RubyGems - rack-cors - Versions diffs - 1.0.2 → 2.0.2 - Mend

rack-cors 1.0.2 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

checksums.yaml +5 -5
data/{CHANGELOG → CHANGELOG.md} +47 -0
data/README.md +66 -43
data/lib/rack/cors/resource.rb +142 -0
data/lib/rack/cors/resources/cors_misconfiguration_error.rb +14 -0
data/lib/rack/cors/resources.rb +62 -0
data/lib/rack/cors/result.rb +63 -0
data/lib/rack/cors/version.rb +3 -1
data/lib/rack/cors.rb +110 -345
metadata +80 -56
data/.travis.yml +0 -6
data/Gemfile +0 -6
data/Rakefile +0 -21
data/rack-cors.gemspec +0 -26
data/test/cors/expect.js +0 -1286
data/test/cors/mocha.css +0 -250
data/test/cors/mocha.js +0 -5373
data/test/cors/runner.html +0 -20
data/test/cors/test.cors.coffee +0 -42
data/test/cors/test.cors.js +0 -67
data/test/unit/cors_test.rb +0 -482
data/test/unit/dsl_test.rb +0 -69
data/test/unit/insecure.ru +0 -8
data/test/unit/non_http.ru +0 -8
data/test/unit/test.ru +0 -60

data/lib/rack/cors.rb CHANGED Viewed

@@ -1,38 +1,38 @@
+# frozen_string_literal: true
 require 'logger'
+require_relative 'cors/resources'
+require_relative 'cors/resource'
+require_relative 'cors/result'
+require_relative 'cors/version'
 module Rack
   class Cors
-    HTTP_ORIGIN   = 'HTTP_ORIGIN'.freeze
-    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'
-    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'.freeze
-    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'.freeze
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
-    PATH_INFO      = 'PATH_INFO'.freeze
-    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+    PATH_INFO      = 'PATH_INFO'
+    REQUEST_METHOD = 'REQUEST_METHOD'
-    RACK_LOGGER = 'rack.logger'.freeze
+    RACK_LOGGER = 'rack.logger'
     RACK_CORS   =
-    # retaining the old key for backwards compatibility
-    ENV_KEY     = 'rack.cors'.freeze
+      # retaining the old key for backwards compatibility
+      ENV_KEY = 'rack.cors'
-    OPTIONS      = 'OPTIONS'.freeze
-    VARY         = 'Vary'.freeze
-    CONTENT_TYPE = 'Content-Type'.freeze
-    TEXT_PLAIN   = 'text/plain'.freeze
+    OPTIONS     = 'OPTIONS'
     DEFAULT_VARY_HEADERS = ['Origin'].freeze
-    # All CORS routes need to accept CORS simple headers at all times
-    # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
-    CORS_SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'].freeze
-    def initialize(app, opts={}, &block)
+    def initialize(app, opts = {}, &block)
       @app = app
       @debug_mode = !!opts[:debug]
       @logger = @logger_proc = nil
-      if logger = opts[:logger]
+      logger = opts[:logger]
+      if logger
         if logger.respond_to? :call
           @logger_proc = opts[:logger]
         else
@@ -40,12 +40,12 @@ module Rack
         end
       end
-      if block_given?
-        if block.arity == 1
-          block.call(self)
-        else
-          instance_eval(&block)
-        end
+      return unless block_given?
+      if block.arity == 1
+        block.call(self)
+      else
+        instance_eval(&block)
       end
     end
@@ -66,24 +66,29 @@ module Rack
     def call(env)
       env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
+      path = evaluate_path(env)
       add_headers = nil
       if env[HTTP_ORIGIN]
         debug(env) do
-          [ 'Incoming Headers:',
-            "  Origin: #{env[HTTP_ORIGIN]}",
-            "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
-            "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
-            ].join("\n")
+          ['Incoming Headers:',
+           "  Origin: #{env[HTTP_ORIGIN]}",
+           "  Path-Info: #{path}",
+           "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+           "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"].join("\n")
         end
-        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
-          headers = process_preflight(env)
+        if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          return [400, {}, []] unless Rack::Utils.valid_path?(path)
+          headers = process_preflight(env, path)
           debug(env) do
             "Preflight Headers:\n" +
-                headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
+              headers.collect { |kv| "  #{kv.join(': ')}" }.join("\n")
           end
           return [200, headers, []]
         else
-          add_headers = process_cors(env)
+          add_headers = process_cors(env, path)
         end
       else
         Result.miss(env, Result::MISS_NO_ORIGIN)
@@ -92,7 +97,7 @@ module Rack
       # This call must be done BEFORE calling the app because for some reason
       # env[PATH_INFO] gets changed after that and it won't match. (At least
       # in rails 4.1.6)
-      vary_resource = resource_for_path(env[PATH_INFO])
+      vary_resource = resource_for_path(path)
       status, headers, body = @app.call env
@@ -100,9 +105,7 @@ module Rack
         headers = add_headers.merge(headers)
         debug(env) do
           add_headers.each_pair do |key, value|
-            if headers.has_key?(key)
-              headers["X-Rack-CORS-Original-#{key}"] = value
-            end
+            headers["x-rack-cors-original-#{key}"] = value if headers.key?(key)
           end
         end
       end
@@ -111,344 +114,106 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY]
-        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
-          vary_resource.vary_headers
-        else
-          DEFAULT_VARY_HEADERS
-        end
-        headers[VARY] = ((vary ? vary.split(/,\s*/) : []) + cors_vary_headers).uniq.join(', ')
+        vary = headers['vary']
+        cors_vary_headers = if vary_resource.vary_headers&.any?
