RubyGems - rack-cors - Versions diffs - 1.0.5 → 2.0.1 - Mend

rack-cors 1.0.5 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rack-cors might be problematic. Click here for more details.

Files changed (24) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yaml +39 -0
data/.rubocop.yml +31 -0
data/CHANGELOG.md +26 -0
data/Gemfile +2 -0
data/README.md +56 -35
data/Rakefile +5 -4
data/lib/rack/cors/resource.rb +142 -0
data/lib/rack/cors/resources/cors_misconfiguration_error.rb +14 -0
data/lib/rack/cors/resources.rb +62 -0
data/lib/rack/cors/result.rb +63 -0
data/lib/rack/cors/version.rb +3 -1
data/lib/rack/cors.rb +105 -346
data/rack-cors.gemspec +20 -17
data/test/.rubocop.yml +8 -0
data/test/cors/test.cors.coffee +4 -2
data/test/cors/test.cors.js +6 -2
data/test/unit/cors_test.rb +174 -156
data/test/unit/dsl_test.rb +30 -29
data/test/unit/insecure.ru +2 -0
data/test/unit/non_http.ru +2 -0
data/test/unit/test.ru +24 -20
metadata +52 -17
data/.travis.yml +0 -8

data/lib/rack/cors.rb CHANGED Viewed

@@ -1,36 +1,38 @@
+# frozen_string_literal: true
 require 'logger'
+require_relative 'cors/resources'
+require_relative 'cors/resource'
+require_relative 'cors/result'
+require_relative 'cors/version'
 module Rack
   class Cors
-    HTTP_ORIGIN   = 'HTTP_ORIGIN'.freeze
-    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'.freeze
+    HTTP_ORIGIN   = 'HTTP_ORIGIN'
+    HTTP_X_ORIGIN = 'HTTP_X_ORIGIN'
-    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'.freeze
-    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'.freeze
+    HTTP_ACCESS_CONTROL_REQUEST_METHOD  = 'HTTP_ACCESS_CONTROL_REQUEST_METHOD'
+    HTTP_ACCESS_CONTROL_REQUEST_HEADERS = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
-    PATH_INFO      = 'PATH_INFO'.freeze
-    REQUEST_METHOD = 'REQUEST_METHOD'.freeze
+    PATH_INFO      = 'PATH_INFO'
+    REQUEST_METHOD = 'REQUEST_METHOD'
-    RACK_LOGGER = 'rack.logger'.freeze
+    RACK_LOGGER = 'rack.logger'
     RACK_CORS   =
-    # retaining the old key for backwards compatibility
-    ENV_KEY     = 'rack.cors'.freeze
+      # retaining the old key for backwards compatibility
+      ENV_KEY = 'rack.cors'
-    OPTIONS     = 'OPTIONS'.freeze
-    VARY        = 'Vary'.freeze
+    OPTIONS     = 'OPTIONS'
     DEFAULT_VARY_HEADERS = ['Origin'].freeze
-    # All CORS routes need to accept CORS simple headers at all times
-    # {https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers}
-    CORS_SIMPLE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'].freeze
-    def initialize(app, opts={}, &block)
+    def initialize(app, opts = {}, &block)
       @app = app
       @debug_mode = !!opts[:debug]
       @logger = @logger_proc = nil
-      if logger = opts[:logger]
+      logger = opts[:logger]
+      if logger
         if logger.respond_to? :call
           @logger_proc = opts[:logger]
         else
@@ -38,12 +40,12 @@ module Rack
         end
       end
-      if block_given?
-        if block.arity == 1
-          block.call(self)
-        else
-          instance_eval(&block)
-        end
+      return unless block_given?
+      if block.arity == 1
+        block.call(self)
+      else
+        instance_eval(&block)
       end
     end
@@ -69,18 +71,20 @@ module Rack
       add_headers = nil
       if env[HTTP_ORIGIN]
         debug(env) do
-          [ 'Incoming Headers:',
-            "  Origin: #{env[HTTP_ORIGIN]}",
-            "  Path-Info: #{path}",
-            "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
-            "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
-            ].join("\n")
+          ['Incoming Headers:',
+           "  Origin: #{env[HTTP_ORIGIN]}",
+           "  Path-Info: #{path}",
+           "  Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
+           "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"].join("\n")
         end
-        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+        if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          return [400, {}, []] unless Rack::Utils.valid_path?(path)
           headers = process_preflight(env, path)
           debug(env) do
             "Preflight Headers:\n" +
-                headers.collect{|kv| "  #{kv.join(': ')}"}.join("\n")
+              headers.collect { |kv| "  #{kv.join(': ')}" }.join("\n")
           end
