private_address_check 0.4.1 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/Gemfile +1 -1
- data/README.md +11 -1
- data/Rakefile +2 -2
- data/lib/private_address_check.rb +5 -4
- data/lib/private_address_check/tcpsocket_ext.rb +4 -5
- data/lib/private_address_check/version.rb +1 -1
- data/test/private_address_check/tcpsocket_ext_test.rb +7 -3
- data/test/private_address_check_test.rb +1 -1
- data/test/test_helper.rb +3 -3
- metadata +17 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 56efdc9f53367a9a51247cab85795bf6928aba58030b28cf09d1aec3db79e3c0
|
|
4
|
+
data.tar.gz: 6addbfe12464ff1b66ae49d77151b7e7eeceec21e04af71ff48cfbceccca300d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0aa89cd6d220c3a0a46b3cbb0ee0692c669b5204f3e88076eee1ce0da24ab48750dbd77f446e277adf96dfcfa404234966b10c77295451527679634d8db6f958
|
|
7
|
+
data.tar.gz: e793ca0fe49c9c402bcc9960182ff5ac1d82c1dfa06705fb04957ae0a2e6653372c024e27fded055351d0232985bd770dbf841559b4b13915d46e65bf678bf20
|
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -61,8 +61,18 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
|
|
|
61
61
|
|
|
62
62
|
Bug reports and pull requests are welcome on GitHub at https://github.com/jtdowney/private_address_check. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
|
63
63
|
|
|
64
|
+
## Security
|
|
65
|
+
|
|
66
|
+
If you've found a security issue in `private_address_check`, please reach out to @jtdowney via email to report.
|
|
67
|
+
|
|
68
|
+
### Time of check to time of use
|
|
69
|
+
|
|
70
|
+
A library like `private_address_check` is going to be easily susceptible to attacks like [time of check to time of use](https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use). DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address by the subsequent resolution is a private address. There are some possible defenses and workarounds:
|
|
71
|
+
|
|
72
|
+
- Use the TCPSocket extension in this library which checks the address the socket uses. This is most useful if your system is built on native Ruby like Net::HTTP.
|
|
73
|
+
- Use a feature like the `resolve` capability in curl and [curb](https://www.rubydoc.info/github/taf2/curb/Curl/Easy#resolve=-instance_method) to force the resolution to a pre-checked IP address.
|
|
74
|
+
- Implement your own caching DNS resolver with something like dnsmasq or unbound. These tools let you set a minimum cache time that can override the TTL of 0.
|
|
64
75
|
|
|
65
76
|
## License
|
|
66
77
|
|
|
67
78
|
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
|
68
|
-
|
data/Rakefile
CHANGED
|
@@ -6,7 +6,8 @@ require "private_address_check/version"
|
|
|
6
6
|
module PrivateAddressCheck
|
|
7
7
|
module_function
|
|
8
8
|
|
|
9
|
-
# https://
|
|
9
|
+
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
|
|
10
|
+
# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
|
|
10
11
|
CIDR_LIST = [
|
|
11
12
|
IPAddr.new("127.0.0.0/8"), # Loopback
|
|
12
13
|
IPAddr.new("::1/128"), # Loopback
|
|
@@ -35,10 +36,10 @@ module PrivateAddressCheck
|
|
|
35
36
|
IPAddr.new("fc00::/7"), # Unique local address
|
|
36
37
|
IPAddr.new("fe80::/10"), # Link-local address
|
|
37
38
|
IPAddr.new("ff00::/8") # Multicast
|
|
38
|
-
]
|
|
39
|
+
].freeze
|
|
39
40
|
|
|
40
41
|
def private_address?(address)
|
|
41
|
-
CIDR_LIST.any? do |cidr|
|
|
42
|
+
CIDR_LIST.any? do |cidr|
|
|
42
43
|
cidr.include?(address)
|
|
43
44
|
end
|
|
44
45
|
end
|
|
@@ -47,7 +48,7 @@ module PrivateAddressCheck
|
|
|
47
48
|
ips = Socket.getaddrinfo(hostname, nil).map { |info| IPAddr.new(info[3]) }
|
|
48
49
|
return true if ips.empty?
|
|
49
50
|
|
|
50
|
-
ips.any? do |ip|
|
|
51
|
+
ips.any? do |ip|
|
|
51
52
|
private_address?(ip)
|
|
52
53
|
end
|
|
53
54
|
end
|
|
@@ -12,13 +12,12 @@ module PrivateAddressCheck
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
TCPSocket.class_eval do
|
|
15
|
-
|
|
15
|
+
alias_method :initialize_without_private_address_check, :initialize
|
|
16
16
|
|
|
17
|
-
def initialize(
|
|
18
|
-
|
|
17
|
+
def initialize(*args)
|
|
18
|
+
initialize_without_private_address_check(*args)
|
|
19
|
+
if Thread.current[:private_address_check] && PrivateAddressCheck.resolves_to_private_address?(remote_address.ip_address)
|
|
19
20
|
raise PrivateAddressCheck::PrivateConnectionAttemptedError
|
|
20
21
|
end
|
|
21
|
-
|
|
22
|
-
initialize_without_private_address_check(remote_host, remote_port, local_host, local_port)
|
|
23
22
|
end
|
|
24
23
|
end
|
|
@@ -1,13 +1,17 @@
|
|
|
1
|
-
require
|
|
2
|
-
require
|
|
1
|
+
require "test_helper"
|
|
2
|
+
require "private_address_check/tcpsocket_ext"
|
|
3
3
|
|
|
4
4
|
class TCPSocketExtTest < Minitest::Test
|
|
5
5
|
def test_private_address
|
|
6
|
+
server = TCPServer.new(63_453)
|
|
7
|
+
thread = Thread.start { server.accept }
|
|
6
8
|
assert_raises PrivateAddressCheck::PrivateConnectionAttemptedError do
|
|
7
9
|
PrivateAddressCheck.only_public_connections do
|
|
8
|
-
TCPSocket.new("localhost",
|
|
10
|
+
TCPSocket.new("localhost", 63_453)
|
|
9
11
|
end
|
|
10
12
|
end
|
|
13
|
+
ensure
|
|
14
|
+
thread.exit if thread
|
|
11
15
|
end
|
|
12
16
|
|
|
13
17
|
def test_public_address
|
data/test/test_helper.rb
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
$LOAD_PATH.unshift File.expand_path(
|
|
2
|
-
require
|
|
1
|
+
$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
|
|
2
|
+
require "private_address_check"
|
|
3
3
|
|
|
4
|
-
require
|
|
4
|
+
require "minitest/autorun"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: private_address_check
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- John Downey
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-05-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -52,6 +52,20 @@ dependencies:
|
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '5.0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: rubocop
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - "~>"
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: 0.50.0
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - "~>"
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: 0.50.0
|
|
55
69
|
description: Checks if a IP or hostname would cause a request to a private network
|
|
56
70
|
(RFC 1918)
|
|
57
71
|
email:
|
|
@@ -91,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
91
105
|
version: '0'
|
|
92
106
|
requirements: []
|
|
93
107
|
rubyforge_project:
|
|
94
|
-
rubygems_version: 2.6
|
|
108
|
+
rubygems_version: 2.7.6
|
|
95
109
|
signing_key:
|
|
96
110
|
specification_version: 4
|
|
97
111
|
summary: Prevent Server Side Request Forgery attacks by checking the destination
|