rack-cleanser 0.1.0

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.0
+before_install: gem install bundler -v 1.15.2

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at open.source@ribose.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,9 @@
+# (c) Copyright 2017 Ribose Inc.
+#
+
+source "https://rubygems.org"
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in rack-cleanser.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Ribose Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.adoc

@@ -0,0 +1,57 @@
+= Rack::Cleanser
+:source-highlighter: pygments
+:pygments-style: native
+:pygments-linenums-mode: inline
+
+image:https://img.shields.io/gem/v/rack-cleanser.svg["Gem Version", link="https://rubygems.org/gems/rack-cleanser"]
+image:https://img.shields.io/travis/riboseinc/rack-cleanser/master.svg["Build Status", link="https://travis-ci.org/riboseinc/rack-cleanser"]
+image:https://img.shields.io/codeclimate/github/riboseinc/rack-cleanser.svg["Code Climate", link="https://codeclimate.com/github/riboseinc/rack-cleanser"]
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/rack/cleanser`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+== Installation
+
+Add this line to your application's Gemfile:
+
+[source,ruby]
+----
+gem 'rack-cleanser'
+----
+
+And then execute:
+
+[source,sh]
+----
+$ bundle
+----
+
+Or install it yourself as:
+
+[source,sh]
+----
+$ gem install rack-cleanser
+----
+
+== Usage
+
+TODO: Write usage instructions here
+
+== Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to https://rubygems.org[rubygems.org].
+
+== Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/riboseinc/rack-cleanser. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the http://contributor-covenant.org[Contributor Covenant] code of conduct.
+
+== License
+
+The gem is available as open source under the terms of the http://opensource.org/licenses/MIT[MIT License].
+
+== Code of Conduct
+
+Everyone interacting in the Rack::Cleanser project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the https://github.com/riboseinc/rack-cleanser/blob/master/CODE_OF_CONDUCT.md[code of conduct].

data/Rakefile

@@ -0,0 +1,12 @@
+# (c) Copyright 2017 Ribose Inc.
+#
+
+# Hashrocket style looks better when describing task dependencies.
+# rubocop:disable Style/HashSyntax
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rack/cleanser"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rack/cleanser.rb

@@ -0,0 +1,76 @@
+# (c) Copyright 2017 Ribose Inc.
+#
+
+require "rack"
+require "rack/cleanser/version"
+require "forwardable"
+require "json"
+require "pp"
+
+module Rack
+  class Cleanser
+    autoload :ParamLengthLimiter, "rack/cleanser/param_length_limiter"
+    autoload :InvalidURIEncoding, "rack/cleanser/invalid_uri_encoding"
+
+    class << self
+      attr_accessor :oversize_response
+
+      def limit_param_length(name, options = {}, &block)
+        param_length_limits[name] = ParamLengthLimiter.new(name, options, block)
+      end
+
+      def filter_bad_uri_encoding
+        @want_uri_encoding_filtering = true
+      end
+
+      def param_length_limits
+        @param_length_limits ||= {}
+      end
+
+      def filter_bad_uri_encoding!(env)
+        InvalidURIEncoding.new[env] if @want_uri_encoding_filtering
+      end
+
+      def limit_param_length!(env)
+        param_length_limits.each do |_name, limit|
+          limit[env]
+        end
+      end
+
+      def clear!
+        @want_uri_encoding_filtering = false
+        @param_length_limits         = {}
+      end
+
+      def cleanse!(env)
+        limit_param_length!(env)
+        filter_bad_uri_encoding!(env)
+      end
+    end
+
+    def initialize(app)
+      @app = app
+    end
+
+    @oversize_response = lambda { |_env, exn|
+      [
+        413,
+        { "Content-Type" => "application/json" },
+        [{
+          error_message: "Request entity too large, #{exn.message}",
+        }.to_json],
+      ]
+    }
+
+    def call(env)
+      cleanse!(env)
+      @app.call(env)
+    rescue RequestTooLargeException => e
+      self.class.oversize_response.call(env, e)
+    end
+
+    extend Forwardable
+    def_delegators self,
+                   :cleanse!
+  end
+end

