RubyGems - rack-cors - Versions diffs - 0.4.1 → 2.0.1 - Mend

rack-cors 0.4.1 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rack-cors might be problematic. Click here for more details.

Files changed (25) hide show

checksums.yaml +5 -5
data/.github/workflows/ci.yaml +39 -0
data/.rubocop.yml +31 -0
data/CHANGELOG.md +99 -0
data/Gemfile +3 -1
data/README.md +68 -43
data/Rakefile +5 -4
data/lib/rack/cors/resource.rb +142 -0
data/lib/rack/cors/resources/cors_misconfiguration_error.rb +14 -0
data/lib/rack/cors/resources.rb +62 -0
data/lib/rack/cors/result.rb +63 -0
data/lib/rack/cors/version.rb +3 -1
data/lib/rack/cors.rb +124 -323
data/rack-cors.gemspec +20 -16
data/test/.rubocop.yml +8 -0
data/test/cors/test.cors.coffee +9 -2
data/test/cors/test.cors.js +22 -10
data/test/unit/cors_test.rb +303 -120
data/test/unit/dsl_test.rb +38 -26
data/test/unit/insecure.ru +10 -0
data/test/unit/non_http.ru +2 -0
data/test/unit/test.ru +34 -18
metadata +82 -27
data/.travis.yml +0 -6
data/CHANGELOG +0 -34

data/lib/rack/cors/result.rb ADDED Viewed

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+module Rack
+  class Cors
+    class Result
+      HEADER_KEY = 'x-rack-cors'
+      MISS_NO_ORIGIN = 'no-origin'
+      MISS_NO_PATH   = 'no-path'
+      MISS_NO_METHOD   = 'no-method'
+      MISS_DENY_METHOD = 'deny-method'
+      MISS_DENY_HEADER = 'deny-header'
+      attr_accessor :preflight, :hit, :miss_reason
+      def hit?
+        !!hit
+      end
+      def preflight?
+        !!preflight
+      end
+      def miss(reason)
+        self.hit = false
+        self.miss_reason = reason
+      end
+      def self.hit(env)
+        r = Result.new
+        r.preflight = false
+        r.hit = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+      def self.miss(env, reason)
+        r = Result.new
+        r.preflight = false
+        r.hit = false
+        r.miss_reason = reason
+        env[Rack::Cors::ENV_KEY] = r
+      end
+      def self.preflight(env)
+        r = Result.new
+        r.preflight = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+      def append_header(headers)
+        headers[HEADER_KEY] = if hit?
+                                preflight? ? 'preflight-hit' : 'hit'
+                              else
+                                [
+                                  (preflight? ? 'preflight-miss' : 'miss'),
+                                  miss_reason
+                                ].join('; ')
+                              end
+      end
+    end
+  end
+end

data/lib/rack/cors/version.rb CHANGED Viewed

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
 module Rack
   class Cors
-    VERSION = "0.4.1"
+    VERSION = '2.0.1'
   end
 end

