rack-canonical-host 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 35d3203952564f0ba3368443e122d7469a26e1d3
-  data.tar.gz: b818b81e58a6fe8a720dbc27387b783d48d94ced
+  metadata.gz: e6bc6bda17ed0ec22ca85d722327dd5d1bcd53d3
+  data.tar.gz: d1b695e4c981811aec5d8885c0e59a1e6e7e2a3f
 SHA512:
-  metadata.gz: c3a7af383aaf322c84ca2bdfc6994963ca3cb149b787cd6dec803e103d9e23857f8db48a204bb2cd77ab40740b925c5c183ac544f028bb836ed4af35ca4d5dd6
-  data.tar.gz: 270717db4dbf29ba4a5356fd682e01a5faef0dba3847b231394e6ffd4dc7bdb2ab659a73ad7e74a4edb94b190af190dfe9ef66adf506cf0e27dc2b83e0c67b40
+  metadata.gz: b3d53af79ae673e177030f52176c93d7ba6e44aaf8c85bdbfa36f54404daa10fa7fc30ccac7ef7684562f8ced86e01e5b2d4a1c05f9e6ed83b88d60934ae714f
+  data.tar.gz: b1a74f4130768e4112aec5dcb1eb2bb07a16358eef146517e12af84370098582ac036621a2a529b1c2208cb185960ac7e7cd4d574c72f3c957cbeebb3e5a33c5

data/.rspec

@@ -1,2 +1,3 @@
 --color
---format progress
+--warnings
+--require spec_helper

data/.travis.yml

@@ -1,5 +1,7 @@
 language: ruby
+cache: bundler
 script: bundle exec rspec
+sudo: false
 rvm:
   - 1.9.3
   - 2.0.0

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.2.0 (2016-03-28)
+
+  * Normalize redirect URL to avoid XSS vulnerability ([Thomas Maurer][tma])
+  * Remove `:force_ssl` option in favor of using [rack-ssl][rack-ssl]
+    ([Nathaniel Bibler][nbibler])
+
+[rack-ssl]: http://rubygems.org/gems/rack-ssl
+
 ## 0.1.0 (2014-04-16)
 
   * Add `:force_ssl` option ([Jeff Carbonella][jcarbo])
@@ -45,11 +53,12 @@
 
   * Initial release ([Tyler Hunt][tylerhunt])
 
-[jcarbo]: http://github.com/jcarbo
 [finack]: http://github.com/finack
 [firedev]: http://github.com/firedev
+[jcarbo]: http://github.com/jcarbo
 [jellybob]: http://github.com/jellybob
 [jschuur]: http://github.com/jschuur
 [nbibler]: http://github.com/nbibler
 [rubymaverick]: http://github.com/ericallam
+[tma]: http://github.com/tma
 [tylerhunt]: http://github.com/tylerhunt

data/README.md

@@ -4,11 +4,10 @@ Rack middleware that lets you define a single host name as the canonical host
 for your application. Requests for other host names will then be redirected to
 the canonical host.
 
-[![Build Status][travis-image]][travis]
-
-[travis]: http://travis-ci.org/tylerhunt/rack-canonical-host
-[travis-image]: https://secure.travis-ci.org/tylerhunt/rack-canonical-host.png
-
+[![Gem Version](https://img.shields.io/gem/v/rack-canonical-host.svg)](http://rubygems.org/gems/rack-canonical-host)
+[![Build Status](https://img.shields.io/travis/tylerhunt/rack-canonical-host/master.svg)](https://travis-ci.org/tylerhunt/rack-canonical-host)
+[![Code Climate](https://img.shields.io/codeclimate/github/tylerhunt/rack-canonical-host.svg)](https://codeclimate.com/github/tylerhunt/rack-canonical-host)
+[![Dependency Status](https://gemnasium.com/tylerhunt/rack-canonical-host.svg)](https://gemnasium.com/tylerhunt/rack-canonical-host)
 