           return [200, headers, []]
         else
@@ -101,9 +105,7 @@ module Rack
         headers = add_headers.merge(headers)
         debug(env) do
           add_headers.each_pair do |key, value|
-            if headers.has_key?(key)
-              headers["X-Rack-CORS-Original-#{key}"] = value
-            end
+            headers["x-rack-cors-original-#{key}"] = value if headers.key?(key)
           end
         end
       end
@@ -112,349 +114,106 @@ module Rack
       # response to be different depending on the Origin header value.
       # Better explained here: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
       if vary_resource
-        vary = headers[VARY]
-        cors_vary_headers = if vary_resource.vary_headers && vary_resource.vary_headers.any?
-          vary_resource.vary_headers
-        else
-          DEFAULT_VARY_HEADERS
-        end
-        headers[VARY] = ((vary ? ([vary].flatten.map { |v| v.split(/,\s*/) }.flatten) : []) + cors_vary_headers).uniq.join(', ')
+        vary = headers['vary']
+        cors_vary_headers = if vary_resource.vary_headers&.any?
+                              vary_resource.vary_headers
+                            else
+                              DEFAULT_VARY_HEADERS
+                            end
+        headers['vary'] = ((vary ? [vary].flatten.map { |v| v.split(/,\s*/) }.flatten : []) + cors_vary_headers).uniq.join(', ')
       end
-      if debug? && result = env[RACK_CORS]
-        result.append_header(headers)
-      end
+      result = env[ENV_KEY]
+      result.append_header(headers) if debug? && result
       [status, headers, body]
     end
     protected
-      def debug(env, message = nil, &block)
-        (@logger || select_logger(env)).debug(message, &block) if debug?
-      end
-      def select_logger(env)
-        @logger = if @logger_proc
-          logger_proc = @logger_proc
-          @logger_proc = nil
-          logger_proc.call
-        elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
-          Rails.logger
-        elsif env[RACK_LOGGER]
-          env[RACK_LOGGER]
-        else
-          ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
-        end
-      end
+    def debug(env, message = nil, &block)
+      (@logger || select_logger(env)).debug(message, &block) if debug?
+    end
-      def evaluate_path(env)
-        path = env[PATH_INFO]
-        path = Rack::Utils.clean_path_info(Rack::Utils.unescape_path(path)) if path
-        path
-      end
+    def select_logger(env)
+      @logger = if @logger_proc
+                  logger_proc = @logger_proc
+                  @logger_proc = nil
+                  logger_proc.call
-      def all_resources
-        @all_resources ||= []
-      end
+                elsif defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+                  Rails.logger
-      def process_preflight(env, path)
-        result = Result.preflight(env)
+                elsif env[RACK_LOGGER]
+                  env[RACK_LOGGER]
-        resource, error = match_resource(path, env)
-        unless resource
-          result.miss(error)
-          return {}
-        end
+                else
+                  ::Logger.new(STDOUT).tap { |logger| logger.level = ::Logger::Severity::DEBUG }
+                end
+    end
-        return resource.process_preflight(env, result)
-      end
+    def evaluate_path(env)
+      path = env[PATH_INFO]
-      def process_cors(env, path)
-        resource, error = match_resource(path, env)
-        if resource
-          Result.hit(env)
-          cors = resource.to_headers(env)
-          cors
+      if path
+        path = Rack::Utils.unescape_path(path)
-        else
-          Result.miss(env, error)
-          nil
-        end
+        path = Rack::Utils.clean_path_info(path) if Rack::Utils.valid_path?(path)
       end
-      def resource_for_path(path_info)
-        all_resources.each do |r|
-          if found = r.resource_for_path(path_info)
-            return found
-          end
-        end
-        nil
-      end
+      path
+    end
-      def match_resource(path, env)
-        origin = env[HTTP_ORIGIN]
+    def all_resources
+      @all_resources ||= []
+    end
-        origin_matched = false
-        all_resources.each do |r|
-          if r.allow_origin?(origin, env)
-            origin_matched = true
