RubyGems - rack-cors - Versions diffs - 0.4.1 → 2.0.1 - Mend

rack-cors 0.4.1 → 2.0.1

Potentially problematic release.

This version of rack-cors might be problematic. Click here for more details.

Files changed (25) hide show

checksums.yaml +5 -5
data/.github/workflows/ci.yaml +39 -0
data/.rubocop.yml +31 -0
data/CHANGELOG.md +99 -0
data/Gemfile +3 -1
data/README.md +68 -43
data/Rakefile +5 -4
data/lib/rack/cors/resource.rb +142 -0
data/lib/rack/cors/resources/cors_misconfiguration_error.rb +14 -0
data/lib/rack/cors/resources.rb +62 -0
data/lib/rack/cors/result.rb +63 -0
data/lib/rack/cors/version.rb +3 -1
data/lib/rack/cors.rb +124 -323
data/rack-cors.gemspec +20 -16
data/test/.rubocop.yml +8 -0
data/test/cors/test.cors.coffee +9 -2
data/test/cors/test.cors.js +22 -10
data/test/unit/cors_test.rb +303 -120
data/test/unit/dsl_test.rb +38 -26
data/test/unit/insecure.ru +10 -0
data/test/unit/non_http.ru +2 -0
data/test/unit/test.ru +34 -18
metadata +82 -27
data/.travis.yml +0 -6
data/CHANGELOG +0 -34

data/lib/rack/cors/result.rb ADDED Viewed

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+module Rack
+  class Cors
+    class Result
+      HEADER_KEY = 'x-rack-cors'
+      MISS_NO_ORIGIN = 'no-origin'
+      MISS_NO_PATH   = 'no-path'
+      MISS_NO_METHOD   = 'no-method'
+      MISS_DENY_METHOD = 'deny-method'
+      MISS_DENY_HEADER = 'deny-header'
+      attr_accessor :preflight, :hit, :miss_reason
+      def hit?
+        !!hit
+      end
+      def preflight?
+        !!preflight
+      end
+      def miss(reason)
+        self.hit = false
+        self.miss_reason = reason
+      end
+      def self.hit(env)
+        r = Result.new
+        r.preflight = false
+        r.hit = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+      def self.miss(env, reason)
+        r = Result.new
+        r.preflight = false
+        r.hit = false
+        r.miss_reason = reason
+        env[Rack::Cors::ENV_KEY] = r
+      end
+      def self.preflight(env)
+        r = Result.new
+        r.preflight = true
+        env[Rack::Cors::ENV_KEY] = r
+      end
+      def append_header(headers)
+        headers[HEADER_KEY] = if hit?
+                                preflight? ? 'preflight-hit' : 'hit'
+                              else
+                                [
+                                  (preflight? ? 'preflight-miss' : 'miss'),
+                                  miss_reason
+                                ].join('; ')
+                              end
+      end
+    end
+  end
+end

data/lib/rack/cors/version.rb CHANGED Viewed

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
 module Rack
   class Cors
-    VERSION = "0.4.1"
+    VERSION = '2.0.1'
   end
 end

