RubyGems - rack-cors - Versions diffs - 1.0.2 → 2.0.0 - Mend

rack-cors 1.0.2 → 2.0.0

Files changed (23) hide show

checksums.yaml +5 -5
data/.rubocop.yml +31 -0
data/.travis.yml +10 -3
data/{CHANGELOG → CHANGELOG.md} +39 -0
data/Gemfile +3 -1
data/README.md +67 -42
data/Rakefile +5 -4
data/lib/rack/cors/resource.rb +132 -0
data/lib/rack/cors/resources/cors_misconfiguration_error.rb +14 -0
data/lib/rack/cors/resources.rb +62 -0
data/lib/rack/cors/result.rb +63 -0
data/lib/rack/cors/version.rb +3 -1
data/lib/rack/cors.rb +110 -345
data/rack-cors.gemspec +20 -16
data/test/.rubocop.yml +8 -0
data/test/cors/test.cors.coffee +9 -2
data/test/cors/test.cors.js +22 -10
data/test/unit/cors_test.rb +209 -151
data/test/unit/dsl_test.rb +30 -29
data/test/unit/insecure.ru +2 -0
data/test/unit/non_http.ru +2 -0
data/test/unit/test.ru +25 -19
metadata +81 -28

data/lib/rack/cors.rb CHANGED Viewed

@@ -1,38 +1,38 @@
+# frozen_string_literal: true
 require 'logger'
+require_relative 'cors/resources'
+require_relative 'cors/resource'
+require_relative 'cors/result'
+require_relative 'cors/version'
 module Rack
   class Cors
-    HTTP_ORIGIN   = 'HTTP_ORIGIN'.freeze
-    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'
-    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'.freeze
-    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'.freeze
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
-    PATH_INFO      = 'PATH_INFO'.freeze
-    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+    PATH_INFO      = 'PATH_INFO'
+    REQUEST_METHOD = 'REQUEST_METHOD'
-    RACK_LOGGER = 'rack.logger'.freeze
+    RACK_LOGGER = 'rack.logger'
     RACK_CORS   =
-    # retaining the old key for backwards compatibility
-    ENV_KEY     = 'rack.cors'.freeze
+      # retaining the old key for backwards compatibility
+      ENV_KEY = 'rack.cors'
-    OPTIONS      = 'OPTIONS'.freeze
-    VARY         = 'Vary'.freeze
-    CONTENT_TYPE = 'Content-Type'.freeze
-    TEXT_PLAIN   = 'text/plain'.freeze
+    OPTIONS     = 'OPTIONS'
     DEFAULT_VARY_HEADERS = ['Origin'].freeze
-    # All CORS routes need to accept CORS simple headers at all times
-    # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
-    CORS_SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'].freeze
-    def initialize(app, opts={}, &block)
+    def initialize(app, opts = {}, &block)
       @app = app
       @debug_mode = !!opts[:debug]
       @logger = @logger_proc = nil
-      if logger = opts[:logger]
+      logger = opts[:logger]
+      if logger
         if logger.respond_to? :call
           @logger_proc = opts[:logger]
         else
@@ -40,12 +40,12 @@ module Rack
         end
       end
-      if block_given?
-        if block.arity == 1
-          block.call(self)
-        else
-          instance_eval(&block)
-        end
+      return unless block_given?
+      if block.arity == 1
+        block.call(self)
+      else
+        instance_eval(&block)
       end
     end
@@ -66,24 +66,29 @@ module Rack
     def call(env)
       env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
+      path = evaluate_path(env)
       add_headers = nil
       if env[HTTP_ORIGIN]
         debug(env) do
-          [ 'Incoming Headers:',
-            "  Origin: #{env[HTTP_ORIGIN]}",
-            "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
-            "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
-            ].join("\n")
+          ['Incoming Headers:',
+           "  Origin: #{env[HTTP_ORIGIN]}",
+           "  Path-Info: #{path}",
+           "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+           "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"].join("\n")
         end
-        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
-          headers = process_preflight(env)
+        if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          return [400, {}, []] unless Rack::Utils.valid_path?(path)
+          headers = process_preflight(env, path)
           debug(env) do
             "Preflight Headers:\n" +
-                headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
+              headers.collect { |kv| "  #{kv.join(': ')}" }.join("\n")
           end
           return [200, headers, []]
         else
-          add_headers = process_cors(env)
+          add_headers = process_cors(env, path)
         end
       else
         Result.miss(env, Result::MISS_NO_ORIGIN)
@@ -92,7 +97,7 @@ module Rack
       # This call must be done BEFORE calling the app because for some reason
       # env[PATH_INFO] gets changed after that and it won't match. (At least
       # in rails 4.1.6)
-      vary_resource = resource_for_path(env[PATH_INFO])
+      vary_resource = resource_for_path(path)
       status, headers, body = @app.call env
@@ -100,9 +105,7 @@ module Rack
         headers = add_headers.merge(headers)
         debug(env) do
           add_headers.each_pair do |key, value|
-            if headers.has_key?(key)
-              headers["X-Rack-CORS-Original-#{key}"] = value
-            end
+            headers["x-rack-cors-original-#{key}"] = value if headers.key?(key)
           end
         end
       end
@@ -111,344 +114,106 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY]
-        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
-          vary_resource.vary_headers
-        else
-          DEFAULT_VARY_HEADERS
-        end
-        headers[VARY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
+        vary = headers['vary']
+        cors_vary_headers = if vary_resource.vary_headers&.any?
+                              vary_resource.vary_headers