-            if found = r.match_resource(path, env)
-              return [found, nil]
-            end
-          end
-        end
+    def process_preflight(env, path)
+      result = Result.preflight(env)
-        [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+      resource, error = match_resource(path, env)
+      unless resource
+        result.miss(error)
+        return {}
       end
-      class Result
-        HEADER_KEY = 'X-Rack-CORS'.freeze
-        MISS_NO_ORIGIN = 'no-origin'.freeze
-        MISS_NO_PATH   = 'no-path'.freeze
-        MISS_NO_METHOD   = 'no-method'.freeze
-        MISS_DENY_METHOD = 'deny-method'.freeze
-        MISS_DENY_HEADER = 'deny-header'.freeze
-        attr_accessor :preflight, :hit, :miss_reason
-        def hit?
-          !!hit
-        end
-        def preflight?
-          !!preflight
-        end
-        def miss(reason)
-          self.hit = false
-          self.miss_reason = reason
-        end
-        def self.hit(env)
-          r = Result.new
-          r.preflight = false
-          r.hit = true
-          env[RACK_CORS] = r
-        end
-        def self.miss(env, reason)
-          r = Result.new
-          r.preflight = false
-          r.hit = false
-          r.miss_reason = reason
-          env[RACK_CORS] = r
-        end
-        def self.preflight(env)
-          r = Result.new
-          r.preflight = true
-          env[RACK_CORS] = r
-        end
+      resource.process_preflight(env, result)
+    end
+    def process_cors(env, path)
+      resource, error = match_resource(path, env)
+      if resource
+        Result.hit(env)
+        cors = resource.to_headers(env)
+        cors
-        def append_header(headers)
-          headers[HEADER_KEY] = if hit?
-            preflight? ? 'preflight-hit' : 'hit'
-          else
-            [
-              (preflight? ? 'preflight-miss' : 'miss'),
-              miss_reason
-            ].join('; ')
-          end
-        end
+      else
+        Result.miss(env, error)
+        nil
       end
+    end
-      class Resources
-        attr_reader :resources
-        def initialize
-          @origins = []
-          @resources = []
-          @public_resources = false
-        end
-        def origins(*args, &blk)
-          @origins = args.flatten.reject{ |s| s == '' }.map do |n|
-            case n
-            when Proc,
-                 Regexp,
-                 /^https?:\/\//,
-                 'file://'        then n
-            when '*'              then @public_resources = true; n
-            else                  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$")
-            end
-          end.flatten
-          @origins.push(blk) if blk
-        end
-        def resource(path, opts={})
-          @resources << Resource.new(public_resources?, path, opts)
-        end
-        def public_resources?
-          @public_resources
-        end
-        def allow_origin?(source,env = {})
-          return true if public_resources?
-          return !! @origins.detect do |origin|
-            if origin.is_a?(Proc)
-              origin.call(source,env)
-            else
-              origin === source
-            end
-          end
-        end
-        def match_resource(path, env)
-          @resources.detect { |r| r.match?(path, env) }
-        end
-        def resource_for_path(path)
-          @resources.detect { |r| r.matches_path?(path) }
-        end
+    def resource_for_path(path_info)
+      all_resources.each do |r|
+        found = r.resource_for_path(path_info)
+        return found if found
       end
+      nil
+    end
-      class Resource
-        class CorsMisconfigurationError < StandardError
-          def message
-            "Allowing credentials for wildcard origins is insecure."\
-            " Please specify more restrictive origins or set 'credentials' to false in your CORS configuration."
-          end
-        end
-        attr_accessor :path, :methods, :headers, :expose, :max_age, :credentials, :pattern, :if_proc, :vary_headers
-        def initialize(public_resource, path, opts={})
-          raise CorsMisconfigurationError if public_resource && opts[:credentials] == true
-          self.path         = path
-          self.credentials  = public_resource ? false : (opts[:credentials] == true)
