rack-cors 1.0.3 → 1.0.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/CHANGELOG.md +8 -0
- data/lib/rack/cors.rb +18 -10
- data/lib/rack/cors/version.rb +1 -1
- data/rack-cors.gemspec +1 -0
- data/test/unit/cors_test.rb +6 -0
- data/test/unit/test.ru +1 -0
- metadata +17 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a12cdfc5aca2abf0cf86fb1ca217619fa6b40cad19721118016e064554f46ba0
|
|
4
|
+
data.tar.gz: 2874199b748909fdfd3e8ec601bd8620bc0235e60c66226259a79ff2404dbaf8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2b71fe191ad396ab85e8c1966e979fa3516ee768bae6ed93fd1d43644eada8a455dbab00990ef22440ee7f82dab16a37b283897403d4eba674547bda1f0b86f5
|
|
7
|
+
data.tar.gz: a31481b3f6d9d45bdc522c444e923438f7f513a57796bf2cf6eaaa665d87f7479bf5f1e5f5ea8d380ce7194f0d3690823e1a681e55c17317cab29bf87b7a7303
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,14 @@
|
|
|
1
1
|
# Change Log
|
|
2
2
|
All notable changes to this project will be documented in this file.
|
|
3
3
|
|
|
4
|
+
## 1.0.5 - 2019-11-14
|
|
5
|
+
### Changed
|
|
6
|
+
- Update Gem spec to require rack >= 1.6.0
|
|
7
|
+
|
|
8
|
+
## 1.0.4 - 2019-11-13
|
|
9
|
+
### Security
|
|
10
|
+
- Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
|
|
11
|
+
|
|
4
12
|
## 1.0.3 - 2019-03-24
|
|
5
13
|
### Changed
|
|
6
14
|
- Don't send 'Content-Type' header with pre-flight requests
|
data/lib/rack/cors.rb
CHANGED
|
@@ -64,24 +64,27 @@ module Rack
|
|
|
64
64
|
def call(env)
|
|
65
65
|
env[HTTP_ORIGIN] ||= env[HTTP_X_ORIGIN] if env[HTTP_X_ORIGIN]
|
|
66
66
|
|
|
67
|
+
path = evaluate_path(env)
|
|
68
|
+
|
|
67
69
|
add_headers = nil
|
|
68
70
|
if env[HTTP_ORIGIN]
|
|
69
71
|
debug(env) do
|
|
70
72
|
[ 'Incoming Headers:',
|
|
71
73
|
" Origin: #{env[HTTP_ORIGIN]}",
|
|
74
|
+
" Path-Info: #{path}",
|
|
72
75
|
" Access-Control-Request-Method: #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]}",
|
|
73
76
|
" Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
|
|
74
77
|
].join("\n")
|
|
75
78
|
end
|
|
76
79
|
if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
|
|
77
|
-
headers = process_preflight(env)
|
|
80
|
+
headers = process_preflight(env, path)
|
|
78
81
|
debug(env) do
|
|
79
82
|
"Preflight Headers:\n" +
|
|
80
83
|
headers.collect{|kv| " #{kv.join(': ')}"}.join("\n")
|
|
81
84
|
end
|
|
82
85
|
return [200, headers, []]
|
|
83
86
|
else
|
|
84
|
-
add_headers = process_cors(env)
|
|
87
|
+
add_headers = process_cors(env, path)
|
|
85
88
|
end
|
|
86
89
|
else
|
|
87
90
|
Result.miss(env, Result::MISS_NO_ORIGIN)
|
|
@@ -90,7 +93,7 @@ module Rack
|
|
|
90
93
|
# This call must be done BEFORE calling the app because for some reason
|
|
91
94
|
# env[PATH_INFO] gets changed after that and it won't match. (At least
|
|
92
95
|
# in rails 4.1.6)
|
|
93
|
-
vary_resource = resource_for_path(
|
|
96
|
+
vary_resource = resource_for_path(path)
|
|
94
97
|
|
|
95
98
|
status, headers, body = @app.call env
|
|
96
99
|
|
|
@@ -147,14 +150,20 @@ module Rack
|
|
|
147
150
|
end
|
|
148
151
|
end
|
|
149
152
|
|
|
153
|
+
def evaluate_path(env)
|
|
154
|
+
path = env[PATH_INFO]
|
|
155
|
+
path = Rack::Utils.clean_path_info(Rack::Utils.unescape_path(path)) if path
|
|
156
|
+
path
|
|
157
|
+
end
|
|
158
|
+
|
|
150
159
|
def all_resources
|
|
151
160
|
@all_resources ||= []
|
|
152
161
|
end
|
|
153
162
|
|
|
154
|
-
def process_preflight(env)
|
|
163
|
+
def process_preflight(env, path)