data/lib/rack/cors.rb CHANGED Viewed

@@ -1,21 +1,38 @@
+# frozen_string_literal: true
 require 'logger'
+require_relative 'cors/resources'
+require_relative 'cors/resource'
+require_relative 'cors/result'
+require_relative 'cors/version'
 module Rack
   class Cors
-    ENV_KEY = 'rack.cors'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
+    PATH_INFO      = 'PATH_INFO'
+    REQUEST_METHOD = 'REQUEST_METHOD'
+    RACK_LOGGER = 'rack.logger'
+    RACK_CORS   =
+      # retaining the old key for backwards compatibility
+      ENV_KEY = 'rack.cors'
-    ORIGIN_HEADER_KEY     = 'HTTP_ORIGIN'.freeze
-    ORIGIN_X_HEADER_KEY   = 'HTTP_X_ORIGIN'.freeze
-    PATH_INFO_HEADER_KEY  = 'PATH_INFO'.freeze
-    VARY_HEADER_KEY       = 'Vary'.freeze
-    DEFAULT_VARY_HEADERS  = ['Origin'].freeze
+    OPTIONS     = 'OPTIONS'
-    def initialize(app, opts={}, &block)
+    DEFAULT_VARY_HEADERS = ['Origin'].freeze
+    def initialize(app, opts = {}, &block)
       @app = app
       @debug_mode = !!opts[:debug]
       @logger = @logger_proc = nil
-      if logger = opts[:logger]
+      logger = opts[:logger]
+      if logger
         if logger.respond_to? :call
           @logger_proc = opts[:logger]
         else
@@ -23,12 +40,12 @@ module Rack
         end
       end
-      if block_given?
-        if block.arity == 1
-          block.call(self)
-        else
-          instance_eval(&block)
-        end
+      return unless block_given?
+      if block.arity == 1
+        block.call(self)
+      else
+        instance_eval(&block)
       end
     end
@@ -47,36 +64,40 @@ module Rack
     end
     def call(env)
-      env[ORIGIN_HEADER_KEY] ||= env[ORIGIN_X_HEADER_KEY] if env[ORIGIN_X_HEADER_KEY]
+      env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
+      path = evaluate_path(env)
       add_headers = nil
-      if env[ORIGIN_HEADER_KEY]
+      if env[HTTP_ORIGIN]
         debug(env) do
-          [ 'Incoming Headers:',
-            "  Origin: #{env[ORIGIN_HEADER_KEY]}",
-            "  Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}",
-            "  Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
-            ].join("\n")
+          ['Incoming Headers:',
+           "  Origin: #{env[HTTP_ORIGIN]}",
+           "  Path-Info: #{path}",
+           "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+           "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"].join("\n")
         end
-        if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-          if headers = process_preflight(env)
-            debug(env) do
-              "Preflight Headers:\n" +
-                  headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
-            end
-            return [200, headers, []]
+        if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          return [400, {}, []] unless Rack::Utils.valid_path?(path)
+          headers = process_preflight(env, path)
+          debug(env) do
+            "Preflight Headers:\n" +
+              headers.collect { |kv| "  #{kv.join(': ')}" }.join("\n")
           end
+          return [200, headers, []]
         else
-          add_headers = process_cors(env)
+          add_headers = process_cors(env, path)
         end
       else
         Result.miss(env, Result::MISS_NO_ORIGIN)
       end
       # This call must be done BEFORE calling the app because for some reason
-      # env[PATH_INFO_HEADER_KEY] gets changed after that and it won't match.
-      # (At least in rails 4.1.6)
-      vary_resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
+      # env[PATH_INFO] gets changed after that and it won't match. (At least
+      # in rails 4.1.6)
+      vary_resource = resource_for_path(path)
       status, headers, body = @app.call env
@@ -84,9 +105,7 @@ module Rack
         headers = add_headers.merge(headers)
         debug(env) do
           add_headers.each_pair do |key, value|
-            if headers.has_key?(key)
-              headers["X-Rack-CORS-Original-#{key}"] = value
-            end
+            headers["x-rack-cors-original-#{key}"] = value if headers.key?(key)
           end
         end
       end
@@ -95,324 +114,106 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY_HEADER_KEY]
-        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
-          vary_resource.vary_headers
-        else
-          DEFAULT_VARY_HEADERS
-        end
-        headers[VARY_HEADER_KEY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
+        vary = headers['vary']
+        cors_vary_headers = if vary_resource.vary_headers&.any?
+                              vary_resource.vary_headers
+                            else
+                              DEFAULT_VARY_HEADERS
+                            end
+        headers['vary'] = ((vary ? [vary].flatten.map { |v| v.split(/,\s*/) }.flatten : []) + cors_vary_headers).uniq.join(', ')
       end
-      if debug? && result = env[ENV_KEY]
-        result.append_header(headers)
-      end
+      result = env[ENV_KEY]
+      result.append_header(headers) if debug? && result
       [status, headers, body]
     end
     protected
-      def debug(env, message = nil, &block)
-        (@logger || select_logger(env)).debug(message, &block) if debug?
-      end
-      def select_logger(env)
-        @logger = if @logger_proc
-          logger_proc = @logger_proc
-          @logger_proc = nil
-          logger_proc.call
-        elsif defined?(Rails) && Rails.logger
-          Rails.logger
-        elsif env['rack.logger']
-          env['rack.logger']
-        else
-          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
-        end
-      end
-      def all_resources
-        @all_resources ||= []
-      end
+    def debug(env, message = nil, &block)
+      (@logger || select_logger(env)).debug(message, &block) if debug?
+    end
-      def process_preflight(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.preflight_hit(env)
-          preflight = resource.process_preflight(env)
-          preflight
+    def select_logger(env)
+      @logger = if @logger_proc
+                  logger_proc = @logger_proc
+                  @logger_proc = nil
+                  logger_proc.call
-        else
-          Result.preflight_miss(env, error)
-          nil
-        end
-      end
+                elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+                  Rails.logger
-      def process_cors(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.hit(env)
-          cors = resource.to_headers(env)
-          cors
+                elsif env[RACK_LOGGER]
+                  env[RACK_LOGGER]
-        else
-          Result.miss(env, error)
-          nil
-        end
-      end
+                else
+                  ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
+                end
+    end
-      def resource_for_path(path_info)
-        all_resources.each do |r|
-          if found = r.resource_for_path(path_info)
-            return found
-          end
-        end
-        nil
-      end
+    def evaluate_path(env)
+      path = env[PATH_INFO]
-      def match_resource(env)
-        path   = env[PATH_INFO_HEADER_KEY]
-        origin = env[ORIGIN_HEADER_KEY]
-        origin_matched = false
-        all_resources.each do |r|
-          if r.allow_origin?(origin, env)
-            origin_matched = true
-            if found = r.match_resource(path, env)
-              return [found, nil]
-            end
-          end
-        end
+      if path
+        path = Rack::Utils.unescape_path(path)
-        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+        path = Rack::Utils.clean_path_info(path) if Rack::Utils.valid_path?(path)
