RubyGems - rack-cloudflare_middleware - Versions diffs - 1.0.0 → 1.2.0 - Mend

rack-cloudflare_middleware 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +6 -6
data/.github/workflows/release.yml +2 -2
data/.pre-commit-config.yaml +1 -1
data/CHANGELOG.md +15 -0
data/Gemfile +1 -1
data/Gemfile.lock +23 -35
data/README.md +25 -0
data/lib/rack/cloudflare_middleware/deny_others.rb +15 -4
data/lib/rack/cloudflare_middleware/rewrite_remote_addr.rb +5 -3
data/lib/rack/cloudflare_middleware/version.rb +1 -1
data/lib/rack/cloudflare_middleware.rb +10 -1
data/rack-cloudflare_middleware.gemspec +3 -1
metadata +13 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e108186bec2a6dff38a2f6fa5edcfd196aa4e2199333a61d8c9a888edf65c3be
-  data.tar.gz: a8e0131c2fd8270784ed1155f114892bc26e3f65bf1eda55a547450bdf272fdb
+  metadata.gz: 1806fad87fa57e8317ff1937cd2cd45db0bcef1b89aabb7ba1c3d4aa71434d22
+  data.tar.gz: 47811778ab426303239fa18e3e29310e5f212cd54740efc71674061e30787c85
 SHA512:
-  metadata.gz: 5762e62571ea9c5dce83039b0616a3074a0ffa0f165430c4cc5dbc5c70ef0d3d34553965abe3f85c3c8e6222f0247290e1acb8a4538538e30bd1b88e6f5bbe7a
-  data.tar.gz: f04fa0b616f69d62f81568dc29c5e0428511a884e774685a6d869dfbef5765c9b0cac577fc42d1f08d747084369a1ff11baba8853cbbc36b71e8fee20e7773b2
+  metadata.gz: '084ac8b92afac4bd6aff7435c56a546c3f4faafaf4124d19a3f542fcef07b43b31ffa1222bccc49d46693deb97db5aad3dfd31f1800cc4dcdd1c7475afe0f806'
+  data.tar.gz: a10319a8ec1dabed6022d7efe051b8af63752f134fbafa4c9fc35d3e563780ec3e3d6fb3de26b81ffc637f1ac0c37ae87a6dabae78cbbeadc2a8b0cbb4d37715

data/.github/workflows/ci.yml CHANGED Viewed

@@ -19,9 +19,9 @@ jobs:
         ruby: ["2.7", "3.0", "3.1", "3.2"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@93287a1fa82c6ddbb6d8db978df4b0119cd8879f
+        uses: ruby/setup-ruby@8a45918450651f5e4784b6031db26f4b9f76b251
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}
@@ -35,17 +35,17 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@93287a1fa82c6ddbb6d8db978df4b0119cd8879f
+        uses: ruby/setup-ruby@8a45918450651f5e4784b6031db26f4b9f76b251
         with:
           bundler-cache: true
           ruby-version: "3.1"
       - name: Bundle Audit Check
         run: bundle exec bundle-audit update && bundle exec bundle-audit check
       - name: Setup Python
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
         with:
           python-version: "3.10"
       - name: Run pre-commit
-        uses: pre-commit/action@efd3bcfec120bd343786e46318186153b7bc8c68
+        uses: pre-commit/action@5f528da5c95691c4cf42ff76a4d10854b62cbb82

data/.github/workflows/release.yml CHANGED Viewed

@@ -7,9 +7,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@93287a1fa82c6ddbb6d8db978df4b0119cd8879f
+        uses: ruby/setup-ruby@8a45918450651f5e4784b6031db26f4b9f76b251
         with:
           bundler-cache: true
           ruby-version: "3.2"

data/.pre-commit-config.yaml CHANGED Viewed

@@ -12,6 +12,6 @@ repos:
     exclude: '^spec/data/'
   - id: check-merge-conflict
 - repo: https://github.com/instrumentl/pre-commit-standardrb.git
-  rev: '1ae56c7524a2d48cd2b7ca1f74bdb0cdd454477e'
+  rev: 'b9c5657a92bcc2ebfa9ec295754b0c56877fbed8'
   hooks:
     - id: standardrb

data/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,15 @@
+v1.2.0 - 2023-06-05
+-------------------
+- Set `required_ruby_version` in the gemspec
+- Add `trusted_request_proc` kwarg to DenyOthers middleware
+v1.1.0 - 2023-03-31
+-------------------
+- Expand requirements to allow using Rack 3.x
+- Add `trust_xff_if_private` kwarg to both middlewares
+- Add `on_fail_proc` to DenyOthers middleware
+- Bump various build-time dependencies
+v1.0.0 - 2023-03-31
+-------------------
+- Initial release

