.*
+lan.*
+
+# Development Environments (based on RFC 2606)
+*.dev.test
+*.staging.test
+*.qa.test
+dev.example.*
+staging.example.*
+qa.example.*
+
+# RFC 6052 - IPv6 Translation
+64:ff9b::*
+
+# RFC 3986 - URI Encoded Forms
+%6C%6F%63%61%6C%68%6F%73%74

data/lib/mini_defender/rules/numeric.rb

@@ -6,11 +6,27 @@ class MiniDefender::Rules::Numeric < MiniDefender::Rule
   end
 
   def coerce(value)
-    value.is_a?(Numeric) ? value : Float(value.to_s)
+    if value.is_a?(Numeric)
+      return value
+    end
+
+    if value.is_a?(String)
+      value = value.gsub(',', '')
+    end
+
+    Float(value.to_s)
   end
 
   def passes?(attribute, value, validator)
-    value.is_a?(Numeric) || Float(value.to_s) rescue false
+    if value.is_a?(Numeric)
+      return true
+    end
+
+    if value.is_a?(String)
+      value = value.gsub(',', '')
+    end
+
+    Float(value.to_s) rescue false
   end
 
   def message(attribute, value, validator)

data/lib/mini_defender/rules/url.rb

@@ -1,17 +1,140 @@
 # frozen_string_literal: true
 
 require 'uri'
+require 'ipaddr'
+require 'public_suffix'
 
 class MiniDefender::Rules::Url < MiniDefender::Rule
+  ALLOWED_MODIFIERS = %w[https public not_ip not_private]
+
+  def initialize(modifiers = [])
+    @modifiers = Array(modifiers).map(&:to_s)
+
+    unless @modifiers.empty?
+      validate_modifiers!
+    end
+
+    @validation_error = nil
+  end
+
   def self.signature
     'url'
   end
 
+  def self.make(modifiers) # no need to raise an error when no modifier is entered; as 'url' rule checks URL structure on its own
+    new(modifiers)
+  end
+
   def passes?(attribute, value, validator)
-    value.is_a?(String) && URI.regexp(%w[http https]).match?(value)
+    unless value.is_a?(String)
+      return false
+    end
+
+    begin
+      uri = URI.parse(value)
+
+      if uri.host.blank? || uri.scheme.blank?
+        return false
+      end
+
+      unless %w[http https].include?(uri.scheme)
+        @validation_error = 'URL protocol must be HTTP or HTTPS.'
+        return false
+      end
+
+      if @modifiers.empty?
+        return true
+      end
+
+      if @modifiers.include?('https') && uri.scheme != 'https'
+        @validation_error = 'The URL must use HTTPS.'
+        return false
+      end
+
+      if @modifiers.include?('public') && (!PublicSuffix.valid?(uri.host) || private_network?(uri.host))
+        @validation_error = 'The URL must use a valid public domain.'
+        return false
+      end
+
+      if @modifiers.include?('not_ip') && ip_address?(uri.host)
+        @validation_error = 'IP addresses are not allowed in URLs.'
+        return false
+      end
+
+      if @modifiers.include?('not_private') && private_network?(uri.host)
+        @validation_error = 'Private or reserved resources are not allowed.'
+        return false
+      end
+
+      true
+    rescue URI::InvalidURIError
+      @validation_error = 'The field must contain a valid URL.'
+      false
+    rescue PublicSuffix::Error
+      false
+    end
   end
 
   def message(attribute, value, validator)
-    'The field must contain a valid URL.'
+    @validation_error || 'The field must contain a valid URL.'
+  end
+
+  def private_network?(host)
+    unless host
+      return false
+    end
+
+    host = host.downcase
+
+    private_patterns.any? { |pattern| pattern.match?(host) }
+  end
+
+  private
+
+  def validate_modifiers!
+    invalid_modifiers = @modifiers - ALLOWED_MODIFIERS
+    if invalid_modifiers.empty?
+      return
+    end
+
+    raise ArgumentError, "Invalid URL modifiers: #{invalid_modifiers.join(', ')}"
+  end
+
+  def ip_address?(host)
+    unless host
+      return false
+    end
+
+    begin
+      IPAddr.new(host)
+      true
+    rescue IPAddr::InvalidAddressError
+      false
+    end
+  end
+
+  def private_patterns
+    # Cache the result in class variable to avoid loading again
+    # across multiple instances
+    @@private_patterns ||= begin
+      pattern_file = File.expand_path('../data/private_network_patterns.txt', __dir__)
+
+      File.readlines(pattern_file).filter_map do |line|
+        line = line.strip
+
+        if line.empty? || line.start_with?('#')
+          next
+        end
+
+        # Pattern => regex (once)
+        pattern = line
+          .gsub('.', '\.')           # escape dots
+          .gsub('*', '.*')           # wildcards => regex
+          .gsub('[0-9]+', '\d+')     # convert number ranges
+          .gsub(/\[(.+?)\]/, '(\1)') # convert chars classes
+
+        Regexp.new("^#{pattern}$", Regexp::IGNORECASE)
+      end
+    end
   end
 end

data/lib/mini_defender/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MiniDefender
-  VERSION = "0.6.7"
+  VERSION = "0.6.9"
 end

data/mini_defender.gemspec

@@ -34,4 +34,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'countries'
   spec.add_runtime_dependency 'money'
   spec.add_runtime_dependency 'marcel'
+  spec.add_runtime_dependency 'public_suffix'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mini_defender
 version: !ruby/object:Gem::Version
-  version: 0.6.7
+  version: 0.6.9
 platform: ruby
 authors:
 - Ali Alhoshaiyan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-10 00:00:00.000000000 Z
+date: 2025-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A small and efficient validation library for Rails and anything that
   uses Ruby.
 email:
@@ -102,7 +116,6 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".DS_Store"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.md
@@ -110,6 +123,7 @@ files:
 - RULES.md
 - Rakefile
 - lib/mini_defender.rb
+- lib/mini_defender/data/private_network_patterns.txt
 - lib/mini_defender/extensions/enumerable.rb
 - lib/mini_defender/handles_validation_errors.rb
 - lib/mini_defender/rule.rb
@@ -181,7 +195,6 @@ files:
 - lib/mini_defender/rules/national_id.rb
 - lib/mini_defender/rules/not_ending_with.rb
 - lib/mini_defender/rules/not_in.rb
-- lib/mini_defender/rules/not_local_url.rb
 - lib/mini_defender/rules/not_regex.rb
 - lib/mini_defender/rules/not_starting_with.rb
 - lib/mini_defender/rules/numeric.rb

data/lib/mini_defender/rules/not_local_url.rb

@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-
-class MiniDefender::Rules::NotLocalURL < MiniDefender::Rule
-  LOCALHOST_PATTERNS = [
-    /^localhost$/i,     # localhost, LOCALHOST
-    /^127\./,           # 127.x.x.x
-    /^::1$/,           # IPv6 localhost
-    /^0\.0\.0\.0$/,    # All interfaces IPv4
-    /^::$/,            # IPv6 unspecified
-    /\.local$/i,       # domain.local
-    /^local\./i,       # local.domain
-    /^localhost\./i,   # localhost.anything
-  ]
-
-  def self.signature
-    'not_local_url'
-  end
-
-  def passes?(attribute, value, validator)
-    uri = URI.parse(value.to_s)
-    host = uri.host.to_s.downcase
-
-    !LOCALHOST_PATTERNS.any? { |pattern| host.match?(pattern) }
-  rescue URI::InvalidURIError
-    false
-  end
-
-  def message(attribute, value, validator)
-    'URL cannot point to localhost or local domain.'
-  end
-end