|
|
155
164
|
result = Result.preflight(env)
|
|
156
165
|
|
|
157
|
-
resource, error = match_resource(env)
|
|
166
|
+
resource, error = match_resource(path, env)
|
|
158
167
|
unless resource
|
|
159
168
|
result.miss(error)
|
|
160
169
|
return {}
|
|
@@ -163,8 +172,8 @@ module Rack
|
|
|
163
172
|
return resource.process_preflight(env, result)
|
|
164
173
|
end
|
|
165
174
|
|
|
166
|
-
def process_cors(env)
|
|
167
|
-
resource, error = match_resource(env)
|
|
175
|
+
def process_cors(env, path)
|
|
176
|
+
resource, error = match_resource(path, env)
|
|
168
177
|
if resource
|
|
169
178
|
Result.hit(env)
|
|
170
179
|
cors = resource.to_headers(env)
|
|
@@ -185,8 +194,7 @@ module Rack
|
|
|
185
194
|
nil
|
|
186
195
|
end
|
|
187
196
|
|
|
188
|
-
def match_resource(env)
|
|
189
|
-
path = env[PATH_INFO]
|
|
197
|
+
def match_resource(path, env)
|
|
190
198
|
origin = env[HTTP_ORIGIN]
|
|
191
199
|
|
|
192
200
|
origin_matched = false
|
|
@@ -330,7 +338,7 @@ module Rack
|
|
|
330
338
|
|
|
331
339
|
self.path = path
|
|
332
340
|
self.credentials = public_resource ? false : (opts[:credentials] == true)
|
|
333
|
-
self.max_age = opts[:max_age] ||
|
|
341
|
+
self.max_age = opts[:max_age] || 7200
|
|
334
342
|
self.pattern = compile(path)
|
|
335
343
|
self.if_proc = opts[:if]
|
|
336
344
|
self.vary_headers = opts[:vary] && [opts[:vary]].flatten
|
data/lib/rack/cors/version.rb
CHANGED
data/rack-cors.gemspec
CHANGED
|
@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
|
|
|
18
18
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
19
19
|
spec.require_paths = ["lib"]
|
|
20
20
|
|
|
21
|
+
spec.add_dependency "rack", ">= 1.6.0"
|
|
21
22
|
spec.add_development_dependency "bundler", ">= 1.16.0", '< 3'
|
|
22
23
|
spec.add_development_dependency "rake", "~> 12.3.0"
|
|
23
24
|
spec.add_development_dependency "minitest", "~> 5.11.0"
|
data/test/unit/cors_test.rb
CHANGED
|
@@ -146,6 +146,12 @@ describe Rack::Cors do
|
|
|
146
146
|
last_response.headers['Vary'].must_equal 'Origin, Host'
|
|
147
147
|
end
|
|
148
148
|
|
|
149
|
+
it "decode URL and resolve paths before resource matching" do
|
|
150
|
+
header 'Origin', 'http://localhost:3000'
|
|
151
|
+
get '/public/a/..%2F..%2Fprivate/stuff'
|
|
152
|
+
last_response.wont_render_cors_success
|
|
153
|
+
end
|
|
154
|
+
|
|
149
155
|
describe 'with array of upstream Vary headers' do
|
|
150
156
|
let(:app) { load_app('test', { proxy: true }) }
|
|
151
157
|
|
data/test/unit/test.ru
CHANGED
metadata
CHANGED
|
@@ -1,15 +1,29 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-cors
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Calvin Yu
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-11-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rack
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: 1.6.0
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: 1.6.0
|
|
13
27
|
- !ruby/object:Gem::Dependency
|
|
14
28
|
name: bundler
|
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -133,8 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
133
147
|
- !ruby/object:Gem::Version
|
|
134
148
|
version: '0'
|
|
135
149
|
requirements: []
|
|
136
|
-
|
|
137
|
-
rubygems_version: 2.7.6
|
|
150
|
+
rubygems_version: 3.0.6
|
|
138
151
|
signing_key:
|
|
139
152
|
specification_version: 4
|
|
140
153
|
summary: Middleware for enabling Cross-Origin Resource Sharing in Rack apps
|