data/lib/rack/cleanser/invalid_uri_encoding.rb

@@ -0,0 +1,96 @@
+# (c) Copyright 2017 Ribose Inc.
+#
+
+# This is a middleware to check for invalid user's request path and request
+# parameters.
+module Rack
+  class Cleanser
+    class InvalidURIEncoding
+      # General Checking for user's input params
+      # throw 404 if params contain abnormal input
+      def check_encoding(query)
+        # make sure all params have valid encoding
+        all_values_for_hash(query).each do |param|
+          if param.respond_to?(:valid_encoding?) && !param.valid_encoding?
+            return :bad_encoding
+          end
+        end
+      end
+
+      def check_nested(query)
+        Rack::Utils.parse_nested_query(query)
+      rescue
+        :bad_query
+      end
+
+      # to get all values from a nested hash (i.e a hash contains hashes/arrays)
+      # e.g. {:a => 1, :b => {:ba => 2, :bb => [3, 4]}} gives you [1, 2, 3, 4]
+      def all_values_for_hash(hash)
+        result = []
+        hash.values.each do |hash_value|
+          case hash_value
+          when Hash
+            result += all_values_for_hash(hash_value)
+          when Array
+            # convert the array to hash
+            sub_hash = Hash[
+              hash_value.flatten.map.with_index do |value, index|
+                [index, value]
+              end
+            ]
+            result += all_values_for_hash(sub_hash)
+          else
+            result << hash_value
+          end
+        end
+        result
+      end
+
+      def [](env)
+        # Check and clean up trailing % characters by replacing them with their
+        # encoded equivalent %25
+        %w[
+          HTTP_REFERER
+          PATH_INFO
+          QUERY_STRING
+          REQUEST_PATH
+          REQUEST_URI
+          HTTP_X_FORWARDED_HOST
+        ].each do |key|
+          unless /\A(?:%[0-9a-fA-F]{2}|[^%])*\z/.match?(env[key].to_s)
+            env[key] = env[key].gsub(/%(?![0-9a-fA-F]{2})/, "%25")
+          end
+          raise_404_error if check_nested(env[key]) == :bad_query
+        end
+
+        # use these methods to get params as there is conflict with openresty
+        # request_params = Rack::Request.new(env).params
+        post_params = {}
+
+        post_params = if env["CONTENT_TYPE"].match?(%r{\Amultipart/form-data.*boundary=\"?([^\";,]+)\"?}n)
+                        {}
+                      else
+                        Rack::Utils.parse_query(env["rack.input"].read, "&")
+                      end
+
+        get_params = Rack::Utils.parse_query(env["QUERY_STRING"], "&")
+        request_params = {}.merge(get_params).merge(post_params)
+
+        # Because env['rack.input'] is String IO object, so we need to rewind
+        # that to ensure it can be read again by others.
+        env["rack.input"].rewind
+
+        raise_404_error if check_encoding(request_params) == :bad_encoding
+
+        # make sure the authenticity token is a string
+        request_params.keys.each do |key|
+          raise_404_error if key.match?(/\Aauthenticity_token\[(.)*\]\z/)
+        end
+      end
+
+      def raise_404_error
+        raise ActionController::RoutingError.new("Not Found")
+      end
+    end
+  end
+end

data/lib/rack/cleanser/param_length_limiter.rb

@@ -0,0 +1,73 @@
+# (c) Copyright 2017 Ribose Inc.
+#
+
+# URL:
+# https://content.pivotal.io/blog/sanitizing-post-params-with-custom-rack-middleware
+#
+module Rack
+  class Cleanser
+    class RequestTooLargeException < RuntimeError; end
+
+    class ParamLengthLimiter
+      def initialize(name, options, block)
+        @name               = name
+        @default_max_length = options[:default] || 2048
+        @block              = block
+      end
+
+      attr_reader :env
+
+      def filter_exceptions
+        env["CONTENT_TYPE"] !~ %r{\Amultipart/form-data.*boundary=\"?([^\";,]+)\"?}n
+      end
+
+      # 2048 is arbitrary
+      # In characters.
+      def max_length
+        result = @block.call(env)
+
+        if result.is_a? Integer
+          result
+        else
+          @default_max_length
+        end
+      end
+
+      def check_val(val)
+        case val
+        when String then
+          if val.length > max_length
+            raise RequestTooLargeException, "#{val.length} >= #{max_length}"
+          end
+        end
+      end
+
+      def scrub!
+        rack_input = env["rack.input"].read
+        params = Rack::Utils.parse_query(rack_input, "&") if filter_exceptions
+
+        traverse_hash(params) do |val|
+          check_val(val)
+        end
+      ensure
+        env["rack.input"].rewind
+      end
+
+      # Recursively traverse values of given Hash with given block.
+      def traverse_hash(hash_or_not, &blk)
+        case hash_or_not
+        when Hash then
+          hash_or_not.each_pair do |_k, v|
+            traverse_hash(v, &blk)
+          end
+        else yield hash_or_not
+        end
+      end
+
+      def [](env)
+        @env = env
+        scrub!
+      end
+    end
+  end
+end