data/Gemfile CHANGED Viewed

@@ -4,7 +4,7 @@ source "https://rubygems.org"
 gemspec
-gem "faraday", "~> 1.0"
+gem "faraday", "~> 2.7"
 gem "rake", "~> 13.0"
 group :development, :test do

data/Gemfile.lock CHANGED Viewed

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    rack-cloudflare_middleware (1.0.0)
+    rack-cloudflare_middleware (1.2.0)
       faraday (>= 1.0, < 3)
-      rack (~> 2)
+      rack (>= 2, < 4)
 GEM
   remote: https://rubygems.org/
@@ -20,47 +20,28 @@ GEM
     crack (0.4.5)
       rexml
     diff-lcs (1.5.0)
-    faraday (1.10.3)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
+    faraday (2.7.5)
+      faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.2)
     hashdiff (1.0.1)
     json (2.6.3)
     language_server-protocol (3.17.0.3)
+    lint_roller (1.0.0)
     method_source (1.0.0)
-    multipart-post (2.3.0)
-    parallel (1.22.1)
-    parser (3.2.1.1)
+    parallel (1.23.0)
+    parser (3.2.2.1)
       ast (~> 2.4.1)
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (5.0.1)
-    rack (2.2.6.4)
+    rack (3.0.7)
     rack-test (2.1.0)
       rack (>= 1.3)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.7.0)
+    regexp_parser (2.8.0)
     rexml (3.2.5)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
@@ -78,26 +59,33 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.0)
-    rubocop (1.48.1)
+    rubocop (1.50.2)
       json (~> 2.3)
       parallel (~> 1.10)
       parser (>= 3.2.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.26.0, < 2.0)
+      rubocop-ast (>= 1.28.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.28.1)
       parser (>= 3.2.1.0)
     rubocop-performance (1.16.0)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    standard (1.25.3)
+    standard (1.28.4)
       language_server-protocol (~> 3.17.0.2)
-      rubocop (~> 1.48.1)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50.2)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.0.1)
+    standard-custom (1.0.0)
+      lint_roller (~> 1.0)
+    standard-performance (1.0.1)
+      lint_roller (~> 1.0)
       rubocop-performance (~> 1.16.0)
     thor (1.2.1)
     unicode-display_width (2.4.2)
@@ -113,7 +101,7 @@ PLATFORMS
 DEPENDENCIES
   bundle-audit (~> 0.1.0)
   bundler (~> 2)
-  faraday (~> 1.0)
+  faraday (~> 2.7)
   pry
   rack-cloudflare_middleware!
   rack-test (~> 2)

