rack-cloudflare_middleware 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. checksums.yaml +4 -4
  2. data/.github/dependabot.yml +4 -0
  3. data/.github/workflows/ci.yml +9 -9
  4. data/.github/workflows/release.yml +3 -3
  5. data/.pre-commit-config.yaml +1 -1
  6. data/CHANGELOG.md +10 -0
  7. data/Gemfile +1 -1
  8. data/Gemfile.lock +36 -23
  9. data/README.md +9 -0
  10. data/lib/rack/cloudflare_middleware/deny_others.rb +3 -2
  11. data/lib/rack/cloudflare_middleware/trusted_ips.rb +2 -2
  12. data/lib/rack/cloudflare_middleware/version.rb +1 -1
  13. data/rack-cloudflare_middleware.gemspec +2 -0
  14. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1d791a3a095bff874bd6a9f6b400a03d1d9a442417720af6dc504738048f5011
4
- data.tar.gz: 75d1b89659db8315982e2ce22020611f4522c9d80b6e25253bf3132d3529babe
3
+ metadata.gz: 94b610b53380179d91c61ccbbbf7b4c624daf3e8fa35cd27d5af29be5162943f
4
+ data.tar.gz: e1448c8c0781ce69c42725372a711d3e382f646164ea4d03d5cd10519a3b7d74
5
5
  SHA512:
6
- metadata.gz: 0cd8c07c159038648cd922543f0ab50a764ee99075a02fd4a1a2b6b11c5d8f2f53351f71646790e864e0e3e559f7e28256240ee99512f1b99a710b6577eba1ab
7
- data.tar.gz: 8fc4cbc087364618a42298f20bc23a6e46be124db6f509ece22ddb5971d1bda081019b2a479cb563bfb40a21e1d11178a686368cb249b19bc2d57c70cab7661c
6
+ metadata.gz: ba708b039e3745945858582255235c6665ba932e3879874f321f006f7d66d193e24d121948c0a5c61d230d361edc20bab8bfa1aaa21eb71b07a91f29bf316fb7
7
+ data.tar.gz: 96a5395cdc80a1dbe181522b35dbc2868d49ad9b9d2964b895e118323ef2d139ade65caee49403e685e55fdd109ade8093173a102f3288e47bf5574ccb4bdffc
data/.github/dependabot.yml CHANGED
@@ -10,6 +10,8 @@ updates:
10
10
  schedule:
11
11
  interval: "weekly"
12
12
  day: "wednesday"
13
+ reviewers:
14
+ - instrumentl/code-reviewers
13
15
  labels:
14
16
  - ":robot: dependabot"
15
17
  - ":octocat: github-actions"
@@ -23,3 +25,5 @@ updates:
23
25
  - ":robot: dependabot"
24
26
  - ":gem: ruby"
25
27
  - ":heavy_plus_sign: dependencies"
28
+ reviewers:
29
+ - instrumentl/code-reviewers
data/.github/workflows/ci.yml CHANGED
@@ -16,12 +16,12 @@ jobs:
16
16
  strategy:
17
17
  fail-fast: true
18
18
  matrix:
19
- ruby: ["2.7", "3.0", "3.1", "3.2"]
19
+ ruby: ["2.7", "3.0", "3.1", "3.2", "3.3"]
20
20
  steps:
21
21
  - name: Checkout code
22
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
22
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
23
23
  - name: Install Ruby and gems
24
- uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
24
+ uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
25
25
  with:
26
26
  bundler-cache: true
27
27
  ruby-version: ${{ matrix.ruby }}
@@ -35,17 +35,17 @@ jobs:
35
35
  contents: read
36
36
  steps:
37
37
  - name: Checkout code
38
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
38
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
39
39
  - name: Install Ruby and gems
40
- uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
40
+ uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
41
41
  with:
42
42
  bundler-cache: true
43
- ruby-version: "3.1"
43
+ ruby-version: "3.3"
44
44
  - name: Bundle Audit Check
45
45
  run: bundle exec bundle-audit update && bundle exec bundle-audit check
46
46
  - name: Setup Python
47
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
