private_address_check 0.4.1 → 0.5.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: c1a4bcbc9ec82314b86bb620261268077132d6c9
4
- data.tar.gz: fe1ecc17c73d3cef97a38e9bc845089e42b360f1
2
+ SHA256:
3
+ metadata.gz: 56efdc9f53367a9a51247cab85795bf6928aba58030b28cf09d1aec3db79e3c0
4
+ data.tar.gz: 6addbfe12464ff1b66ae49d77151b7e7eeceec21e04af71ff48cfbceccca300d
5
5
  SHA512:
6
- metadata.gz: 6b7551e633389296e49e25687a29fbd066614e37ef103dd6745dc6f7b3a332c3e0c500a1a1eb8196dd46ef8cc38041980b483b49426f531aeea98b05a1de4457
7
- data.tar.gz: dd232f46857c690672d00a68a245026f1701775f8e34f017ee6fc48a3d04e75ffd7ec89da4ab6ba7e19e276005bbbedea99ba1089036663c751de04e03287e5b
6
+ metadata.gz: 0aa89cd6d220c3a0a46b3cbb0ee0692c669b5204f3e88076eee1ce0da24ab48750dbd77f446e277adf96dfcfa404234966b10c77295451527679634d8db6f958
7
+ data.tar.gz: e793ca0fe49c9c402bcc9960182ff5ac1d82c1dfa06705fb04957ae0a2e6653372c024e27fded055351d0232985bd770dbf841559b4b13915d46e65bf678bf20
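--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,4 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in private_address_check.gemspec
 gemspec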
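--- a/data/README.md
+++ b/data/README.md
@@ -61,8 +61,18 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/jtdowney/private_address_check. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
+## Security
+
+If you've found a security issue in `private_address_check`, please reach out to @jtdowney via email to report.
+
+### Time of check to time of use
+
+A library like `private_address_check` is going to be easily susceptible to attacks like [time of check to time of use](https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use). DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address by the subsequent resolution is a private address. There are some possible defenses and workarounds:
+
+- Use the TCPSocket extension in this library which checks the address the socket uses. This is most useful if your system is built on native Ruby like Net::HTTP.
+- Use a feature like the `resolve` capability in curl and [curb](https://www.rubydoc.info/github/taf2/curb/Curl/Easy#resolve=-instance_method) to force the resolution to a pre-checked IP address.
+- Implement your own caching DNS resolver with something like dnsmasq or unbound. These tools let you set a minimum cache time that can override the TTL of 0.
 
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
-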
data/Rakefile CHANGED
@@ -4,7 +4,7 @@ require "rake/testtask"
4
4
  Rake::TestTask.new(:test) do |t|
5
5
  t.libs << "test"
6
6
  t.libs << "lib"
7
- t.test_files = FileList['test/**/*_test.rb']
7
+ t.test_files = FileList["test/**/*_test.rb"]
8
8
  end
9
9
 
10
- task :default => :test
10
+ task default: :test
@@ -6,7 +6,8 @@ require "private_address_check/version"
6
6
  module PrivateAddressCheck
7
7
  module_function
8
8
 
9
- # https://en.wikipedia.org/wiki/Reserved_IP_addresses
9
+ # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
10
+ # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
10
11
  CIDR_LIST = [
11
12
  IPAddr.new("127.0.0.0/8"), # Loopback
12
13
  IPAddr.new("::1/128"), # Loopback
@@ -35,10 +36,10 @@ module PrivateAddressCheck
35
36
  IPAddr.new("fc00::/7"), # Unique local address
36
37
  IPAddr.new("fe80::/10"), # Link-local address
37
38
  IPAddr.new("ff00::/8") # Multicast
38
- ]
39
+ ].freeze
39
40
 
40
41
  def private_address?(address)
41
- CIDR_LIST.any? do |cidr|
42
+ CIDR_LIST.any? do |cidr|
42
43
  cidr.include?(address)
43
44
  end
44
45
  end
@@ -47,7 +48,7 @@ module PrivateAddressCheck
47
48
  ips = Socket.getaddrinfo(hostname, nil).map { |info| IPAddr.new(info[3]) }
48
49
  return true if ips.empty?
49
50
 
50
- ips.any? do |ip|
51
+ ips.any? do |ip|
51
52
  private_address?(ip)
52
53
  end
53
54
  end
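Review bot: `].freeze` at new line 39 of the `CIDR_LIST` hunk freezes only the array; the `IPAddr` entries stay mutable, so a caller that reaches one of them (`CIDR_LIST.first.mask!(...)`) can still alter the set this library blocks on. Freezing the entries as well, `].each(&:freeze).freeze`, makes the list immutable end to end, since `IPAddr`'s mutators raise on a frozen instance. Only part of the list is visible in this hunk; if the full list lacks the IPv4-mapped IPv6 block `::ffff:0:0/96`, the IPv4 ranges it contains could be presented in mapped form and pass `private_address?`, so that is worth confirming against the complete file. The `resolves_to_private_address?` hunk below only re-indents, and that method's definition starts outside the hunk.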
@@ -12,13 +12,12 @@ module PrivateAddressCheck
12
12
  end
13
13
 
14
14
  TCPSocket.class_eval do
15
- alias initialize_without_private_address_check initialize
15
+ alias_method :initialize_without_private_address_check, :initialize
16
16
 
17
- def initialize(remote_host, remote_port, local_host = nil, local_port = nil)
18
- if Thread.current[:private_address_check] && PrivateAddressCheck.resolves_to_private_address?(remote_host)
17
+ def initialize(*args)
18
+ initialize_without_private_address_check(*args)
19
+ if Thread.current[:private_address_check] && PrivateAddressCheck.resolves_to_private_address?(remote_address.ip_address)
19
20
  raise PrivateAddressCheck::PrivateConnectionAttemptedError
20
21
  end
21
-
22
- initialize_without_private_address_check(remote_host, remote_port, local_host, local_port)
23
22
  end
24
23
  end
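Review bot: When the post-connect check at new line 19 trips, the socket that `initialize_without_private_address_check` just opened is never closed: the error is raised from a fully connected `TCPSocket` the caller never receives, so every blocked attempt leaks a descriptor until GC, and the same happens if `resolves_to_private_address?` itself raises. Closing before raising, in both paths, fixes it; a sketch follows. Checking the connected peer instead of the hostname is what addresses the TOCTOU the README describes, at the cost that the private host sees a completed handshake before the connection is dropped, which deserves a comment above `def initialize` such as `# Connect first, then verify the peer actually reached, so a DNS answer cannot change between check and use.` Routing `remote_address.ip_address` through `resolves_to_private_address?` also re-runs `Socket.getaddrinfo` on a literal IP; `PrivateAddressCheck.private_address?(IPAddr.new(remote_address.ip_address))` would be more direct if `ipaddr` is loaded in this file (its requires are outside the hunk).
```ruby
def initialize(*args)
  initialize_without_private_address_check(*args)
  return unless Thread.current[:private_address_check]

  begin
    blocked = PrivateAddressCheck.resolves_to_private_address?(remote_address.ip_address)
  rescue StandardError
    close
    raise
  end
  return unless blocked

  close
  raise PrivateAddressCheck::PrivateConnectionAttemptedError
end
```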
@@ -1,3 +1,3 @@
1
1
  module PrivateAddressCheck
2
- VERSION = "0.4.1"
2
+ VERSION = "0.5.0".freeze
3
3
  end
@@ -1,13 +1,17 @@
1
- require 'test_helper'
2
- require 'private_address_check/tcpsocket_ext'
1
+ require "test_helper"
2
+ require "private_address_check/tcpsocket_ext"
3
3
 
4
4
  class TCPSocketExtTest < Minitest::Test
5
5
  def test_private_address
6
+ server = TCPServer.new(63_453)
7
+ thread = Thread.start { server.accept }
6
8
  assert_raises PrivateAddressCheck::PrivateConnectionAttemptedError do
7
9
  PrivateAddressCheck.only_public_connections do
8
- TCPSocket.new("localhost", 80)
10
+ TCPSocket.new("localhost", 63_453)
9
11
  end
10
12
  end
13
+ ensure
14
+ thread.exit if thread
11
15
  end
12
16
 
13
17
  def test_public_address
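Review bot: `TCPServer.new(63_453)` at new line 6 binds a fixed port on every interface, so the test fails with `Errno::EADDRINUSE` whenever that port is taken and leaves a listener reachable beyond loopback for the test's duration; binding `127.0.0.1` on port `0` and reading the assigned port back avoids both. The `ensure` at new lines 13–14 stops the accept thread but never closes `server`, so the listening socket outlives the test. `test_private_address` is fully inside the hunk; a rewrite follows.
```ruby
def test_private_address
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  thread = Thread.start { server.accept }
  assert_raises PrivateAddressCheck::PrivateConnectionAttemptedError do
    PrivateAddressCheck.only_public_connections do
      TCPSocket.new("localhost", port)
    end
  end
ensure
  thread.exit if thread
  server.close if server
end
```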
@@ -1,4 +1,4 @@
1
- require 'test_helper'
1
+ require "test_helper"
2
2
 
3
3
  class PrivateAddressCheckTest < Minitest::Test
4
4
  def test_private_address_for_public_addresses
@@ -1,4 +1,4 @@
1
- $LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
2
- require 'private_address_check'
1
+ $LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
2
+ require "private_address_check"
3
3
 
4
- require 'minitest/autorun'
4
+ require "minitest/autorun"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: private_address_check
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.1
4
+ version: 0.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - John Downey
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-11-16 00:00:00.000000000 Z
11
+ date: 2018-05-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -52,6 +52,20 @@ dependencies:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
54
  version: '5.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: rubocop
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: 0.50.0
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - "~>"
67
+ - !ruby/object:Gem::Version
68
+ version: 0.50.0
55
69
  description: Checks if a IP or hostname would cause a request to a private network
56
70
  (RFC 1918)
57
71
  email:
@@ -91,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
91
105
  version: '0'
92
106
  requirements: []
93
107
  rubyforge_project:
94
- rubygems_version: 2.6.13
108
+ rubygems_version: 2.7.6
95
109
  signing_key:
96
110
  specification_version: 4
97
111
  summary: Prevent Server Side Request Forgery attacks by checking the destination