 ## Installation
 
@@ -96,16 +95,6 @@ use Rack::CanonicalHost, 'example.com', if: /.*\.example\.com/
 use Rack::CanonicalHost, 'example.ru', if: /.*\.example\.ru/
 ```
 
-If you'd like to enforce the use of HTTPS, use the `:force_ssl` option:
-
-``` ruby
-use Rack::CanonicalHost, 'example.com', force_ssl: true
-```
-
-In this case, requests like `http://example.com` will be redirected to
-`https://example.com`.
-
-
 ## Contributing
 
   1. Fork it
@@ -120,6 +109,7 @@ In this case, requests like `http://example.com` will be redirected to
 Thanks to the following people who have contributed patches or helpful
 suggestions:
 
+  * [Thomas Maurer](https://github.com/tma)
   * [Jeff Carbonella](https://github.com/jcarbo)
   * [Joost Schuur](https://github.com/jellybob)
   * [Jon Wood](https://github.com/jellybob)
@@ -131,5 +121,6 @@ suggestions:
 
 ## Copyright
 
-Copyright © 2009-2012 Tyler Hunt.
+Copyright © 2009-2016 Tyler Hunt.
+
 Released under the terms of the MIT license. See LICENSE for details.

data/lib/rack/canonical_host.rb

@@ -5,27 +5,34 @@ require 'rack/canonical_host/version'
 module Rack
   class CanonicalHost
     def initialize(app, host=nil, options={}, &block)
-      @app = app
-      @host = host
-      @options = options
-      @block = block
+      self.app = app
+      self.host = host
+      self.options = options
+      self.block = block
     end
 
     def call(env)
-      host = host(env)
-      redirect = Redirect.new(env, host, @options)
+      host = evaluate_host(env)
+      redirect = Redirect.new(env, host, options)
 
       if redirect.canonical?
-        @app.call(env)
+        app.call(env)
       else
         redirect.response
       end
     end
 
+  protected
+
+    attr_accessor :app
+    attr_accessor :host
+    attr_accessor :options
+    attr_accessor :block
+
   private
 
-    def host(env)
-      @block ? @block.call(env) || @host : @host
+    def evaluate_host(env)
+      block and block.call(env) or host
     end
   end
 end

data/lib/rack/canonical_host/redirect.rb

@@ -1,4 +1,5 @@
 require 'addressable/uri'
+require 'rack'
 
 module Rack
   class CanonicalHost
@@ -15,56 +16,64 @@ module Rack
       HTML
 
       def initialize(env, host, options={})
-        @env = env
-        @host = host
-        @force_ssl = options[:force_ssl]
-        @ignore = Array(options[:ignore])
-        @if = Array(options[:if])
+        self.env = env
+        self.host = host
+        self.ignore = Array(options[:ignore])
+        self.conditions = Array(options[:if])
       end
 
       def canonical?
-        (known? && ssl?) || ignored? || !conditions_match?
+        return true unless enabled?
+        known? || ignored?
       end
 
       def response
-        headers = { 'Location' => new_url, 'Content-Type' => 'text/html' }
         [301, headers, [HTML_TEMPLATE % new_url]]
       end
 
+    protected
+
+      attr_accessor :env
+      attr_accessor :host
+      attr_accessor :ignore
+      attr_accessor :conditions
+
     private
 
-      def known?
-        @host.nil? || request_uri.host == @host
+      def any_match?(patterns, string)
+        patterns.any? { |pattern| string[pattern] }
       end
 
-      def ssl?
-        !@force_ssl || request_uri.scheme == "https"
+      def headers
+        {
+          'Location' => new_url,
+          'Content-Type' => 'text/html',
+        }
       end
 
-      def ignored?
-        @ignore && @ignore.include?(request_uri.host)
+      def enabled?
+        return true if conditions.empty?
+
+        conditions.include?(request_uri.host) ||
+          any_match?(conditions, request_uri.host)
       end
 
-      def conditions_match?
-        return true unless @if.size > 0
-        @if.include?( request_uri.host ) || any_regexp_match?( @if, request_uri.host )
+      def ignored?
+        ignore.include?(request_uri.host)
       end
-      private :conditions_match?
 
-      def any_regexp_match?( regexp_array, string )
-        regexp_array.any?{ |r| string[r] }
+      def known?
+        host.nil? || request_uri.host == host
       end
-      private :any_regexp_match?
 
       def new_url
-        request_uri.tap { |uri|
-          uri.host = @host if @host
-          uri.scheme = "https" if @force_ssl
-        }.to_s
+        uri = request_uri.dup
+        uri.host = host
+        uri.normalize.to_s
       end
 
       def request_uri
-        Addressable::URI.parse(Rack::Request.new(@env).url)
+        @request_uri ||= Addressable::URI.parse(Rack::Request.new(env).url)
       end
     end
   end

data/lib/rack/canonical_host/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class CanonicalHost
-    VERSION = '0.1.0'
+    VERSION = '0.2.0'
   end
 end

data/rack-canonical-host.gemspec

@@ -7,9 +7,10 @@ Gem::Specification.new do |gem|
   gem.homepage = 'http://github.com/tylerhunt/rack-canonical-host'
   gem.author = 'Tyler Hunt'
 
-  gem.add_dependency 'addressable'
+  gem.add_dependency 'addressable', '> 0', '< 3'
   gem.add_dependency 'rack', '~> 1.0'
-  gem.add_development_dependency 'rspec', '~> 2.0'
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec', '~> 3.0'
 
   gem.files = `git ls-files`.split($\)
   gem.executables = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }

data/spec/rack/canonical_host_spec.rb

@@ -1,10 +1,10 @@
 require 'spec_helper'
 
 describe Rack::CanonicalHost do
-  let(:response) { [200, { 'Content-Type' => 'text/plain' }, 'OK'] }
