rack-cloudflare_middleware 1.1.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1d791a3a095bff874bd6a9f6b400a03d1d9a442417720af6dc504738048f5011
-  data.tar.gz: 75d1b89659db8315982e2ce22020611f4522c9d80b6e25253bf3132d3529babe
+  metadata.gz: 94b610b53380179d91c61ccbbbf7b4c624daf3e8fa35cd27d5af29be5162943f
+  data.tar.gz: e1448c8c0781ce69c42725372a711d3e382f646164ea4d03d5cd10519a3b7d74
 SHA512:
-  metadata.gz: 0cd8c07c159038648cd922543f0ab50a764ee99075a02fd4a1a2b6b11c5d8f2f53351f71646790e864e0e3e559f7e28256240ee99512f1b99a710b6577eba1ab
-  data.tar.gz: 8fc4cbc087364618a42298f20bc23a6e46be124db6f509ece22ddb5971d1bda081019b2a479cb563bfb40a21e1d11178a686368cb249b19bc2d57c70cab7661c
+  metadata.gz: ba708b039e3745945858582255235c6665ba932e3879874f321f006f7d66d193e24d121948c0a5c61d230d361edc20bab8bfa1aaa21eb71b07a91f29bf316fb7
+  data.tar.gz: 96a5395cdc80a1dbe181522b35dbc2868d49ad9b9d2964b895e118323ef2d139ade65caee49403e685e55fdd109ade8093173a102f3288e47bf5574ccb4bdffc

data/.github/dependabot.yml

@@ -10,6 +10,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "wednesday"
+    reviewers:
+      - instrumentl/code-reviewers
     labels:
       - ":robot: dependabot"
       - ":octocat: github-actions"
@@ -23,3 +25,5 @@ updates:
       - ":robot: dependabot"
       - ":gem: ruby"
       - ":heavy_plus_sign: dependencies"
+    reviewers:
+      - instrumentl/code-reviewers

data/.github/workflows/ci.yml

@@ -16,12 +16,12 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        ruby: ["2.7", "3.0", "3.1", "3.2"]
+        ruby: ["2.7", "3.0", "3.1", "3.2", "3.3"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
+        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}
@@ -35,17 +35,17 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
+        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
         with:
           bundler-cache: true
-          ruby-version: "3.1"
+          ruby-version: "3.3"
       - name: Bundle Audit Check
         run: bundle exec bundle-audit update && bundle exec bundle-audit check
       - name: Setup Python
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
         with:
-          python-version: "3.10"
+          python-version: "3.12"
       - name: Run pre-commit
-        uses: pre-commit/action@5f528da5c95691c4cf42ff76a4d10854b62cbb82
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd

data/.github/workflows/release.yml

@@ -7,12 +7,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Install Ruby and gems
-        uses: ruby/setup-ruby@904f3fef85a9c80a3750cbe7d5159268fd5caa9f
+        uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677
         with:
           bundler-cache: true
-          ruby-version: "3.2"
+          ruby-version: "3.3"
       - name: Publish gem
         run: |
           umask 077

data/.pre-commit-config.yaml

@@ -12,6 +12,6 @@ repos:
     exclude: '^spec/data/'
   - id: check-merge-conflict
 - repo: https://github.com/instrumentl/pre-commit-standardrb.git
-  rev: '1ae56c7524a2d48cd2b7ca1f74bdb0cdd454477e'
+  rev: 'v1.34.0'
   hooks:
     - id: standardrb

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+v1.2.1 - 2024-02-23
+-------------------
+- Update cloudflare trusted IP URL to include new required trailing slash
+- Many dependabot bumps
+
+v1.2.0 - 2023-06-05
+-------------------
+- Set `required_ruby_version` in the gemspec
+- Add `trusted_request_proc` kwarg to DenyOthers middleware
+
 v1.1.0 - 2023-03-31
 -------------------
 - Expand requirements to allow using Rack 3.x

data/Gemfile

@@ -13,6 +13,6 @@ group :development, :test do
   gem "rack-test", "~> 2"
   gem "standard", "~> 1"
   gem "pry"
-  gem "webmock", "~> 3.18"
+  gem "webmock", "~> 3.19"
   gem "bundle-audit", "~> 0.1.0"
 end