+                              vary_resource.vary_headers
+                            else
+                              DEFAULT_VARY_HEADERS
+                            end
+        headers['vary'] = ((vary ? [vary].flatten.map { |v| v.split(/,\s*/) }.flatten : []) + cors_vary_headers).uniq.join(', ')
       end
-      if debug? && result = env[RACK_CORS]
-        result.append_header(headers)
-      end
+      result = env[ENV_KEY]
+      result.append_header(headers) if debug? && result
       [status, headers, body]
     end
     protected
-      def debug(env, message = nil, &block)
-        (@logger || select_logger(env)).debug(message, &block) if debug?
-      end
-      def select_logger(env)
-        @logger = if @logger_proc
-          logger_proc = @logger_proc
-          @logger_proc = nil
-          logger_proc.call
+    def debug(env, message = nil, &block)
+      (@logger || select_logger(env)).debug(message, &block) if debug?
+    end
-        elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
-          Rails.logger
+    def select_logger(env)
+      @logger = if @logger_proc
+                  logger_proc = @logger_proc
+                  @logger_proc = nil
+                  logger_proc.call
-        elsif env[RACK_LOGGER]
-          env[RACK_LOGGER]
+                elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+                  Rails.logger
-        else
-          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
-        end
-      end
+                elsif env[RACK_LOGGER]
+                  env[RACK_LOGGER]
-      def all_resources
-        @all_resources ||= []
-      end
+                else
+                  ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
+                end
+    end
-      def process_preflight(env)
-        result = Result.preflight(env)
+    def evaluate_path(env)
+      path = env[PATH_INFO]
-        resource, error = match_resource(env)
-        unless resource
-          result.miss(error)
-          return {}
-        end
+      if path
+        path = Rack::Utils.unescape_path(path)
-        return resource.process_preflight(env, result)
+        path = Rack::Utils.clean_path_info(path) if Rack::Utils.valid_path?(path)
       end
-      def process_cors(env)
-        resource, error = match_resource(env)
-        if resource
-          Result.hit(env)
-          cors = resource.to_headers(env)
-          cors
-        else
-          Result.miss(env, error)
-          nil
-        end
-      end
+      path
+    end
-      def resource_for_path(path_info)
-        all_resources.each do |r|
-          if found = r.resource_for_path(path_info)
-            return found
-          end
-        end
-        nil
-      end
+    def all_resources
+      @all_resources ||= []
+    end
-      def match_resource(env)
-        path   = env[PATH_INFO]
-        origin = env[HTTP_ORIGIN]
-        origin_matched = false
-        all_resources.each do |r|
-          if r.allow_origin?(origin, env)
-            origin_matched = true
-            if found = r.match_resource(path, env)
-              return [found, nil]
-            end
-          end
-        end
+    def process_preflight(env, path)
+      result = Result.preflight(env)
-        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+      resource, error = match_resource(path, env)
+      unless resource
+        result.miss(error)
+        return {}
       end
-      class Result
-        HEADER_KEY = 'X-Rack-CORS'.freeze
-        MISS_NO_ORIGIN = 'no-origin'.freeze
-        MISS_NO_PATH   = 'no-path'.freeze
-        MISS_NO_METHOD   = 'no-method'.freeze
-        MISS_DENY_METHOD = 'deny-method'.freeze
-        MISS_DENY_HEADER = 'deny-header'.freeze
-        attr_accessor :preflight, :hit, :miss_reason
-        def hit?
-          !!hit
-        end
-        def preflight?
-          !!preflight
-        end
-        def miss(reason)
-          self.hit = false
-          self.miss_reason = reason
-        end
-        def self.hit(env)
-          r = Result.new
-          r.preflight = false
-          r.hit = true
-          env[RACK_CORS] = r
-        end
-        def self.miss(env, reason)
-          r = Result.new
-          r.preflight = false
-          r.hit = false
-          r.miss_reason = reason
-          env[RACK_CORS] = r
-        end
-        def self.preflight(env)
-          r = Result.new
-          r.preflight = true
-          env[RACK_CORS] = r
-        end
+      resource.process_preflight(env, result)
+    end
+    def process_cors(env, path)
+      resource, error = match_resource(path, env)
+      if resource
+        Result.hit(env)
+        cors = resource.to_headers(env)
+        cors
-        def append_header(headers)
-          headers[HEADER_KEY] = if hit?