+  let(:response) { [200, { 'Content-Type' => 'text/plain' }, ['OK']] }
   let(:inner_app) { lambda { |env| response } }
 
-  def build_app(host=nil, options={}, inner_app=inner_app, &block)
+  def build_app(host=nil, options={}, inner_app=inner_app(), &block)
     Rack::Builder.new do
       use Rack::Lint
       use Rack::CanonicalHost, host, options, &block
@@ -19,7 +19,7 @@ describe Rack::CanonicalHost do
       it { should_not be_redirect }
 
       it 'calls the inner app' do
-        inner_app.should_receive(:call).with(env).and_return(response)
+        expect(inner_app).to receive(:call).with(env).and_return(response)
         subject
       end
     end
@@ -32,7 +32,7 @@ describe Rack::CanonicalHost do
       it { should be_redirect.via(301).to('http://example.com/full/path') }
 
       it 'does not call the inner app' do
-        inner_app.should_not_receive(:call)
+        expect(inner_app).to_not receive(:call)
         subject
       end
     end
@@ -54,6 +54,23 @@ describe Rack::CanonicalHost do
       include_context 'a matching request'
     end
 
+    context 'with an X-Forwarded-Host' do
+      let(:app) { build_app('example.com') }
+      let(:url) { 'http://proxied.url/full/path' }
+
+      context 'which matches the canonical host' do
+        let(:env) { Rack::MockRequest.env_for(url, 'HTTP_X_FORWARDED_HOST' => 'example.com:80') }
+
+        include_context 'a matching request'
+      end
+
+      context 'which does not match the canonical host' do
+        let(:env) { Rack::MockRequest.env_for(url, 'HTTP_X_FORWARDED_HOST' => 'www.example.com:80') }
+
+        include_context 'a non-matching request'
+      end
+    end
+
     context 'without any options' do
       let(:app) { build_app('example.com') }
 
@@ -79,7 +96,7 @@ describe Rack::CanonicalHost do
         it { should_not be_redirect }
 
         it 'calls the inner app' do
-          inner_app.should_receive(:call).with(env).and_return(response)
+          expect(inner_app).to receive(:call).with(env).and_return(response)
           subject
         end
       end
@@ -117,34 +134,6 @@ describe Rack::CanonicalHost do
 
     end
 
-    context 'with :force_ssl option' do
-      let(:app) { build_app('example.com', :force_ssl => true) }
-
-      context 'with a non-ssl request' do
-        let(:url) { 'http://example.com/full/path' }
-        it { should be_redirect.to('https://example.com/full/path') }
-      end
-
-      context 'with an ssl request' do
-        let(:url) { 'https://example.com/full/path' }
-        it { should_not be_redirect }
-      end
-
-      context 'when host is not set' do
-        let(:app) { build_app(nil, :force_ssl => true) }
-        let(:url) { 'http://example.com/full/path' }
-
-        it { should be_redirect.to('https://example.com/full/path') }
-      end
-
-      context 'when :forse_ssl is false' do
-        let(:app) { build_app('example.com', :force_ssl => false) }
-        let(:url) { 'http://example.com/full/path' }
-
-        it { should_not be_redirect }
-      end
-    end
-
     context 'with a block' do
       let(:app) { build_app { 'example.com' } }
 
@@ -156,5 +145,18 @@ describe Rack::CanonicalHost do
         include_context 'matching and non-matching requests'
       end
     end
+
+    context 'with URL containing JavaScript XSS' do
+      let(:url) { 'http://subdomain.example.net/full/path' }
+      let(:env) do
+        Rack::MockRequest.env_for(url).tap do |env|
+          env['QUERY_STRING'] = '"><script>alert(73541);</script>'
+        end
+      end
+
+      let(:app) { build_app('example.com') }
+
+      it { should be_redirect.to('http://example.com/full/path?%22%3E%3Cscript%3Ealert(73541)%3B%3C/script%3E') }
+    end
   end
 end

data/spec/spec_helper.rb

@@ -5,7 +5,22 @@ Dir[File.expand_path('../support/**/*.rb', __FILE__)].each do |file|
 end
 
 RSpec.configure do |config|
-  config.treat_symbols_as_metadata_keys_with_true_values = true
-  config.run_all_when_everything_filtered = true
   config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  config.order = :random
+  Kernel.srand config.seed
+
+  if config.files_to_run.one?
+    config.default_formatter = 'doc'
+  end
+
+  config.expect_with :rspec do |expectations|
+    expectations.syntax = :expect
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.syntax = :expect
+    mocks.verify_partial_doubles = true
+  end
 end

data/spec/support/matchers/be_redirect.rb

@@ -34,11 +34,11 @@ module BeRedirect
       end
     end
 
-    def failure_message_for_should
+    def failure_message
       "Expected response to #{description}"
     end
 
-    def failure_message_for_should_not
+    def failure_message_when_negated
       "Did not expect response to #{description}"
     end
 

metadata

@@ -1,66 +1,86 @@
 --- !ruby/object:Gem::Specification
 name: rack-canonical-host
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Tyler Hunt
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-17 00:00:00.000000000 Z
+date: 2016-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">"
       - !ruby/object:Gem::Version
         version: '0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">"
       - !ruby/object:Gem::Version
         version: '0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 description: 
 email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -83,17 +103,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Rack middleware for defining a canonical host name.