data/README.md CHANGED Viewed

@@ -1,5 +1,8 @@
 This is a small Rack middleware for use with the [Cloudflare](https://www.cloudflare.com/) CDN.
+[![CI](https://github.com/instrumentl/rack-cloudflare_middleware/actions/workflows/ci.yml/badge.svg)](https://github.com/instrumentl/rack-cloudflare_middleware/actions/workflows/ci.yml)
+[![Gem Version](https://badge.fury.io/rb/rack-cloudflare_middleware.svg)](https://badge.fury.io/rb/rack-cloudflare_middleware)
 We include two middlewares:
  * `Rack::CloudflareMiddleware::RewriteRemoteAddr` swaps in `CF-Connecting-IP` for `REMOTE_ADDR` if and only if the "real" remote address is a trusted Cloudflare source IP address.
@@ -27,3 +30,25 @@ run Sinatra::Application
 ```
 The `allow_private` kwarg to `DenyOthers` controls whether or not private and loopback addresses are allowed through. Whether or not you should set this depends on the exact specifics of your deployment environment; often it should be set in development, but not in production.
+`DenyOthers` also takes an `on_fail_proc` kwarg which receives the request environment and should return an appropriate error response (as a standard Rack tuple of `(status, headers, body)`). Example usage:
+```ruby
+require "rack/cloudflare_middleware"
+use Rack::CloudflareMiddleware::DenyOthers, on_fail_proc: ->(env) do
+  MyLogger.warn "Bad request from #{env["REMOTE_ADDR"]}"
+  [403, {"Content-Type" => "text/plain"}, ["you did a bad thing"]]
+end
+```
+`DenyOthers` also takes a `trusted_request_proc` which receives a `Rack::Request` object and should return a boolean of whether or not the request is to be allowed through regardless of Source IP. This is primarily intended for healthchecks. Example usage:
+```ruby
+require "rack/cloudflare_middleware"
+use Rack::CloudflareMiddleware::DenyOthers, trusted_request_proc: ->(request) do
+  request.path.start_with? "/health/check"
+end
+```
+Both middlewares also include a convenience called `trust_xff_if_private` mode; this will change them to use the right-most contents of `X-Forwarded-For` as `REMOTE_ADDR` if and only if the actual `REMOTE_ADDR` is a private address. This is a moderately-unsafe option, but may be required if your application provider has made poor choices in routing technologies (and, for example, is required on Heroku). If you're in this state, you should tell your provider to use the PROXY protocol internally instead of `X-Forwarded-For`. There have been many security issues related to Heroku's poor parsing of `X-Forwarded-For` in their router/load-balancer layer, and may be more in the future.

data/lib/rack/cloudflare_middleware/deny_others.rb CHANGED Viewed

@@ -3,20 +3,31 @@
 module Rack
   module CloudflareMiddleware
     class DenyOthers
-      def initialize(app, allow_private: false)
+      def initialize(app, allow_private: false, trusted_request_proc: nil, on_fail_proc: nil, trust_xff_if_private: false)
         @allow_private = allow_private
+        @trusted_request_proc = trusted_request_proc
+        @on_fail_proc = on_fail_proc
+        @trust_xff_if_private = trust_xff_if_private
         @app = app
       end
       def call(env)
         TrustedIps.instance.check_update
-        remote_addr = IPAddr.new env["REMOTE_ADDR"]
-        if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr)
+        remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
+        if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr) || @trusted_request_proc&.call(Rack::Request.new(env))
           @app.call(env)
+        elsif @on_fail_proc.nil?
+          default_on_fail(remote_addr)
         else
-          ["403", {"Content-Type" => "text/plain"}, ["Forbidden by policy statement"]]
+          @on_fail_proc.call(env)
         end
       end
+      private
+      def default_on_fail(remote_addr)
+        ["403", {"Content-Type" => "text/plain"}, ["Forbidden by policy statement (#{remote_addr})"]]
+      end
     end
   end
 end

data/lib/rack/cloudflare_middleware/rewrite_remote_addr.rb CHANGED Viewed

@@ -3,15 +3,17 @@
 module Rack
   module CloudflareMiddleware
     class RewriteRemoteAddr
-      def initialize(app)
+      def initialize(app, trust_xff_if_private: false)
+        @trust_xff_if_private = trust_xff_if_private
         @app = app
       end
       def call(env)
         TrustedIps.instance.check_update
-        if TrustedIps.instance.include? env["REMOTE_ADDR"]
+        remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
+        if TrustedIps.instance.include? remote_addr
           unless env["HTTP_CF_CONNECTING_IP"].nil?
-            env["HTTP_CF_ORIGINAL_REMOTE_ADDR"] = env["REMOTE_ADDR"]
+            env["HTTP_CF_ORIGINAL_REMOTE_ADDR"] = remote_addr
             env["REMOTE_ADDR"] = env["HTTP_CF_CONNECTING_IP"]
           end
         end

data/lib/rack/cloudflare_middleware/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Rack
   module CloudflareMiddleware
-    VERSION = "1.0.0"
+    VERSION = "1.2.0"
   end
 end

data/lib/rack/cloudflare_middleware.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require "ipaddr"
 require_relative "cloudflare_middleware/version"
 require_relative "cloudflare_middleware/trusted_ips"
 require_relative "cloudflare_middleware/rewrite_remote_addr"
@@ -7,6 +9,13 @@ require_relative "cloudflare_middleware/deny_others"
 module Rack
   module CloudflareMiddleware
-    attr_accessor :logger
+    def self.get_remote_addr(env, trust_xff_if_private)
+      if trust_xff_if_private && IPAddr.new(env["REMOTE_ADDR"]).private? &&
+          !env["HTTP_X_FORWARDED_FOR"].nil? && env["HTTP_X_FORWARDED_FOR"] != ""
+        IPAddr.new(env["HTTP_X_FORWARDED_FOR"].split(",")&.last&.strip)
+      else
+        IPAddr.new(env["REMOTE_ADDR"])
+      end
+    end
   end
 end

data/rack-cloudflare_middleware.gemspec CHANGED Viewed

@@ -21,8 +21,10 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ["lib"]
+  spec.required_ruby_version = ">= 2.7"
   spec.add_dependency "faraday", ">= 1.0", "< 3"
-  spec.add_dependency "rack", "~> 2"
+  spec.add_dependency "rack", ">= 2", "< 4"
   spec.add_development_dependency "bundler", "~> 2"
   spec.add_development_dependency "rake", "~> 13.0"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare_middleware
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.2.0
 platform: ruby
 authors:
 - James Brown
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-31 00:00:00.000000000 Z
+date: 2023-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -34,16 +34,22 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -113,6 +119,7 @@ files:
 - ".gitignore"
 - ".pre-commit-config.yaml"
 - ".rubocop.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -137,14 +144,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Rack middleware for handling Cloudflare remote IP headers