-          self.max_age      = opts[:max_age] || 7200
-          self.pattern      = compile(path)
-          self.if_proc      = opts[:if]
-          self.vary_headers = opts[:vary] && [opts[:vary]].flatten
-          @public_resource  = public_resource
-          self.headers = case opts[:headers]
-          when :any then :any
-          when nil then nil
-          else
-            [opts[:headers]].flatten.collect{|h| h.downcase}
-          end
-          self.methods = case opts[:methods]
-          when :any then [:get, :head, :post, :put, :patch, :delete, :options]
-          else
-            ensure_enum(opts[:methods]) || [:get]
-          end.map{|e| e.to_s }
-          self.expose = opts[:expose] ? [opts[:expose]].flatten : nil
-        end
-        def matches_path?(path)
-          pattern =~ path
-        end
-        def match?(path, env)
-          matches_path?(path) && (if_proc.nil? || if_proc.call(env))
-        end
-        def process_preflight(env, result)
-          headers = {}
-          request_method = env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
-          if request_method.nil?
-            result.miss(Result::MISS_NO_METHOD) and return headers
-          end
-          if !methods.include?(request_method.downcase)
-            result.miss(Result::MISS_DENY_METHOD) and return headers
-          end
-          request_headers = env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
-          if request_headers && !allow_headers?(request_headers)
-            result.miss(Result::MISS_DENY_HEADER) and return headers
-          end
-          result.hit = true
-          headers.merge(to_preflight_headers(env))
-        end
-        def to_headers(env)
-          h = {
-            'Access-Control-Allow-Origin'     => origin_for_response_header(env[HTTP_ORIGIN]),
-            'Access-Control-Allow-Methods'    => methods.collect{|m| m.to_s.upcase}.join(', '),
-            'Access-Control-Expose-Headers'   => expose.nil? ? '' : expose.join(', '),
-            'Access-Control-Max-Age'          => max_age.to_s }
-          h['Access-Control-Allow-Credentials'] = 'true' if credentials
-          h
-        end
-        protected
-          def public_resource?
-            @public_resource
-          end
-          def origin_for_response_header(origin)
-            return '*' if public_resource?
-            origin
-          end
-          def to_preflight_headers(env)
-            h = to_headers(env)
-            if env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]
-              h.merge!('Access-Control-Allow-Headers' => env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS])
-            end
-            h
-          end
-          def allow_headers?(request_headers)
-            headers = self.headers || []
-            if headers == :any
-              return true
-            end
-            request_headers = request_headers.split(/,\s*/) if request_headers.kind_of?(String)
-            request_headers.all? do |header|
-              header = header.downcase
-              CORS_SIMPLE_HEADERS.include?(header) || headers.include?(header)
-            end
-          end
+    def match_resource(path, env)
+      origin = env[HTTP_ORIGIN]
-          def ensure_enum(v)
-            return nil if v.nil?
-            [v].flatten
-          end
+      origin_matched = false
+      all_resources.each do |r|
+        next unless r.allow_origin?(origin, env)
-          def compile(path)
-            if path.respond_to? :to_str
-              special_chars = %w{. + ( )}
-              pattern =
-                path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
-                  case match
-                  when "*"
-                    "(.*?)"
-                  when *special_chars
-                    Regexp.escape(match)
-                  else
-                    "([^/?&#]+)"
-                  end
-                end
-              /^#{pattern}$/
-            elsif path.respond_to? :match
-              path
-            else
-              raise TypeError, path
-            end
-          end
+        origin_matched = true
+        found = r.match_resource(path, env)
+        return [found, nil] if found
       end
+      [nil, origin_matched ? Result::MISS_NO_PATH : Result::MISS_NO_ORIGIN]
+    end
   end
 end