47
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
48
48
  with:
49
- python-version: "3.10"
49
+ python-version: "3.12"
50
50
  - name: Run pre-commit
51
- uses: pre-commit/action@5f528da5c95691c4cf42ff76a4d10854b62cbb82
51
+ uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
data/.github/workflows/release.yml CHANGED
@@ -7,12 +7,12 @@ jobs:
7
7
  runs-on: ubuntu-latest
8
8
  steps:
9
9
  - name: Checkout code
10
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
10
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
11
11
  - name: Install Ruby and gems
12
- uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
12
+ uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
13
13
  with:
14
14
  bundler-cache: true
15
- ruby-version: "3.2"
15
+ ruby-version: "3.3"
16
16
  - name: Publish gem
17
17
  run: |
18
18
  umask 077
data/.pre-commit-config.yaml CHANGED
@@ -12,6 +12,6 @@ repos:
12
12
  exclude: '^spec/data/'
13
13
  - id: check-merge-conflict
14
14
  - repo: https://github.com/instrumentl/pre-commit-standardrb.git
15
- rev: '1ae56c7524a2d48cd2b7ca1f74bdb0cdd454477e'
15
+ rev: 'v1.34.0'
16
16
  hooks:
17
17
  - id: standardrb
data/CHANGELOG.md CHANGED
@@ -1,3 +1,13 @@
1
+ v1.2.1 - 2024-02-23
2
+ -------------------
3
+ - Update cloudflare trusted IP URL to include new required trailing slash
4
+ - Many dependabot bumps
5
+
6
+ v1.2.0 - 2023-06-05
7
+ -------------------
8
+ - Set `required_ruby_version` in the gemspec
9
+ - Add `trusted_request_proc` kwarg to DenyOthers middleware
10
+
1
11
  v1.1.0 - 2023-03-31
2
12
  -------------------
3
13
  - Expand requirements to allow using Rack 3.x
data/Gemfile CHANGED
@@ -13,6 +13,6 @@ group :development, :test do
13
13
  gem "rack-test", "~> 2"
14
14
  gem "standard", "~> 1"
15
15
  gem "pry"
16
- gem "webmock", "~> 3.18"
16
+ gem "webmock", "~> 3.19"
17
17
  gem "bundle-audit", "~> 0.1.0"
18
18
  end
data/Gemfile.lock CHANGED
@@ -1,14 +1,14 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- rack-cloudflare_middleware (1.1.0)
4
+ rack-cloudflare_middleware (1.2.1)
5
5
  faraday (>= 1.0, < 3)
6
6
  rack (>= 2, < 4)
7
7
 
8
8
  GEM
9
9
  remote: https://rubygems.org/
10
10
  specs:
11
- addressable (2.8.1)
11
+ addressable (2.8.5)
12
12
  public_suffix (>= 2.0.2, < 6.0)
13
13
  ast (2.4.2)
14
14
  bundle-audit (0.1.0)
@@ -20,28 +20,31 @@ GEM
20
20
  crack (0.4.5)
21
21
  rexml
22
22
  diff-lcs (1.5.0)
23
- faraday (2.7.4)
23
+ faraday (2.7.10)
24
24
  faraday-net_http (>= 2.0, < 3.1)
25
25
  ruby2_keywords (>= 0.0.4)
26
26
  faraday-net_http (3.0.2)
27
27
  hashdiff (1.0.1)
28
- json (2.6.3)
28
+ json (2.7.1)
29
29
  language_server-protocol (3.17.0.3)
30
+ lint_roller (1.1.0)
30
31
  method_source (1.0.0)
31
- parallel (1.22.1)
32
- parser (3.2.1.1)
32
+ parallel (1.24.0)
33
+ parser (3.3.0.5)
33
34
  ast (~> 2.4.1)
35
+ racc
34
36
  pry (0.14.2)
35
37
  coderay (~> 1.1)
36
38
  method_source (~> 1.0)
37
- public_suffix (5.0.1)
38
- rack (3.0.7)
39
+ public_suffix (5.0.3)
40
+ racc (1.7.3)
41
+ rack (3.0.9.1)
39
42
  rack-test (2.1.0)
40
43
  rack (>= 1.3)
41
44
  rainbow (3.1.1)
42
45
  rake (13.0.6)
43
- regexp_parser (2.7.0)
44
- rexml (3.2.5)
46
+ regexp_parser (2.9.0)
47
+ rexml (3.2.6)
45
48
  rspec (3.12.0)
46
49
  rspec-core (~> 3.12.0)