-            preflight? ? 'preflight-hit' : 'hit'
-          else
-            [
-              (preflight? ? 'preflight-miss' : 'miss'),
-              miss_reason
-            ].join('; ')
-          end
-        end
+      else
+        Result.miss(env, error)
+        nil
       end
+    end
-      class Resources
-        attr_reader :resources
-        def initialize
-          @origins = []
-          @resources = []
-          @public_resources = false
-        end
-        def origins(*args, &blk)
-          @origins = args.flatten.reject{ |s| s == '' }.map do |n|
-            case n
-            when Proc,
-                 Regexp,
-                 /^https?:\/\//,
-                 'file://'        then n
-            when '*'              then @public_resources = true; n
-            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
-            end
-          end.flatten
-          @origins.push(blk) if blk
-        end
-        def resource(path, opts={})
-          @resources << Resource.new(public_resources?, path, opts)
-        end
-        def public_resources?
-          @public_resources
-        end
-        def allow_origin?(source,env = {})
-          return true if public_resources?
-          return !! @origins.detect do |origin|
-            if origin.is_a?(Proc)
-              origin.call(source,env)
-            else
-              origin === source
-            end
-          end
-        end
-        def match_resource(path, env)
-          @resources.detect { |r| r.match?(path, env) }
-        end
-        def resource_for_path(path)
-          @resources.detect { |r| r.matches_path?(path) }
-        end
+    def resource_for_path(path_info)
+      all_resources.each do |r|
+        found = r.resource_for_path(path_info)
+        return found if found
       end
+      nil
+    end
-      class Resource
-        class CorsMisconfigurationError < StandardError
-          def message
-            "Allowing credentials for wildcard origins is insecure."\
-            " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
-          end
-        end
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
-        def initialize(public_resource, path, opts={})
-          raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
-          self.path         = path
-          self.credentials  = public_resource ? false : (opts[:credentials] == true)
-          self.max_age      = opts[:max_age] || 1728000
-          self.pattern      = compile(path)
-          self.if_proc      = opts[:if]
-          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
-          @public_resource  = public_resource
-          self.headers = case opts[:headers]
-          when :any then :any
-          when nil then nil
-          else
-            [opts[:headers]].flatten.collect{|h| h.downcase}
-          end
-          self.methods = case opts[:methods]
-          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
-          else
-            ensure_enum(opts[:methods]) || [:get]
-          end.map{|e| e.to_s }
-          self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
-        end
-        def matches_path?(path)
-          pattern =~ path
-        end
-        def match?(path, env)
-          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
-        end
-        def process_preflight(env, result)
-          headers = {CONTENT_TYPE => TEXT_PLAIN}
-          request_method = env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
-          if request_method.nil?
-            result.miss(Result::MISS_NO_METHOD) and return headers
-          end
-          if !methods.include?(request_method.downcase)
-            result.miss(Result::MISS_DENY_METHOD) and return headers
-          end
-          request_headers = env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
-          if request_headers && !allow_headers?(request_headers)
-            result.miss(Result::MISS_DENY_HEADER) and return headers
-          end
-          result.hit = true
-          headers.merge(to_preflight_headers(env))
-        end
-        def to_headers(env)
-          h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[HTTP_ORIGIN]),
-            'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
-            'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
-            'Access-Control-Max-Age'          => max_age.to_s }
-          h['Access-Control-Allow-Credentials'] = 'true' if credentials
-          h
-        end
-        protected
-          def public_resource?
-            @public_resource
-          end
-          def origin_for_response_header(origin)
-            return '*' if public_resource?
-            origin
-          end
-          def to_preflight_headers(env)
-            h = to_headers(env)
-            if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
-              h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
-            end
-            h
-          end
-          def allow_headers?(request_headers)
-            headers = self.headers || []
-            if headers == :any
-              return true
-            end
-            request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-            request_headers.all? do |header|
-              header = header.downcase
-              CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
-            end
-          end
+    def match_resource(path, env)
+      origin = env[HTTP_ORIGIN]
-          def ensure_enum(v)
-            return nil if v.nil?
-            [v].flatten
-          end
+      origin_matched = false
+      all_resources.each do |r|
+        next unless r.allow_origin?(origin, env)
-          def compile(path)
-            if path.respond_to? :to_str
-              special_chars = %w{. + ( )}
-              pattern =
-                path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
-                  case match
-                  when "*"
-                    "(.*?)"
-                  when *special_chars
-                    Regexp.escape(match)
-                  else
-                    "([^/?&#]+)"
-                  end
-                end
-              /^#{pattern}$/
-            elsif path.respond_to? :match
-              path
-            else
-              raise TypeError, path
-            end
-          end
+        origin_matched = true
+        found = r.match_resource(path, env)
+        return [found, nil] if found
       end
+      [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+    end
   end
 end