data/lib/rack/cors.rb CHANGED Viewed

@@ -1,21 +1,38 @@
+# frozen_string_literal: true
 require 'logger'
+require_relative 'cors/resources'
+require_relative 'cors/resource'
+require_relative 'cors/result'
+require_relative 'cors/version'
 module Rack
   class Cors
-    ENV_KEY = 'rack.cors'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
+    PATH_INFO      = 'PATH_INFO'
+    REQUEST_METHOD = 'REQUEST_METHOD'
+    RACK_LOGGER = 'rack.logger'
+    RACK_CORS   =
+      # retaining the old key for backwards compatibility
+      ENV_KEY = 'rack.cors'
-    ORIGIN_HEADER_KEY     = 'HTTP_ORIGIN'.freeze
-    ORIGIN_X_HEADER_KEY   = 'HTTP_X_ORIGIN'.freeze
-    PATH_INFO_HEADER_KEY  = 'PATH_INFO'.freeze
-    VARY_HEADER_KEY       = 'Vary'.freeze
-    DEFAULT_VARY_HEADERS  = ['Origin'].freeze
+    OPTIONS     = 'OPTIONS'
-    def initialize(app, opts={}, &block)
+    DEFAULT_VARY_HEADERS = ['Origin'].freeze
+    def initialize(app, opts = {}, &block)
       @app = app
       @debug_mode = !!opts[:debug]
       @logger = @logger_proc = nil
-      if logger = opts[:logger]
+      logger = opts[:logger]
+      if logger
         if logger.respond_to? :call
           @logger_proc = opts[:logger]
         else
@@ -23,12 +40,12 @@ module Rack
         end
       end
-      if block_given?
-        if block.arity == 1
-          block.call(self)
-        else
-          instance_eval(&block)
-        end
+      return unless block_given?
+      if block.arity == 1
+        block.call(self)
+      else
+        instance_eval(&block)
       end
     end
@@ -47,36 +64,40 @@ module Rack
     end
     def call(env)
-      env[ORIGIN_HEADER_KEY] ||= env[ORIGIN_X_HEADER_KEY] if env[ORIGIN_X_HEADER_KEY]
+      env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
+      path = evaluate_path(env)
       add_headers = nil
-      if env[ORIGIN_HEADER_KEY]
+      if env[HTTP_ORIGIN]
         debug(env) do
-          [ 'Incoming Headers:',
-            "  Origin: #{env[ORIGIN_HEADER_KEY]}",
-            "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
-            "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
-            ].join("\n")
+          ['Incoming Headers:',
+           "  Origin: #{env[HTTP_ORIGIN]}",
+           "  Path-Info: #{path}",
+           "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+           "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"].join("\n")
         end
-        if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-          if headers = process_preflight(env)
-            debug(env) do
-              "Preflight Headers:\n" +
-                  headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
-            end
-            return [200, headers, []]
+        if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          return [400, {}, []] unless Rack::Utils.valid_path?(path)
+          headers = process_preflight(env, path)
+          debug(env) do
+            "Preflight Headers:\n" +
+              headers.collect { |kv| "  #{kv.join(': ')}" }.join("\n")
           end
+          return [200, headers, []]
         else
-          add_headers = process_cors(env)
+          add_headers = process_cors(env, path)
         end
       else
         Result.miss(env, Result::MISS_NO_ORIGIN)
       end
       # This call must be done BEFORE calling the app because for some reason
-      # env[PATH_INFO_HEADER_KEY] gets changed after that and it won't match.
-      # (At least in rails 4.1.6)
-      vary_resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
+      # env[PATH_INFO] gets changed after that and it won't match. (At least
+      # in rails 4.1.6)
+      vary_resource = resource_for_path(path)
       status, headers, body = @app.call env
@@ -84,9 +105,7 @@ module Rack
         headers = add_headers.merge(headers)
         debug(env) do
           add_headers.each_pair do |key, value|
-            if headers.has_key?(key)
-              headers["X-Rack-CORS-Original-#{key}"] = value
-            end
+            headers["x-rack-cors-original-#{key}"] = value if headers.key?(key)
           end
         end
       end
@@ -95,324 +114,106 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY_HEADER_KEY]
-        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
-          vary_resource.vary_headers
-        else
-          DEFAULT_VARY_HEADERS
-        end
-        headers[VARY_HEADER_KEY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
+        vary = headers['vary']
+        cors_vary_headers = if vary_resource.vary_headers&.any?
+                              vary_resource.vary_headers
+                            else
+                              DEFAULT_VARY_HEADERS
+                            end
+        headers['vary'] = ((vary ? [vary].flatten.map { |v| v.split(/,\s*/) }.flatten : []) + cors_vary_headers).uniq.join(', ')
       end
-      if debug? && result = env[ENV_KEY]
-        result.append_header(headers)
-      end
+      result = env[ENV_KEY]
+      result.append_header(headers) if debug? && result
       [status, headers, body]
     end
     protected
-      def debug(env, message = nil, &block)
-        (@logger || select_logger(env)).debug(message, &block) if debug?
-      end
-      def select_logger(env)
-        @logger = if @logger_proc
-          logger_proc = @logger_proc
-          @logger_proc = nil
-          logger_proc.call
-        elsif defined?(Rails) && Rails.logger
-          Rails.logger
-        elsif env['rack.logger']
-          env['rack.logger']
-        else
-          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
-        end
-      end
-      def all_resources
-        @all_resources ||= []
-      end
+    def debug(env, message = nil, &block)
+      (@logger || select_logger(env)).debug(message, &block) if debug?
+    end
-      def process_preflight(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.preflight_hit(env)
-          preflight = resource.process_preflight(env)
-          preflight
+    def select_logger(env)
+      @logger = if @logger_proc
+                  logger_proc = @logger_proc
+                  @logger_proc = nil
+                  logger_proc.call
-        else
-          Result.preflight_miss(env, error)
-          nil
-        end
-      end
+                elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+                  Rails.logger
-      def process_cors(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.hit(env)
-          cors = resource.to_headers(env)
-          cors
+                elsif env[RACK_LOGGER]
+                  env[RACK_LOGGER]
-        else
-          Result.miss(env, error)
-          nil
-        end
-      end
+                else
+                  ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
+                end
+    end
-      def resource_for_path(path_info)
-        all_resources.each do |r|
-          if found = r.resource_for_path(path_info)
-            return found
-          end
-        end
-        nil
-      end
+    def evaluate_path(env)
+      path = env[PATH_INFO]
-      def match_resource(env)
-        path   = env[PATH_INFO_HEADER_KEY]
-        origin = env[ORIGIN_HEADER_KEY]
-        origin_matched = false
-        all_resources.each do |r|
-          if r.allow_origin?(origin, env)
-            origin_matched = true
-            if found = r.match_resource(path, env)
-              return [found, nil]
-            end
-          end
-        end
+      if path
+        path = Rack::Utils.unescape_path(path)
-        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+        path = Rack::Utils.clean_path_info(path) if Rack::Utils.valid_path?(path)