       end
-      class Result
-        HEADER_KEY = 'X-Rack-CORS'.freeze
-        MISS_NO_ORIGIN = 'no-origin'.freeze
-        MISS_NO_PATH   = 'no-path'.freeze
-        attr_accessor :preflight, :hit, :miss_reason
-        def hit?
-          !!hit
-        end
-        def preflight?
-          !!preflight
-        end
-        def self.hit(env)
-          r = Result.new
-          r.preflight = false
-          r.hit = true
-          env[ENV_KEY] = r
-        end
-        def self.miss(env, reason)
-          r = Result.new
-          r.preflight = false
-          r.hit = false
-          r.miss_reason = reason
-          env[ENV_KEY] = r
-        end
+      path
+    end
-        def self.preflight_hit(env)
-          r = Result.new
-          r.preflight = true
-          r.hit = true
-          env[ENV_KEY] = r
-        end
+    def all_resources
+      @all_resources ||= []
+    end
-        def self.preflight_miss(env, reason)
-          r = Result.new
-          r.preflight = true
-          r.hit = false
-          r.miss_reason = reason
-          env[ENV_KEY] = r
-        end
+    def process_preflight(env, path)
+      result = Result.preflight(env)
-        def append_header(headers)
-          headers[HEADER_KEY] = if hit?
-            preflight? ? 'preflight-hit' : 'hit'
-          else
-            [
-              (preflight? ? 'preflight-miss' : 'miss'),
-              miss_reason
-            ].join('; ')
-          end
-        end
+      resource, error = match_resource(path, env)
+      unless resource
+        result.miss(error)
+        return {}
       end
-      class Resources
-        def initialize
-          @origins = []
-          @resources = []
-          @public_resources = false
-        end
-        def origins(*args, &blk)
-          @origins = args.flatten.collect do |n|
-            case n
-            when Regexp,
-                 /^https?:\/\//,
-                 'file://'        then n
-            when '*'              then @public_resources = true; n
-            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
-            end
-          end.flatten
-          @origins.push(blk) if blk
-        end
-        def resource(path, opts={})
-          @resources << Resource.new(public_resources?, path, opts)
-        end
-        def public_resources?
-          @public_resources
-        end
-        def allow_origin?(source,env = {})
-          return true if public_resources?
-          effective_source = (source == 'null' ? 'file://' : source)
-          return !! @origins.detect do |origin|
-            if origin.is_a?(Proc)
-              origin.call(source,env)
-            else
-              origin === effective_source
-            end
-          end
-        end
-        def match_resource(path, env)
-          @resources.detect { |r| r.match?(path, env) }
-        end
+      resource.process_preflight(env, result)
+    end
-        def resource_for_path(path)
-          @resources.detect { |r| r.matches_path?(path) }
-        end
+    def process_cors(env, path)
+      resource, error = match_resource(path, env)
+      if resource
+        Result.hit(env)
+        cors = resource.to_headers(env)
+        cors
+      else
+        Result.miss(env, error)
+        nil
       end
+    end
-      class Resource
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
-        def initialize(public_resource, path, opts={})
-          self.path         = path
-          self.credentials  = opts[:credentials].nil? ? true : opts[:credentials]
-          self.max_age      = opts[:max_age] || 1728000
-          self.pattern      = compile(path)
-          self.if_proc      = opts[:if]
-          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
-          @public_resource  = public_resource
-          self.headers = case opts[:headers]
-          when :any then :any
-          when nil then nil
-          else
-            [opts[:headers]].flatten.collect{|h| h.downcase}
-          end
-          self.methods = case opts[:methods]
-          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
-          else
-            ensure_enum(opts[:methods]) || [:get]
-          end.map{|e| e.to_s }
-          self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
-        end
-        def matches_path?(path)
-          pattern =~ path
-        end
-        def match?(path, env)
-          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
-        end
-        def process_preflight(env)
-          return nil if invalid_method_request?(env) || invalid_headers_request?(env)
-          {'Content-Type' => 'text/plain'}.merge(to_preflight_headers(env))
-        end
-        def to_headers(env)
-          h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[ORIGIN_HEADER_KEY]),
-            'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
-            'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
-            'Access-Control-Max-Age'          => max_age.to_s }
-          h['Access-Control-Allow-Credentials'] = 'true' if credentials
-          h
-        end
-        protected
-          def public_resource?
-            @public_resource
-          end
-          def origin_for_response_header(origin)
-            return '*' if public_resource? && !credentials
-            origin
-          end
-          def to_preflight_headers(env)
-            h = to_headers(env)
-            if env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-              h.merge!('Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])
-            end
-            h
-          end
-          def invalid_method_request?(env)
-            request_method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
-            request_method.nil? || !methods.include?(request_method.downcase)
-          end
-          def invalid_headers_request?(env)
-            request_headers = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
-            request_headers && !allow_headers?(request_headers)
-          end
+    def resource_for_path(path_info)
+      all_resources.each do |r|
+        found = r.resource_for_path(path_info)
+        return found if found
+      end
+      nil
+    end
-          def allow_headers?(request_headers)
-            return false if headers.nil?
-            headers == :any || begin
-              request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-              request_headers.all?{|h| headers.include?(h.downcase)}
-            end
-          end
+    def match_resource(path, env)
+      origin = env[HTTP_ORIGIN]
-          def ensure_enum(v)
-            return nil if v.nil?
-            [v].flatten
-          end
+      origin_matched = false
+      all_resources.each do |r|
+        next unless r.allow_origin?(origin, env)
-          def compile(path)
-            if path.respond_to? :to_str
-              special_chars = %w{. + ( )}
-              pattern =
-                path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
-                  case match
-                  when "*"
-                    "(.*?)"
-                  when *special_chars
-                    Regexp.escape(match)
-                  else
-                    "([^/?&#]+)"
-                  end
-                end
-              /^#{pattern}$/
-            elsif path.respond_to? :match
-              path
-            else
-              raise TypeError, path
-            end
-          end
+        origin_matched = true
+        found = r.match_resource(path, env)
+        return [found, nil] if found
       end
+      [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+    end
   end
 end

