rack-corsgate 0.1.0

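--- /dev/null
+++ b/[path not shown in diff]
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: a6cdb87f1acca69a803813daa4afd4f54ff0474c
+data.tar.gz: 286851367e3d467458b2a63ae29ac97fa6c9674c
+SHA512:
+metadata.gz: 24077b24d4c823142a341d3c55067a53708360a4ee0f61b19f6c17f1f5801f2985e5156b6a77a66fe494564bf89fa6f0498b374fde51399c6f08c09572df147d
+data.tar.gz: b7e5b21bce87b6759fa19b452923025eed78848c6a75e72bef19bb1c101acf41d03fcdd90743af1441fc73bb8f7c32be01ab836663cf7aec239d55f12980018d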
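--- /dev/null
+++ b/lib/classes/cors_gate.rb
@@ -0,0 +1,55 @@
+require_relative './cors_gate_origin_processor.rb'
+
+module Rack
+class CorsGate
+def initialize(app, opts = {}, &forbidden_handler)
+@app = app
+
+@simulation = opts[:simulation] || false
+@strict = opts[:strict] || false
+@allow_safe = opts[:allow_safe] || false
+@forbidden_handler = forbidden_handler
+end
+
+def call(env)
+origin = env['HTTP_X_ORIGIN'] || env['HTTP_ORIGIN']
+method = env['REQUEST_METHOD']
+
+if is_allowed(env, origin, method)
+# valid request
+@app.call(env)
+else
+# allow logging, etc
+@forbidden_handler.call(env, origin, method) if @forbidden_handler
+
+# if we're simulating, forbidden_handler will have been called, but we continue with app-execution
+return @app.call(env) if @simulation
+
+# 403 Forbidden
+[403, {}, []]
+end
+end
+
+def self.use(middleware, opts = {}, &forbidden_handler)
+middleware.insert_before Rack::Cors, Rack::CorsGateOriginProcessor, opts
+middleware.insert_after Rack::Cors, Rack::CorsGate, opts, &forbidden_handler
+end
+
+private
+
+def is_allowed(env, origin, method)
+# if strict, require an Origin header
+if origin.nil?
+return true unless @strict
+
+# if strict, but allow_safe we let GET and HEAD through
+if @allow_safe && ['GET', 'HEAD'].include?(method)
+return true
+end
+return false
+end
+
+env['rack.cors'].hit?
+end
+end
+end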
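Review bot: `is_allowed` ends in `env['rack.cors'].hit?` with no nil guard, so any Origin-bearing request for which Rack::Cors did not populate `env['rack.cors']` (the gate mounted without Rack::Cors ahead of it, or a rack-cors version that only sets the key for some requests — worth confirming against 1.0.2) raises NoMethodError and becomes a 500 rather than the intended 403; `env['rack.cors']&.hit? || false` keeps that path a deliberate denial. The line deserves a comment stating what the gate actually relies on, e.g. `# rack-cors marks the request a hit only when the Origin matched an allowed resource; anything else is treated as cross-site and refused`, since that is the whole CSRF argument of this middleware. Smaller points of style: a Ruby predicate is named `allowed?` rather than `is_allowed`, and the nil-origin branch collapses to `return @allow_safe && %w[GET HEAD].include?(method)` after the `return true unless @strict` guard.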
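--- /dev/null
+++ b/lib/classes/cors_gate_origin_processor.rb
@@ -0,0 +1,50 @@
+module Rack
+# CorsGateOriginProcessor allows:
+# - referer header to be transformed to Origin header
+# - removal of "Origin: null" (Chrome)
+
+class CorsGateOriginProcessor
+def initialize(app, opts = {})
+@app = app
+@remove_null_origin = opts[:remove_null_origin] || false
+end
+
+def call(env)
+if @remove_null_origin
+# Consider Chrome's "null" origin the same as no origin being set at all
+
+env.delete('HTTP_ORIGIN') if env['HTTP_ORIGIN'] == 'null'
+env.delete('HTTP_X_ORIGIN') if env['HTTP_X_ORIGIN'] == 'null'
+end
+
+# Use referer header if no origin-header is present
+
+origin = env['HTTP_X_ORIGIN'] || env['HTTP_ORIGIN']
+referer = env['HTTP_REFERER']
+
+if origin.nil? && referer
+env['HTTP_ORIGIN'] = referer_to_origin(referer)
+end
+
+@app.call(env)
+end
+
+private
+
+def referer_to_origin(referer)
+uri = URI(referer)
+
+if is_standard_port(uri)
+"#{uri.scheme}://#{uri.host}"
+else
+"#{uri.scheme}://#{uri.host}:#{uri.port}"
+end
+end
+
+def is_standard_port(uri)
+return true if uri.scheme == 'https' && uri.port == 443
+return true if uri.scheme == 'http' && uri.port == 80
+false
+end
+end
+end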
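Review bot: `referer_to_origin` calls `URI(referer)` on a client-supplied header with no rescue, so a Referer that is not a valid URI raises `URI::InvalidURIError` out of the middleware (a 500), and a Referer that parses but has no scheme or host (e.g. `about:blank`) is turned into a malformed synthetic origin such as `about://:` that is then handed to rack-cors. Today both outcomes happen to deny the request, but by accident rather than by design; the conversion should only synthesize an Origin when scheme and host are both present, and the unparseable case should be rescued explicitly so the fail-closed decision is written down. `is_standard_port` can become `uri.port == uri.default_port`, which covers both schemes and follows the `standard_port?` predicate naming. The `remove_null_origin` option also deserves a comment: browsers send `Origin: null` for sandboxed frames and some redirect chains, and stripping it makes such a request look origin-less, which a non-strict gate then allows, so the option trades precision for compatibility and should say so.
```ruby
# … unchanged: remove_null_origin handling …
if origin.nil? && referer
  derived = referer_to_origin(referer)
  env['HTTP_ORIGIN'] = derived if derived
end
# … unchanged: @app.call(env), private …
def referer_to_origin(referer)
  uri = URI(referer)
  # Only a referer with both scheme and host names an origin; anything else
  # (e.g. about:blank) yields nil instead of a malformed "scheme://:" string.
  return nil unless uri.scheme && uri.host

  uri.port == uri.default_port ? "#{uri.scheme}://#{uri.host}" : "#{uri.scheme}://#{uri.host}:#{uri.port}"
rescue URI::InvalidURIError
  # TODO(review): unparseable Referer; previously this raised out of the middleware as a 500.
  nil
end
```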
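--- /dev/null
+++ b/lib/rack-corsgate.rb
@@ -0,0 +1,2 @@
+require_relative './classes/cors_gate.rb'
+require_relative './classes/cors_gate_origin_processor.rb'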
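--- /dev/null
+++ b/metadata
@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: rack-corsgate
+version: !ruby/object:Gem::Version
+version: 0.1.0
+platform: ruby
+authors:
+- Ron Korving
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-09-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rack-cors
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 1.0.2
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 1.0.2
+- !ruby/object:Gem::Dependency
+name: rspec-rails
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.8'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.8'
+- !ruby/object:Gem::Dependency
+name: rack-test
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+description: This middleware builds on top of rack-cors, using CORS rules to mitigate
+CSRF-attacks.
+email: rkorving@moneytree.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/classes/cors_gate.rb
+- lib/classes/cors_gate_origin_processor.rb
+- lib/rack-corsgate.rb
+homepage: https://github.com/moneytree/rack-corsgate
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.5.2
+signing_key:
+specification_version: 4
+summary: Modern CORS-based CSRF-protection for Rack apps
+test_files: []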