       end
-      class Result
-        HEADER_KEY = 'X-Rack-CORS'.freeze
-        MISS_NO_ORIGIN = 'no-origin'.freeze
-        MISS_NO_PATH   = 'no-path'.freeze
-        attr_accessor :preflight, :hit, :miss_reason
-        def hit?
-          !!hit
-        end
-        def preflight?
-          !!preflight
-        end
-        def self.hit(env)
-          r = Result.new
-          r.preflight = false
-          r.hit = true
-          env[ENV_KEY] = r
-        end
-        def self.miss(env, reason)
-          r = Result.new
-          r.preflight = false
-          r.hit = false
-          r.miss_reason = reason
-          env[ENV_KEY] = r
-        end
+      path
+    end
-        def self.preflight_hit(env)
-          r = Result.new
-          r.preflight = true
-          r.hit = true
-          env[ENV_KEY] = r
-        end
+    def all_resources
+      @all_resources ||= []
+    end
-        def self.preflight_miss(env, reason)
-          r = Result.new
-          r.preflight = true
-          r.hit = false
-          r.miss_reason = reason
-          env[ENV_KEY] = r
-        end
+    def process_preflight(env, path)
+      result = Result.preflight(env)
-        def append_header(headers)
-          headers[HEADER_KEY] = if hit?
-            preflight? ? 'preflight-hit' : 'hit'
-          else
-            [
-              (preflight? ? 'preflight-miss' : 'miss'),
-              miss_reason
-            ].join('; ')
-          end
-        end
+      resource, error = match_resource(path, env)
+      unless resource
+        result.miss(error)
+        return {}
       end
-      class Resources
-        def initialize
-          @origins = []
-          @resources = []
-          @public_resources = false
-        end
-        def origins(*args, &blk)
-          @origins = args.flatten.collect do |n|
-            case n
-            when Regexp,
-                 /^https?:\/\//,
-                 'file://'        then n
-            when '*'              then @public_resources = true; n
-            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
-            end
-          end.flatten
-          @origins.push(blk) if blk
-        end
-        def resource(path, opts={})
-          @resources << Resource.new(public_resources?, path, opts)
-        end
-        def public_resources?
-          @public_resources
-        end
-        def allow_origin?(source,env = {})
-          return true if public_resources?
-          effective_source = (source == 'null' ? 'file://' : source)
-          return !! @origins.detect do |origin|
-            if origin.is_a?(Proc)
-              origin.call(source,env)
-            else
-              origin === effective_source
-            end
-          end
-        end
-        def match_resource(path, env)
-          @resources.detect { |r| r.match?(path, env) }
-        end
+      resource.process_preflight(env, result)
+    end
-        def resource_for_path(path)
-          @resources.detect { |r| r.matches_path?(path) }
-        end
+    def process_cors(env, path)
+      resource, error = match_resource(path, env)
+      if resource
+        Result.hit(env)
+        cors = resource.to_headers(env)
+        cors
+      else
+        Result.miss(env, error)
+        nil
       end
+    end
-      class Resource
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
-        def initialize(public_resource, path, opts={})
-          self.path         = path
-          self.credentials  = opts[:credentials].nil? ? true : opts[:credentials]
-          self.max_age      = opts[:max_age] || 1728000
-          self.pattern      = compile(path)
-          self.if_proc      = opts[:if]
-          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
-          @public_resource  = public_resource
-          self.headers = case opts[:headers]
-          when :any then :any
-          when nil then nil
-          else
-            [opts[:headers]].flatten.collect{|h| h.downcase}
-          end
-          self.methods = case opts[:methods]
-          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
-          else
-            ensure_enum(opts[:methods]) || [:get]
-          end.map{|e| e.to_s }
-          self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
-        end
-        def matches_path?(path)
-          pattern =~ path
-        end
-        def match?(path, env)
-          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
-        end
-        def process_preflight(env)
-          return nil if invalid_method_request?(env) || invalid_headers_request?(env)
-          {'Content-Type' => 'text/plain'}.merge(to_preflight_headers(env))
-        end
-        def to_headers(env)
-          h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
-            'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
-            'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
-            'Access-Control-Max-Age'          => max_age.to_s }
-          h['Access-Control-Allow-Credentials'] = 'true' if credentials
-          h
-        end
-        protected
-          def public_resource?
-            @public_resource
-          end
-          def origin_for_response_header(origin)
-            return '*' if public_resource? && !credentials
-            origin
-          end
-          def to_preflight_headers(env)
-            h = to_headers(env)
-            if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-              h.merge!('Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
-            end
-            h
-          end
-          def invalid_method_request?(env)
-            request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-            request_method.nil? || !methods.include?(request_method.downcase)
-          end
-          def invalid_headers_request?(env)
-            request_headers = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-            request_headers && !allow_headers?(request_headers)
-          end
+    def resource_for_path(path_info)
+      all_resources.each do |r|
+        found = r.resource_for_path(path_info)
+        return found if found
+      end
+      nil
+    end
-          def allow_headers?(request_headers)
-            return false if headers.nil?
-            headers == :any || begin
-              request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-              request_headers.all?{|h| headers.include?(h.downcase)}
-            end
-          end
+    def match_resource(path, env)
+      origin = env[HTTP_ORIGIN]
-          def ensure_enum(v)
-            return nil if v.nil?
-            [v].flatten
-          end
+      origin_matched = false
+      all_resources.each do |r|
+        next unless r.allow_origin?(origin, env)
-          def compile(path)
-            if path.respond_to? :to_str
-              special_chars = %w{. + ( )}
-              pattern =
-                path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
-                  case match
-                  when "*"
-                    "(.*?)"
-                  when *special_chars
-                    Regexp.escape(match)
-                  else
-                    "([^/?&#]+)"
-                  end
-                end
-              /^#{pattern}$/
-            elsif path.respond_to? :match
-              path
-            else
-              raise TypeError, path
-            end
-          end
+        origin_matched = true
+        found = r.match_resource(path, env)
+        return [found, nil] if found
       end
+      [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+    end
   end
 end