+                            else
+                              DEFAULT_VARY_HEADERS
+                            end
+        headers['vary'] = ((vary ? [vary].flatten.map { |v| v.split(/,\s*/) }.flatten : []) + cors_vary_headers).uniq.join(', ')
       end
-      if debug? && result = env[RACK_CORS]
-        result.append_header(headers)
-      end
+      result = env[ENV_KEY]
+      result.append_header(headers) if debug? && result
       [status, headers, body]
     end
     protected
-      def debug(env, message = nil, &block)
-        (@logger || select_logger(env)).debug(message, &block) if debug?
-      end
-      def select_logger(env)
-        @logger = if @logger_proc
-          logger_proc = @logger_proc
-          @logger_proc = nil
-          logger_proc.call
+    def debug(env, message = nil, &block)
+      (@logger || select_logger(env)).debug(message, &block) if debug?
+    end
-        elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
-          Rails.logger
+    def select_logger(env)
+      @logger = if @logger_proc
+                  logger_proc = @logger_proc
+                  @logger_proc = nil
+                  logger_proc.call
-        elsif env[RACK_LOGGER]
-          env[RACK_LOGGER]
+                elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+                  Rails.logger
-        else
-          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
-        end
-      end
+                elsif env[RACK_LOGGER]
+                  env[RACK_LOGGER]
-      def all_resources
-        @all_resources ||= []
-      end
+                else
+                  ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
+                end
+    end
-      def process_preflight(env)
-        result = Result.preflight(env)
+    def evaluate_path(env)
+      path = env[PATH_INFO]
-        resource, error = match_resource(env)
-        unless resource
-          result.miss(error)
-          return {}
-        end
+      if path
+        path = Rack::Utils.unescape_path(path)
-        return resource.process_preflight(env, result)
+        path = Rack::Utils.clean_path_info(path) if Rack::Utils.valid_path?(path)
       end
-      def process_cors(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.hit(env)
-          cors = resource.to_headers(env)
-          cors
-        else
-          Result.miss(env, error)
-          nil
-        end
-      end
+      path
+    end
-      def resource_for_path(path_info)
-        all_resources.each do |r|
-          if found = r.resource_for_path(path_info)
-            return found
-          end
-        end
-        nil
-      end
+    def all_resources
+      @all_resources ||= []
+    end
-      def match_resource(env)
-        path   = env[PATH_INFO]
-        origin = env[HTTP_ORIGIN]
-        origin_matched = false
-        all_resources.each do |r|
-          if r.allow_origin?(origin, env)
-            origin_matched = true
-            if found = r.match_resource(path, env)
-              return [found, nil]
-            end
-          end
-        end
+    def process_preflight(env, path)
+      result = Result.preflight(env)
-        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+      resource, error = match_resource(path, env)
+      unless resource
+        result.miss(error)
+        return {}
       end
-      class Result
-        HEADER_KEY = 'X-Rack-CORS'.freeze
-        MISS_NO_ORIGIN = 'no-origin'.freeze
-        MISS_NO_PATH   = 'no-path'.freeze
-        MISS_NO_METHOD   = 'no-method'.freeze
-        MISS_DENY_METHOD = 'deny-method'.freeze
-        MISS_DENY_HEADER = 'deny-header'.freeze
-        attr_accessor :preflight, :hit, :miss_reason
-        def hit?
-          !!hit
-        end
-        def preflight?
-          !!preflight
-        end
-        def miss(reason)
-          self.hit = false
-          self.miss_reason = reason
-        end
-        def self.hit(env)
-          r = Result.new
-          r.preflight = false
-          r.hit = true
-          env[RACK_CORS] = r
-        end
-        def self.miss(env, reason)
-          r = Result.new
-          r.preflight = false
-          r.hit = false
-          r.miss_reason = reason
-          env[RACK_CORS] = r
-        end
-        def self.preflight(env)
-          r = Result.new
-          r.preflight = true
-          env[RACK_CORS] = r
-        end
+      resource.process_preflight(env, result)
+    end
+    def process_cors(env, path)
+      resource, error = match_resource(path, env)
+      if resource
+        Result.hit(env)
+        cors = resource.to_headers(env)
+        cors
-        def append_header(headers)
-          headers[HEADER_KEY] = if hit?
-            preflight? ? 'preflight-hit' : 'hit'
-          else
-            [
-              (preflight? ? 'preflight-miss' : 'miss'),
-              miss_reason
-            ].join('; ')
-          end
-        end
+      else
+        Result.miss(env, error)
+        nil
       end
+    end
-      class Resources
-        attr_reader :resources
-        def initialize
-          @origins = []
-          @resources = []
-          @public_resources = false
-        end
-        def origins(*args, &blk)
-          @origins = args.flatten.reject{ |s| s == '' }.map do |n|
-            case n
-            when Proc,
-                 Regexp,
-                 /^https?:\/\//,
-                 'file://'        then n
-            when '*'              then @public_resources = true; n
-            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
-            end
-          end.flatten
-          @origins.push(blk) if blk