data/rack-cors.gemspec CHANGED Viewed

@@ -1,27 +1,30 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'rack/cors/version'
 Gem::Specification.new do |spec|
-  spec.name          = "rack-cors"
+  spec.name          = 'rack-cors'
   spec.version       = Rack::Cors::VERSION
-  spec.authors       = ["Calvin Yu"]
-  spec.email         = ["me@sourcebender.com"]
-  spec.description   = %q{Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors}
-  spec.summary       = %q{Middleware for enabling Cross-Origin Resource Sharing in Rack apps}
-  spec.homepage      = "https://github.com/cyu/rack-cors"
-  spec.license       = "MIT"
+  spec.authors       = ['Calvin Yu']
+  spec.email         = ['me@sourcebender.com']
+  spec.description   = 'Middleware that will make Rack-based apps CORS compatible. Fork the project here: https://github.com/cyu/rack-cors'
+  spec.summary       = 'Middleware for enabling Cross-Origin Resource Sharing in Rack apps'
+  spec.homepage      = 'https://github.com/cyu/rack-cors'
+  spec.license       = 'MIT'
-  spec.files         = `git ls-files`.split($/).reject { |f| f == '.gitignore' or f =~ /^examples/ }
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR).reject { |f| (f == '.gitignore') || f =~ /^examples/ }
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
-  spec.add_dependency "rack", ">= 1.6.0"
-  spec.add_development_dependency "bundler", ">= 1.16.0", '< 3'
-  spec.add_development_dependency "rake", "~> 12.3.0"
-  spec.add_development_dependency "minitest", "~> 5.11.0"
-  spec.add_development_dependency "mocha", "~> 1.6.0"
-  spec.add_development_dependency "rack-test", "~> 1.1.0"
+  spec.add_dependency 'rack', '>= 2.0.0'
+  spec.add_development_dependency 'bundler', '>= 1.16.0', '< 3'
+  spec.add_development_dependency 'minitest', '~> 5.11.0'
+  spec.add_development_dependency 'mocha', '~> 1.6.0'
+  spec.add_development_dependency 'pry', '~> 0.12'
+  spec.add_development_dependency 'rack-test', '>= 1.1.0'
+  spec.add_development_dependency 'rake', '~> 12.3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.80.1'
 end

data/test/.rubocop.yml ADDED Viewed

@@ -0,0 +1,8 @@
+---
+inherit_from: ../.rubocop.yml
+# Disables
+Style/ClassAndModuleChildren:
+  Enabled: false
+Security/Eval:
+  Enabled: false

data/test/cors/test.cors.coffee CHANGED Viewed

@@ -1,4 +1,6 @@
-CORS_SERVER = '127.0.0.1.xip.io:9292'
+CORS_SERVER = '127.0.0.1.xip.io:3000'
+mocha.setup({ignoreLeaks: true});
 describe 'CORS', ->
@@ -34,7 +36,7 @@ describe 'CORS', ->
   it 'should allow access to static resource', (done) ->
     $.get "http://#{CORS_SERVER}/static.txt", (data, status, xhr) ->
-      expect($.trim(data)).to.eql("hello world")
+      expect($.trim(data)).to.eql("Hello world")
       done()
   it 'should allow post resource', (done) ->

data/test/cors/test.cors.js CHANGED Viewed

@@ -2,7 +2,11 @@
 (function() {
   var CORS_SERVER;
-  CORS_SERVER = '127.0.0.1.xip.io:9292';
+  CORS_SERVER = '127.0.0.1.xip.io:3000';
+  mocha.setup({
+    ignoreLeaks: true
+  });
   describe('CORS', function() {
     it('should allow access to dynamic resource', function(done) {
@@ -53,7 +57,7 @@
     });
     it('should allow access to static resource', function(done) {
       return $.get(`http://${CORS_SERVER}/static.txt`, function(data, status, xhr) {
-        expect($.trim(data)).to.eql("hello world");
+        expect($.trim(data)).to.eql("Hello world");
         return done();
       });
     });