pakyow-routing 1.0.0.rc1
- checksums.yaml +7 -0
- data/CHANGELOG.md +137 -0
- data/LICENSE +4 -0
- data/README.md +33 -0
- data/lib/pakyow/behavior/definition.rb +35 -0
- data/lib/pakyow/routing/actions/respond_missing.rb +13 -0
- data/lib/pakyow/routing/controller/behavior/error_handling.rb +149 -0
- data/lib/pakyow/routing/controller/behavior/param_verification.rb +76 -0
- data/lib/pakyow/routing/controller.rb +872 -0
- data/lib/pakyow/routing/expansion.rb +104 -0
- data/lib/pakyow/routing/extensions/resource.rb +158 -0
- data/lib/pakyow/routing/extensions.rb +3 -0
- data/lib/pakyow/routing/framework.rb +82 -0
- data/lib/pakyow/routing/helpers/exposures.rb +25 -0
- data/lib/pakyow/routing/route.rb +85 -0
- data/lib/pakyow/routing.rb +10 -0
- data/lib/pakyow/security/base.rb +47 -0
- data/lib/pakyow/security/behavior/config.rb +34 -0
- data/lib/pakyow/security/behavior/disabling.rb +37 -0
- data/lib/pakyow/security/behavior/helpers.rb +19 -0
- data/lib/pakyow/security/behavior/insecure.rb +21 -0
- data/lib/pakyow/security/behavior/pipeline.rb +21 -0
- data/lib/pakyow/security/csrf/verify_authenticity_token.rb +26 -0
- data/lib/pakyow/security/csrf/verify_same_origin.rb +73 -0
- data/lib/pakyow/security/errors.rb +19 -0
- data/lib/pakyow/security/helpers/csrf.rb +15 -0
- data/lib/pakyow/security/pipelines/csrf.rb +24 -0
- metadata +98 -0
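--- a/data/lib/pakyow/security/csrf/verify_same_origin.rb
+++ b/data/lib/pakyow/security/csrf/verify_same_origin.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require "uri"
+
+require "pakyow/security/base"
+
+module Pakyow
+module Security
+module CSRF
+# Protects against Cross-Site Forgery Requests (CSRF).
+# https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+#
+# Allows requests if the origin or referer matches the request uri, or is whitelisted through
+# the +config.origin.whitelist+ config option. The request is not allowed if values for both
+# origin and referer are missing.
+#
+#
+class VerifySameOrigin < Base
+def initialize(*)
+super
+
+@whitelisted_origins = @config[:origin_whitelist].to_a.map { |origin|
+parse_uri(origin)
+}.compact
+end
+
+def allowed?(connection)
+origin_uris(connection).yield_self { |origins|
+!origins.empty? && origins.all? { |origin|
+whitelisted_origin?(origin) || matching_origin?(origin, connection)
+}
+}
+end
+
+private
+
+def origin_uris(connection)
+origins = []
+
+if connection.request_header?("origin")
+origins.concat(connection.request_header("origin"))
+end
+
+if connection.request_header?("referer")
+origins << connection.request_header("referer")
+end
+
+origins.map! { |value| parse_uri(value) }
+end
+
+def parse_uri(value)
+URI.parse(value.to_s)
+rescue URI::InvalidURIError
+nil
+end
+
+def uris_match?(uri1, uri2)
+uri1.scheme == uri2.scheme && uri1.host == uri2.host && uri1.port == uri2.port
+end
+
+def whitelisted_origin?(origin)
+@whitelisted_origins.any? { |whitelisted|
+uris_match?(whitelisted, origin)
+}
+end
+
+def matching_origin?(origin, connection)
+uris_match?(origin, parse_uri("#{connection.scheme}://#{connection.authority}"))
+end
+end
+end
+end
+end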
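Review bot: A malformed Origin or Referer header reaches `uris_match?` as nil, because `origin_uris` keeps the nil that `parse_uri` returns on URI::InvalidURIError (unlike `initialize`, which compacts its list), so `allowed?` ends in a NoMethodError on `nil.scheme` instead of a deliberate rejection. Guarding the comparison keeps the fail-closed outcome without the exception: `uri1 && uri2 && uri1.scheme == uri2.scheme && uri1.host == uri2.host && uri1.port == uri2.port` in `uris_match?`. The `concat` on the origin line and the `<<` on the referer line imply that `request_header` returns an Array for one header and a scalar for the other; if it returns the same type for both, one of the two lines is wrong (`Array#concat` raises TypeError on a String). The class comment names the option `config.origin.whitelist` while the code reads `@config[:origin_whitelist]`, so one of the two should be corrected to the key the code actually consults. How `Base` turns a false `allowed?` into a response lives in pakyow/security/base, outside this hunk.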
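--- a/data/lib/pakyow/security/errors.rb
+++ b/data/lib/pakyow/security/errors.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "pakyow/error"
+
+module Pakyow
+module Security
+class Error < Pakyow::Error
+end
+
+class InsecureRequest < Error
+end
+
+class InsecureRedirect < Error
+class_state :messages, default: {
+default: "Cannot redirect to remote, untrusted location `{location}'"
+}.freeze
+end
+end
+end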
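Review bot: The three error classes carry no documentation, and only `InsecureRedirect` has a message template, so a reader cannot tell when `InsecureRequest` is meant to be raised as opposed to the base `Error`. A one-line comment above each would do, e.g. `# Raised when a request fails a security check and must not be processed.` above `InsecureRequest` and `# Raised when a redirect targets a location outside the application's own origin.` above `InsecureRedirect`; where the classes are raised is outside this hunk, so the wording should be checked against the callers. The `{location}` placeholder is filled with a request-supplied redirect target, so whatever renders this message should treat it as untrusted text; that rendering is not in this hunk either.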
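--- a/data/lib/pakyow/security/helpers/csrf.rb
+++ b/data/lib/pakyow/security/helpers/csrf.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "pakyow/support/message_verifier"
+
+module Pakyow
+module Security
+module Helpers
+module CSRF
+def authenticity_client_id
+@authenticity_client_id ||= Support::MessageVerifier.key
+end
+end
+end
+end
+end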
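Review bot: `authenticity_client_id` memoizes `Support::MessageVerifier.key` in `@authenticity_client_id` but documents neither what the key is nor whose lifetime it is bound to, and since the helper can be mixed into any object a reader cannot tell whether the id is per request, per session or per process. A comment such as `# Lazily generates one client id per including object (via Support::MessageVerifier.key) and reuses it on later calls.` would make the scope explicit. The `||=` also means a value later set to nil or false is regenerated rather than preserved, which is worth stating if callers rely on it. What `MessageVerifier.key` returns is not visible in this hunk.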
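--- a/data/lib/pakyow/security/pipelines/csrf.rb
+++ b/data/lib/pakyow/security/pipelines/csrf.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "pakyow/support/pipeline"
+
+module Pakyow
+module Security
+module Pipelines
+module CSRF
+extend Support::Pipeline
+
+action :verify_same_origin
+action :verify_authenticity_token
+
+def verify_same_origin
+config.security.csrf.protection[:origin].call(@connection)
+end
+
+def verify_authenticity_token
+config.security.csrf.protection[:authenticity].call(@connection)
+end
+end
+end
+end
+end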
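Review bot: `config.security.csrf.protection[:origin]` and `[:authenticity]` return nil when the key is absent, so a misconfigured protection table fails with a NoMethodError on `call` rather than an error naming the missing key. If `protection` is a Hash, `config.security.csrf.protection.fetch(:origin).call(@connection)` (and likewise for `:authenticity`) raises a KeyError that says which check was not configured. Nothing in the hunk shows how a failed check halts the pipeline; presumably the callable rejects the connection itself, and a comment on the two `action` lines saying so would spare the next reader the trip through the config. `config` and `@connection` come from the object this module is included into, which is outside this hunk.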
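--- a/metadata
+++ b/metadata
@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: pakyow-routing
+version: !ruby/object:Gem::Version
+version: 1.0.0.rc1
+platform: ruby
+authors:
+- Bryan Powell
+- Bret Young
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2019-07-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: pakyow-core
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+- !ruby/object:Gem::Dependency
+name: pakyow-support
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.0.0.rc1
+description: Routing functionality for Pakyow
+email: bryan@metabahn.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- lib/pakyow/behavior/definition.rb
+- lib/pakyow/routing.rb
+- lib/pakyow/routing/actions/respond_missing.rb
+- lib/pakyow/routing/controller.rb
+- lib/pakyow/routing/controller/behavior/error_handling.rb
+- lib/pakyow/routing/controller/behavior/param_verification.rb
+- lib/pakyow/routing/expansion.rb
+- lib/pakyow/routing/extensions.rb
+- lib/pakyow/routing/extensions/resource.rb
+- lib/pakyow/routing/framework.rb
+- lib/pakyow/routing/helpers/exposures.rb
+- lib/pakyow/routing/route.rb
+- lib/pakyow/security/base.rb
+- lib/pakyow/security/behavior/config.rb
+- lib/pakyow/security/behavior/disabling.rb
+- lib/pakyow/security/behavior/helpers.rb
+- lib/pakyow/security/behavior/insecure.rb
+- lib/pakyow/security/behavior/pipeline.rb
+- lib/pakyow/security/csrf/verify_authenticity_token.rb
+- lib/pakyow/security/csrf/verify_same_origin.rb
+- lib/pakyow/security/errors.rb
+- lib/pakyow/security/helpers/csrf.rb
+- lib/pakyow/security/pipelines/csrf.rb
+homepage: https://pakyow.org
+licenses:
+- LGPL-3.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">"
+- !ruby/object:Gem::Version
+version: 1.3.1
+requirements: []
+rubyforge_project:
+rubygems_version: 2.7.6
+signing_key:
+specification_version: 4
+summary: Pakyow Routing
+test_files: []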