-        end
-        def resource(path, opts={})
-          @resources << Resource.new(public_resources?, path, opts)
-        end
-        def public_resources?
-          @public_resources
-        end
-        def allow_origin?(source,env = {})
-          return true if public_resources?
-          return !! @origins.detect do |origin|
-            if origin.is_a?(Proc)
-              origin.call(source,env)
-            else
-              origin === source
-            end
-          end
-        end
-        def match_resource(path, env)
-          @resources.detect { |r| r.match?(path, env) }
-        end
-        def resource_for_path(path)
-          @resources.detect { |r| r.matches_path?(path) }
-        end
+    def resource_for_path(path_info)
+      all_resources.each do |r|
+        found = r.resource_for_path(path_info)
+        return found if found
       end
+      nil
+    end
-      class Resource
-        class CorsMisconfigurationError < StandardError
-          def message
-            "Allowing credentials for wildcard origins is insecure."\
-            " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
-          end
-        end
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
-        def initialize(public_resource, path, opts={})
-          raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
-          self.path         = path
-          self.credentials  = public_resource ? false : (opts[:credentials] == true)
-          self.max_age      = opts[:max_age] || 1728000
-          self.pattern      = compile(path)
-          self.if_proc      = opts[:if]
-          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
-          @public_resource  = public_resource
-          self.headers = case opts[:headers]
-          when :any then :any
-          when nil then nil
-          else
-            [opts[:headers]].flatten.collect{|h| h.downcase}
-          end
-          self.methods = case opts[:methods]
-          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
-          else
-            ensure_enum(opts[:methods]) || [:get]
-          end.map{|e| e.to_s }
-          self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
-        end
-        def matches_path?(path)
-          pattern =~ path
-        end
-        def match?(path, env)
-          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
-        end
-        def process_preflight(env, result)
-          headers = {CONTENT_TYPE => TEXT_PLAIN}
-          request_method = env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
-          if request_method.nil?
-            result.miss(Result::MISS_NO_METHOD) and return headers
-          end
-          if !methods.include?(request_method.downcase)
-            result.miss(Result::MISS_DENY_METHOD) and return headers
-          end
-          request_headers = env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
-          if request_headers && !allow_headers?(request_headers)
-            result.miss(Result::MISS_DENY_HEADER) and return headers
-          end
-          result.hit = true
-          headers.merge(to_preflight_headers(env))
-        end
-        def to_headers(env)
-          h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[HTTP_ORIGIN]),
-            'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
-            'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
-            'Access-Control-Max-Age'          => max_age.to_s }
-          h['Access-Control-Allow-Credentials'] = 'true' if credentials
-          h
-        end
-        protected
-          def public_resource?
-            @public_resource
-          end
-          def origin_for_response_header(origin)
-            return '*' if public_resource?
-            origin
-          end
-          def to_preflight_headers(env)
-            h = to_headers(env)
-            if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
-              h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
-            end
-            h
-          end
-          def allow_headers?(request_headers)
-            headers = self.headers || []
-            if headers == :any
-              return true
-            end
-            request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-            request_headers.all? do |header|
-              header = header.downcase
-              CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
-            end
-          end
+    def match_resource(path, env)
+      origin = env[HTTP_ORIGIN]
-          def ensure_enum(v)
-            return nil if v.nil?
-            [v].flatten
-          end
+      origin_matched = false
+      all_resources.each do |r|
+        next unless r.allow_origin?(origin, env)
-          def compile(path)
-            if path.respond_to? :to_str
-              special_chars = %w{. + ( )}
-              pattern =
-                path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
-                  case match
-                  when "*"
-                    "(.*?)"
-                  when *special_chars
-                    Regexp.escape(match)
-                  else
-                    "([^/?&#]+)"
-                  end
-                end
-              /^#{pattern}$/
-            elsif path.respond_to? :match
-              path
-            else
-              raise TypeError, path
-            end
-          end
+        origin_matched = true
+        found = r.match_resource(path, env)
+        return [found, nil] if found
       end
+      [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+    end
   end
 end