data/rack-cors.gemspec CHANGED Viewed

@@ -1,26 +1,30 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'rack/cors/version'
 Gem::Specification.new do |spec|
-  spec.name          = "rack-cors"
+  spec.name          = 'rack-cors'
   spec.version       = Rack::Cors::VERSION
-  spec.authors       = ["Calvin Yu"]
-  spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: https://github.com/cyu/rack-cors}
-  spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
-  spec.homepage      = "https://github.com/cyu/rack-cors"
-  spec.license       = "MIT"
+  spec.authors       = ['Calvin Yu']
+  spec.email         = ['me@sourcebender.com']
+  spec.description   = 'Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors'
+  spec.summary       = 'Middleware for enabling Cross-Origin Resource Sharing in Rack apps'
+  spec.homepage      = 'https://github.com/cyu/rack-cors'
+  spec.license       = 'MIT'
-  spec.files         = `git ls-files`.split($/).reject { |f| f == '.gitignore' or f =~ /^examples/ }
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR).reject { |f| (f == '.gitignore') || f =~ /^examples/ }
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "minitest", ">= 5.3.0"
-  spec.add_development_dependency "mocha", ">= 0.14.0"
-  spec.add_development_dependency "rack-test", ">= 0"
+  spec.add_dependency 'rack', '>= 2.0.0'
+  spec.add_development_dependency 'bundler', '>= 1.16.0', '< 3'
+  spec.add_development_dependency 'minitest', '~> 5.11.0'
+  spec.add_development_dependency 'mocha', '~> 1.6.0'
+  spec.add_development_dependency 'pry', '~> 0.12'
+  spec.add_development_dependency 'rack-test', '>= 1.1.0'
+  spec.add_development_dependency 'rake', '~> 12.3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.80.1'
 end

data/test/.rubocop.yml ADDED Viewed

@@ -0,0 +1,8 @@
+---
+inherit_from: ../.rubocop.yml
+# Disables
+Style/ClassAndModuleChildren:
+  Enabled: false
+Security/Eval:
+  Enabled: false