47
50
  rspec-expectations (~> 3.12.0)
@@ -58,36 +61,46 @@ GEM
58
61
  diff-lcs (>= 1.2.0, < 2.0)
59
62
  rspec-support (~> 3.12.0)
60
63
  rspec-support (3.12.0)
61
- rubocop (1.48.1)
64
+ rubocop (1.60.2)
62
65
  json (~> 2.3)
66
+ language_server-protocol (>= 3.17.0)
63
67
  parallel (~> 1.10)
64
- parser (>= 3.2.0.0)
68
+ parser (>= 3.3.0.2)
65
69
  rainbow (>= 2.2.2, < 4.0)
66
70
  regexp_parser (>= 1.8, < 3.0)
67
71
  rexml (>= 3.2.5, < 4.0)
68
- rubocop-ast (>= 1.26.0, < 2.0)
72
+ rubocop-ast (>= 1.30.0, < 2.0)
69
73
  ruby-progressbar (~> 1.7)
70
74
  unicode-display_width (>= 2.4.0, < 3.0)
71
- rubocop-ast (1.28.0)
75
+ rubocop-ast (1.30.0)
72
76
  parser (>= 3.2.1.0)
73
- rubocop-performance (1.16.0)
74
- rubocop (>= 1.7.0, < 2.0)
75
- rubocop-ast (>= 0.4.0)
77
+ rubocop-performance (1.20.2)
78
+ rubocop (>= 1.48.1, < 2.0)
79
+ rubocop-ast (>= 1.30.0, < 2.0)
76
80
  ruby-progressbar (1.13.0)
77
81
  ruby2_keywords (0.0.5)
78
- standard (1.25.3)
82
+ standard (1.34.0)
79
83
  language_server-protocol (~> 3.17.0.2)
80
- rubocop (~> 1.48.1)
81
- rubocop-performance (~> 1.16.0)
84
+ lint_roller (~> 1.0)
85
+ rubocop (~> 1.60)
86
+ standard-custom (~> 1.0.0)
87
+ standard-performance (~> 1.3)
88
+ standard-custom (1.0.2)
89
+ lint_roller (~> 1.0)
90
+ rubocop (~> 1.50)
91
+ standard-performance (1.3.1)
92
+ lint_roller (~> 1.1)
93
+ rubocop-performance (~> 1.20.2)
82
94
  thor (1.2.1)
83
- unicode-display_width (2.4.2)
84
- webmock (3.18.1)
95
+ unicode-display_width (2.5.0)
96
+ webmock (3.19.1)
85
97
  addressable (>= 2.8.0)
86
98
  crack (>= 0.3.2)
87
99
  hashdiff (>= 0.4.0, < 2.0.0)
88
100
 
89
101
  PLATFORMS
90
102
  arm64-darwin-22
103
+ arm64-darwin-23
91
104
  x86_64-linux
92
105
 
93
106
  DEPENDENCIES
@@ -101,7 +114,7 @@ DEPENDENCIES
101
114
  rspec (~> 3.0)
102
115
  rspec-its (~> 1.3)
103
116
  standard (~> 1)
104
- webmock (~> 3.18)
117
+ webmock (~> 3.19)
105
118
 
106
119
  BUNDLED WITH
107
120
  2.4.7
data/README.md CHANGED
@@ -42,4 +42,13 @@ use Rack::CloudflareMiddleware::DenyOthers, on_fail_proc: ->(env) do
42
42
  end
43
43
  ```
44
44
 
45
+ `DenyOthers` also takes a `trusted_request_proc` which receives a `Rack::Request` object and should return a boolean of whether or not the request is to be allowed through regardless of Source IP. This is primarily intended for healthchecks. Example usage:
46
+
47
+ ```ruby
48
+ require "rack/cloudflare_middleware"
49
+ use Rack::CloudflareMiddleware::DenyOthers, trusted_request_proc: ->(request) do
50
+ request.path.start_with? "/health/check"
51
+ end
52
+ ```
53
+
45
54
  Both middlewares also include a convenience called `trust_xff_if_private` mode; this will change them to use the right-most contents of `X-Forwarded-For` as `REMOTE_ADDR` if and only if the actual `REMOTE_ADDR` is a private address. This is a moderately-unsafe option, but may be required if your application provider has made poor choices in routing technologies (and, for example, is required on Heroku). If you're in this state, you should tell your provider to use the PROXY protocol internally instead of `X-Forwarded-For`. There have been many security issues related to Heroku's poor parsing of `X-Forwarded-For` in their router/load-balancer layer, and may be more in the future.
