rack-corsgate 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/lib/classes/cors_gate.rb +55 -0
- data/lib/classes/cors_gate_origin_processor.rb +50 -0
- data/lib/rack-corsgate.rb +2 -0
- metadata +89 -0
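--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: a6cdb87f1acca69a803813daa4afd4f54ff0474c
+data.tar.gz: 286851367e3d467458b2a63ae29ac97fa6c9674c
+SHA512:
+metadata.gz: 24077b24d4c823142a341d3c55067a53708360a4ee0f61b19f6c17f1f5801f2985e5156b6a77a66fe494564bf89fa6f0498b374fde51399c6f08c09572df147d
+data.tar.gz: b7e5b21bce87b6759fa19b452923025eed78848c6a75e72bef19bb1c101acf41d03fcdd90743af1441fc73bb8f7c32be01ab836663cf7aec239d55f12980018d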
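--- a/data/lib/classes/cors_gate.rb
+++ b/data/lib/classes/cors_gate.rb
@@ -0,0 +1,55 @@
+require_relative './cors_gate_origin_processor.rb'
+
+module Rack
+class CorsGate
+def initialize(app, opts = {}, &forbidden_handler)
+@app = app
+
+@simulation = opts[:simulation] || false
+@strict = opts[:strict] || false
+@allow_safe = opts[:allow_safe] || false
+@forbidden_handler = forbidden_handler
+end
+
+def call(env)
+origin = env['HTTP_X_ORIGIN'] || env['HTTP_ORIGIN']
+method = env['REQUEST_METHOD']
+
+if is_allowed(env, origin, method)
+# valid request
+@app.call(env)
+else
+# allow logging, etc
+@forbidden_handler.call(env, origin, method) if @forbidden_handler
+
+# if we're simulating, forbidden_handler will have been called, but we continue with app-execution
+return @app.call(env) if @simulation
+
+# 403 Forbidden
+[403, {}, []]
+end
+end
+
+def self.use(middleware, opts = {}, &forbidden_handler)
+middleware.insert_before Rack::Cors, Rack::CorsGateOriginProcessor, opts
+middleware.insert_after Rack::Cors, Rack::CorsGate, opts, &forbidden_handler
+end
+
+private
+
+def is_allowed(env, origin, method)
+# if strict, require an Origin header
+if origin.nil?
+return true unless @strict
+
+# if strict, but allow_safe we let GET and HEAD through
+if @allow_safe && ['GET', 'HEAD'].include?(method)
+return true
+end
+return false
+end
+
+env['rack.cors'].hit?
+end
+end
+end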
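Review bot: `env['rack.cors'].hit?` at the end of `is_allowed` dereferences whatever Rack::Cors stored in the env, and when that key is absent — the gate mounted without Rack::Cors ahead of it, or a request the cors middleware did not annotate — every request carrying an Origin header raises NoMethodError on nil instead of being rejected; fail closed with `result = env['rack.cors']` / `return false unless result.respond_to?(:hit?)` / `result.hit?`. That matters because this method is the whole CSRF decision, and a 500 here is also a cheap way for a client to distinguish deployments where the cors layer is missing. `self.use` references the `Rack::Cors` constant at runtime, yet this file never requires `rack/cors` and the gem metadata in this same release lists rack-cors only as a `:development` dependency, so a consumer that does not already load it gets a NameError at boot unless `lib/rack-corsgate.rb` (not shown here) does the require; declare it as a runtime dependency. The gate also prefers a client-supplied `X-Origin` over the browser-set `Origin`; as a custom header it would be preflighted cross-origin, so this is not an obvious bypass, but the precedence deserves a comment such as `# X-Origin is consulted first so non-browser callers can supply an explicit origin — document why this is trusted`. Finally, `is_allowed` reads as `allowed?` under Ruby predicate convention, and `['GET', 'HEAD']` is rebuilt per call — hoist it to `SAFE_METHODS = %w[GET HEAD].freeze`.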
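--- a/data/lib/classes/cors_gate_origin_processor.rb
+++ b/data/lib/classes/cors_gate_origin_processor.rb
@@ -0,0 +1,50 @@
+module Rack
+# CorsGateOriginProcessor allows:
+# - referer header to be transformed to Origin header
+# - removal of "Origin: null" (Chrome)
+
+class CorsGateOriginProcessor
+def initialize(app, opts = {})
+@app = app
+@remove_null_origin = opts[:remove_null_origin] || false
+end
+
+def call(env)
+if @remove_null_origin
+# Consider Chrome's "null" origin the same as no origin being set at all
+
+env.delete('HTTP_ORIGIN') if env['HTTP_ORIGIN'] == 'null'
+env.delete('HTTP_X_ORIGIN') if env['HTTP_X_ORIGIN'] == 'null'
+end
+
+# Use referer header if no origin-header is present
+
+origin = env['HTTP_X_ORIGIN'] || env['HTTP_ORIGIN']
+referer = env['HTTP_REFERER']
+
+if origin.nil? && referer
+env['HTTP_ORIGIN'] = referer_to_origin(referer)
+end
+
+@app.call(env)
+end
+
+private
+
+def referer_to_origin(referer)
+uri = URI(referer)
+
+if is_standard_port(uri)
+"#{uri.scheme}://#{uri.host}"
+else
+"#{uri.scheme}://#{uri.host}:#{uri.port}"
+end
+end
+
+def is_standard_port(uri)
+return true if uri.scheme == 'https' && uri.port == 443
+return true if uri.scheme == 'http' && uri.port == 80
+false
+end
+end
+end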
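Review bot: `URI(referer)` in `referer_to_origin` parses a client-controlled Referer header with no rescue, so a malformed value raises `URI::InvalidURIError` and becomes a 500 before the gate runs, while a value that parses but has no scheme or host (a relative referer) yields an origin like `://` that is silently written into `HTTP_ORIGIN` and handed to Rack::Cors. Catch the parse error, return nil when scheme or host is missing, and only set `HTTP_ORIGIN` when a real origin was derived — the request then looks like it had no Origin, which the gate already decides by policy (`strict` rejects, non-strict allows), so no new bypass is introduced. The file also uses `URI` without `require 'uri'`, relying on whatever loads it first; add the require at the top. `is_standard_port` is a predicate and would conventionally be `standard_port?`.
```ruby
      if origin.nil? && referer
        derived = referer_to_origin(referer)
        env['HTTP_ORIGIN'] = derived if derived
      end
      # … unchanged: @app.call(env) …

    # Returns "scheme://host[:port]" for a well-formed absolute Referer, nil otherwise.
    def referer_to_origin(referer)
      uri = URI(referer)
      return nil if uri.scheme.nil? || uri.host.nil?

      # … unchanged: standard-port formatting …
    rescue URI::InvalidURIError
      nil
    end
```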
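--- a/metadata
+++ b/metadata
@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: rack-corsgate
+version: !ruby/object:Gem::Version
+version: 0.1.0
+platform: ruby
+authors:
+- Ron Korving
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-09-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rack-cors
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 1.0.2
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 1.0.2
+- !ruby/object:Gem::Dependency
+name: rspec-rails
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.8'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.8'
+- !ruby/object:Gem::Dependency
+name: rack-test
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+description: This middleware builds on top of rack-cors, using CORS rules to mitigate
+CSRF-attacks.
+email: rkorving@moneytree.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/classes/cors_gate.rb
+- lib/classes/cors_gate_origin_processor.rb
+- lib/rack-corsgate.rb
+homepage: https://github.com/moneytree/rack-corsgate
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.5.2
+signing_key:
+specification_version: 4
+summary: Modern CORS-based CSRF-protection for Rack apps
+test_files: []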