data/Gemfile.lock

@@ -1,14 +1,14 @@
 PATH
   remote: .
   specs:
-    rack-cloudflare_middleware (1.1.0)
+    rack-cloudflare_middleware (1.2.1)
       faraday (>= 1.0, < 3)
       rack (>= 2, < 4)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.1)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     bundle-audit (0.1.0)
@@ -20,28 +20,31 @@ GEM
     crack (0.4.5)
       rexml
     diff-lcs (1.5.0)
-    faraday (2.7.4)
+    faraday (2.7.10)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     hashdiff (1.0.1)
-    json (2.6.3)
+    json (2.7.1)
     language_server-protocol (3.17.0.3)
+    lint_roller (1.1.0)
     method_source (1.0.0)
-    parallel (1.22.1)
-    parser (3.2.1.1)
+    parallel (1.24.0)
+    parser (3.3.0.5)
       ast (~> 2.4.1)
+      racc
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.1)
-    rack (3.0.7)
+    public_suffix (5.0.3)
+    racc (1.7.3)
+    rack (3.0.9.1)
     rack-test (2.1.0)
       rack (>= 1.3)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.7.0)
-    rexml (3.2.5)
+    regexp_parser (2.9.0)
+    rexml (3.2.6)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
@@ -58,36 +61,46 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.0)
-    rubocop (1.48.1)
+    rubocop (1.60.2)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.26.0, < 2.0)
+      rubocop-ast (>= 1.30.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.30.0)
       parser (>= 3.2.1.0)
-    rubocop-performance (1.16.0)
-      rubocop (>= 1.7.0, < 2.0)
-      rubocop-ast (>= 0.4.0)
+    rubocop-performance (1.20.2)
+      rubocop (>= 1.48.1, < 2.0)
+      rubocop-ast (>= 1.30.0, < 2.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    standard (1.25.3)
+    standard (1.34.0)
       language_server-protocol (~> 3.17.0.2)
-      rubocop (~> 1.48.1)
-      rubocop-performance (~> 1.16.0)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.60)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.3)
+    standard-custom (1.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50)
+    standard-performance (1.3.1)
+      lint_roller (~> 1.1)
+      rubocop-performance (~> 1.20.2)
     thor (1.2.1)
-    unicode-display_width (2.4.2)
-    webmock (3.18.1)
+    unicode-display_width (2.5.0)
+    webmock (3.19.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
   arm64-darwin-22
+  arm64-darwin-23
   x86_64-linux
 
 DEPENDENCIES
@@ -101,7 +114,7 @@ DEPENDENCIES
   rspec (~> 3.0)
   rspec-its (~> 1.3)
   standard (~> 1)
-  webmock (~> 3.18)
+  webmock (~> 3.19)
 
 BUNDLED WITH
    2.4.7

data/README.md

@@ -42,4 +42,13 @@ use Rack::CloudflareMiddleware::DenyOthers, on_fail_proc: ->(env) do
 end
 ```
 
+`DenyOthers` also takes a `trusted_request_proc` which receives a `Rack::Request` object and should return a boolean of whether or not the request is to be allowed through regardless of Source IP. This is primarily intended for healthchecks. Example usage:
+
+```ruby
+require "rack/cloudflare_middleware"
+use Rack::CloudflareMiddleware::DenyOthers, trusted_request_proc: ->(request) do
+  request.path.start_with? "/health/check"
+end
+```
+
 Both middlewares also include a convenience called `trust_xff_if_private` mode; this will change them to use the right-most contents of `X-Forwarded-For` as `REMOTE_ADDR` if and only if the actual `REMOTE_ADDR` is a private address. This is a moderately-unsafe option, but may be required if your application provider has made poor choices in routing technologies (and, for example, is required on Heroku). If you're in this state, you should tell your provider to use the PROXY protocol internally instead of `X-Forwarded-For`. There have been many security issues related to Heroku's poor parsing of `X-Forwarded-For` in their router/load-balancer layer, and may be more in the future.

data/lib/rack/cloudflare_middleware/deny_others.rb

@@ -3,8 +3,9 @@
 module Rack
   module CloudflareMiddleware
     class DenyOthers
-      def initialize(app, allow_private: false, on_fail_proc: nil, trust_xff_if_private: false)
+      def initialize(app, allow_private: false, trusted_request_proc: nil, on_fail_proc: nil, trust_xff_if_private: false)
         @allow_private = allow_private
+        @trusted_request_proc = trusted_request_proc
         @on_fail_proc = on_fail_proc
         @trust_xff_if_private = trust_xff_if_private
         @app = app
@@ -13,7 +14,7 @@ module Rack
       def call(env)
         TrustedIps.instance.check_update
         remote_addr = Rack::CloudflareMiddleware.get_remote_addr(env, @trust_xff_if_private)
-        if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr)
+        if (@allow_private && (remote_addr.private? || remote_addr.loopback?)) || TrustedIps.instance.include?(remote_addr) || @trusted_request_proc&.call(Rack::Request.new(env))
           @app.call(env)
         elsif @on_fail_proc.nil?
           default_on_fail(remote_addr)

data/lib/rack/cloudflare_middleware/trusted_ips.rb

@@ -40,8 +40,8 @@ module Rack
       end
 
       def update!
-        read_network "https://www.cloudflare.com/ips-v4", 4
-        read_network "https://www.cloudflare.com/ips-v6", 6
+        read_network "https://www.cloudflare.com/ips-v4/", 4
+        read_network "https://www.cloudflare.com/ips-v6/", 6
       end
 
       def check_update

data/lib/rack/cloudflare_middleware/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module CloudflareMiddleware
-    VERSION = "1.1.0"
+    VERSION = "1.2.1"
   end
 end

data/rack-cloudflare_middleware.gemspec

@@ -21,6 +21,8 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = ">= 2.7"
+
   spec.add_dependency "faraday", ">= 1.0", "< 3"
   spec.add_dependency "rack", ">= 2", "< 4"
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare_middleware
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - James Brown
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-03-31 00:00:00.000000000 Z
+date: 2024-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -144,14 +144,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: Rack middleware for handling Cloudflare remote IP headers