RubyGems - private_address_check - Versions diffs - 0.4.1 → 0.5.0 - Mend

private_address_check 0.4.1 → 0.5.0

Files changed (11) hide show

checksums.yaml +5 -5
data/Gemfile +1 -1
data/README.md +11 -1
data/Rakefile +2 -2
data/lib/private_address_check.rb +5 -4
data/lib/private_address_check/tcpsocket_ext.rb +4 -5
data/lib/private_address_check/version.rb +1 -1
data/test/private_address_check/tcpsocket_ext_test.rb +7 -3
data/test/private_address_check_test.rb +1 -1
data/test/test_helper.rb +3 -3
metadata +17 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c1a4bcbc9ec82314b86bb620261268077132d6c9
-  data.tar.gz: fe1ecc17c73d3cef97a38e9bc845089e42b360f1
+SHA256:
+  metadata.gz: 56efdc9f53367a9a51247cab85795bf6928aba58030b28cf09d1aec3db79e3c0
+  data.tar.gz: 6addbfe12464ff1b66ae49d77151b7e7eeceec21e04af71ff48cfbceccca300d
 SHA512:
-  metadata.gz: 6b7551e633389296e49e25687a29fbd066614e37ef103dd6745dc6f7b3a332c3e0c500a1a1eb8196dd46ef8cc38041980b483b49426f531aeea98b05a1de4457
-  data.tar.gz: dd232f46857c690672d00a68a245026f1701775f8e34f017ee6fc48a3d04e75ffd7ec89da4ab6ba7e19e276005bbbedea99ba1089036663c751de04e03287e5b
+  metadata.gz: 0aa89cd6d220c3a0a46b3cbb0ee0692c669b5204f3e88076eee1ce0da24ab48750dbd77f446e277adf96dfcfa404234966b10c77295451527679634d8db6f958
+  data.tar.gz: e793ca0fe49c9c402bcc9960182ff5ac1d82c1dfa06705fb04957ae0a2e6653372c024e27fded055351d0232985bd770dbf841559b4b13915d46e65bf678bf20

data/Gemfile CHANGED

@@ -1,4 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 # Specify your gem's dependencies in private_address_check.gemspec
 gemspec

data/README.md CHANGED

@@ -61,8 +61,18 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 Bug reports and pull requests are welcome on GitHub at https://github.com/jtdowney/private_address_check. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+## Security
+If you've found a security issue in `private_address_check`, please reach out to @jtdowney via email to report.
+### Time of check to time of use
+A library like `private_address_check` is going to be easily susceptible to attacks like [time of check to time of use](https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use). DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address by the subsequent resolution is a private address. There are some possible defenses and workarounds:
+- Use the TCPSocket extension in this library which checks the address the socket uses. This is most useful if your system is built on native Ruby like Net::HTTP.
+- Use a feature like the `resolve` capability in curl and [curb](https://www.rubydoc.info/github/taf2/curb/Curl/Easy#resolve=-instance_method) to force the resolution to a pre-checked IP address.
+- Implement your own caching DNS resolver with something like dnsmasq or unbound. These tools let you set a minimum cache time that can override the TTL of 0.
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile CHANGED

@@ -4,7 +4,7 @@ require "rake/testtask"
 Rake::TestTask.new(:test) do |t|
   t.libs << "test"
   t.libs << "lib"
-  t.test_files = FileList['test/**/*_test.rb']
+  t.test_files = FileList["test/**/*_test.rb"]
 end
-task :default => :test
+task default: :test

data/lib/private_address_check.rb CHANGED

@@ -6,7 +6,8 @@ require "private_address_check/version"
 module PrivateAddressCheck
   module_function
-  # https://en.wikipedia.org/wiki/Reserved_IP_addresses
+  # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+  # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
   CIDR_LIST = [
     IPAddr.new("127.0.0.0/8"),     # Loopback
     IPAddr.new("::1/128"),         # Loopback
@@ -35,10 +36,10 @@ module PrivateAddressCheck
     IPAddr.new("fc00::/7"),        # Unique local address
     IPAddr.new("fe80::/10"),       # Link-local address
     IPAddr.new("ff00::/8")         # Multicast
-  ]
+  ].freeze
   def private_address?(address)
-    CIDR_LIST.any? do |cidr|
+    CIDR_LIST.any? do |cidr|
       cidr.include?(address)
     end
   end
@@ -47,7 +48,7 @@ module PrivateAddressCheck
     ips = Socket.getaddrinfo(hostname, nil).map { |info| IPAddr.new(info[3]) }
     return true if ips.empty?
-    ips.any? do |ip|
+    ips.any? do |ip|
       private_address?(ip)
     end
   end

data/lib/private_address_check/tcpsocket_ext.rb CHANGED

@@ -12,13 +12,12 @@ module PrivateAddressCheck
 end
 TCPSocket.class_eval do
-  alias initialize_without_private_address_check initialize
+  alias_method :initialize_without_private_address_check, :initialize
-  def initialize(remote_host, remote_port, local_host = nil, local_port = nil)
-    if Thread.current[:private_address_check] && PrivateAddressCheck.resolves_to_private_address?(remote_host)
+  def initialize(*args)
+    initialize_without_private_address_check(*args)
+    if Thread.current[:private_address_check] && PrivateAddressCheck.resolves_to_private_address?(remote_address.ip_address)
       raise PrivateAddressCheck::PrivateConnectionAttemptedError
     end
-    initialize_without_private_address_check(remote_host, remote_port, local_host, local_port)
   end
 end

data/lib/private_address_check/version.rb CHANGED

@@ -1,3 +1,3 @@
 module PrivateAddressCheck
-  VERSION = "0.4.1"
+  VERSION = "0.5.0".freeze
 end

data/test/private_address_check/tcpsocket_ext_test.rb CHANGED

@@ -1,13 +1,17 @@
-require 'test_helper'
-require 'private_address_check/tcpsocket_ext'
+require "test_helper"
+require "private_address_check/tcpsocket_ext"
 class TCPSocketExtTest < Minitest::Test
   def test_private_address
+    server = TCPServer.new(63_453)
+    thread = Thread.start { server.accept }
     assert_raises PrivateAddressCheck::PrivateConnectionAttemptedError do
       PrivateAddressCheck.only_public_connections do
-        TCPSocket.new("localhost", 80)
+        TCPSocket.new("localhost", 63_453)
       end
     end
+  ensure
+    thread.exit if thread
   end
   def test_public_address

data/test/private_address_check_test.rb CHANGED

@@ -1,4 +1,4 @@
-require 'test_helper'
+require "test_helper"
 class PrivateAddressCheckTest < Minitest::Test
   def test_private_address_for_public_addresses

data/test/test_helper.rb CHANGED

@@ -1,4 +1,4 @@
-$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
-require 'private_address_check'
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+require "private_address_check"
-require 'minitest/autorun'
+require "minitest/autorun"

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: private_address_check
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.5.0
 platform: ruby
 authors:
 - John Downey
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-11-16 00:00:00.000000000 Z
+date: 2018-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.50.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.50.0
 description: Checks if a IP or hostname would cause a request to a private network
   (RFC 1918)
 email:
@@ -91,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: Prevent Server Side Request Forgery attacks by checking the destination