data/lib/rack/cloudflare_middleware/deny_others.rb CHANGED
@@ -3,8 +3,9 @@
3
3
  module Rack
4
4
  module CloudflareMiddleware
5
5
  class DenyOthers
6
- def initialize(app, allow_private: false, on_fail_proc: nil, trust_xff_if_private: false)
6
+ def initialize(app, allow_private: false, trusted_request_proc: nil, on_fail_proc: nil, trust_xff_if_private: false)
7
7
  @allow_private = allow_private
8
+ @trusted_request_proc = trusted_request_proc
8
9
  @on_fail_proc = on_fail_proc
9
10
  @trust_xff_if_private = trust_xff_if_private
10
11
  @app = app
@@ -13,7 +14,7 @@ module Rack
13
14
  def call(env)
14
15
  TrustedIps.instance.check_update
15
16
  remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
16
- if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr)
17
+ if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr) || @trusted_request_proc&.call(Rack::Request.new(env))
17
18
  @app.call(env)
18
19
  elsif @on_fail_proc.nil?
19
20
  default_on_fail(remote_addr)
data/lib/rack/cloudflare_middleware/trusted_ips.rb CHANGED
@@ -40,8 +40,8 @@ module Rack
40
40
  end
41
41
 
42
42
  def update!
43
- read_network "https://www.cloudflare.com/ips-v4", 4
44
- read_network "https://www.cloudflare.com/ips-v6", 6
43
+ read_network "https://www.cloudflare.com/ips-v4/", 4
44
+ read_network "https://www.cloudflare.com/ips-v6/", 6
45
45
  end
46
46
 
47
47
  def check_update
data/lib/rack/cloudflare_middleware/version.rb CHANGED
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Rack
4
4
  module CloudflareMiddleware
5
- VERSION = "1.1.0"
5
+ VERSION = "1.2.1"
6
6
  end
7
7
  end
data/rack-cloudflare_middleware.gemspec CHANGED
@@ -21,6 +21,8 @@ Gem::Specification.new do |spec|
21
21
  end
22
22
  spec.require_paths = ["lib"]
23
23
 
24
+ spec.required_ruby_version = ">= 2.7"
25
+
24
26
  spec.add_dependency "faraday", ">= 1.0", "< 3"
25
27
  spec.add_dependency "rack", ">= 2", "< 4"
26
28
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-cloudflare_middleware
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.0
4
+ version: 1.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - James Brown
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-03-31 00:00:00.000000000 Z
11
+ date: 2024-02-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: faraday
@@ -144,14 +144,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
144
144
  requirements:
145
145
  - - ">="
146
146
  - !ruby/object:Gem::Version
147
- version: '0'
147
+ version: '2.7'
148
148
  required_rubygems_version: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - ">="
151
151
  - !ruby/object:Gem::Version
152
152
  version: '0'
153
153
  requirements: []
154
- rubygems_version: 3.4.10
154
+ rubygems_version: 3.5.3
155
155
  signing_key:
156
156
  specification_version: 4
157
157
  summary: Rack middleware for handling Cloudflare remote IP headers