data/rack-cors.gemspec CHANGED Viewed

@@ -1,26 +1,30 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'rack/cors/version'
 Gem::Specification.new do |spec|
-  spec.name          = "rack-cors"
+  spec.name          = 'rack-cors'
   spec.version       = Rack::Cors::VERSION
-  spec.authors       = ["Calvin Yu"]
-  spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible.  Read more here: http://blog.sourcebender.com/2010/06/09/introducin-rack-cors.html.  Fork the project here: https://github.com/cyu/rack-cors}
-  spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
-  spec.homepage      = "https://github.com/cyu/rack-cors"
-  spec.license       = "MIT"
+  spec.authors       = ['Calvin Yu']
+  spec.email         = ['me@sourcebender.com']
+  spec.description   = 'Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors'
+  spec.summary       = 'Middleware for enabling Cross-Origin Resource Sharing in Rack apps'
+  spec.homepage      = 'https://github.com/cyu/rack-cors'
+  spec.license       = 'MIT'
-  spec.files         = `git ls-files`.split($/).reject { |f| f == '.gitignore' or f =~ /^examples/ }
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR).reject { |f| (f == '.gitignore') || f =~ /^examples/ }
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "minitest", ">= 5.3.0"
-  spec.add_development_dependency "mocha", ">= 0.14.0"
-  spec.add_development_dependency "rack-test", ">= 0"
+  spec.add_dependency 'rack', '>= 2.0.0'
+  spec.add_development_dependency 'bundler', '>= 1.16.0', '< 3'
+  spec.add_development_dependency 'minitest', '~> 5.11.0'
+  spec.add_development_dependency 'mocha', '~> 1.6.0'
+  spec.add_development_dependency 'pry', '~> 0.12'
+  spec.add_development_dependency 'rack-test', '~> 1.1.0'
+  spec.add_development_dependency 'rake', '~> 12.3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.80.1'
 end

data/test/.rubocop.yml ADDED Viewed

@@ -0,0 +1,8 @@
+---
+inherit_from: ../.rubocop.yml
+# Disables
+Style/ClassAndModuleChildren:
+  Enabled: false
+Security/Eval:
+  Enabled: false

data/test/cors/test.cors.coffee CHANGED Viewed

@@ -1,4 +1,6 @@
-CORS_SERVER = '127.0.0.1.xip.io:9292'
+CORS_SERVER = '127.0.0.1.xip.io:3000'
+mocha.setup({ignoreLeaks: true});
 describe 'CORS', ->
@@ -12,6 +14,11 @@ describe 'CORS', ->
       expect(data).to.eql('Hello world')
       done()
+  it 'should allow PATCH access to dynamic resource', (done) ->
+    $.ajax("http://#{CORS_SERVER}/", type: 'PATCH').done (data, textStatus, jqXHR) ->
+      expect(data).to.eql('Hello world')
+      done()
   it 'should allow HEAD access to dynamic resource', (done) ->
     $.ajax("http://#{CORS_SERVER}/", type: 'HEAD').done (data, textStatus, jqXHR) ->
       expect(jqXHR.status).to.eql(200)
@@ -29,7 +36,7 @@ describe 'CORS', ->
   it 'should allow access to static resource', (done) ->
     $.get "http://#{CORS_SERVER}/static.txt", (data, status, xhr) ->
-      expect($.trim(data)).to.eql("hello world")
+      expect($.trim(data)).to.eql("Hello world")
       done()
   it 'should allow post resource', (done) ->