data/rack-cors.gemspec CHANGED Viewed

@@ -1,26 +1,30 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'rack/cors/version'
 Gem::Specification.new do |spec|
-  spec.name          = "rack-cors"
+  spec.name          = 'rack-cors'
   spec.version       = Rack::Cors::VERSION
-  spec.authors       = ["Calvin Yu"]
-  spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: https://github.com/cyu/rack-cors}
-  spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
-  spec.homepage      = "https://github.com/cyu/rack-cors"
-  spec.license       = "MIT"
+  spec.authors       = ['Calvin Yu']
+  spec.email         = ['me@sourcebender.com']
+  spec.description   = 'Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors'
+  spec.summary       = 'Middleware for enabling Cross-Origin Resource Sharing in Rack apps'
+  spec.homepage      = 'https://github.com/cyu/rack-cors'
+  spec.license       = 'MIT'
-  spec.files         = `git ls-files`.split($/).reject { |f| f == '.gitignore' or f =~ /^examples/ }
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR).reject { |f| (f == '.gitignore') || f =~ /^examples/ }
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "minitest", ">= 5.3.0"
-  spec.add_development_dependency "mocha", ">= 0.14.0"
-  spec.add_development_dependency "rack-test", ">= 0"
+  spec.add_dependency 'rack', '>= 2.0.0'
+  spec.add_development_dependency 'bundler', '>= 1.16.0', '< 3'
+  spec.add_development_dependency 'minitest', '~> 5.11.0'
+  spec.add_development_dependency 'mocha', '~> 1.6.0'
+  spec.add_development_dependency 'pry', '~> 0.12'
+  spec.add_development_dependency 'rack-test', '>= 1.1.0'
+  spec.add_development_dependency 'rake', '~> 12.3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.80.1'
 end

data/test/.rubocop.yml ADDED Viewed

@@ -0,0 +1,8 @@
+---
+inherit_from: ../.rubocop.yml
+# Disables
+Style/ClassAndModuleChildren:
+  Enabled: false
+Security/Eval:
+  Enabled: false