rack-corsgate 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a6cdb87f1acca69a803813daa4afd4f54ff0474c
+  data.tar.gz: 286851367e3d467458b2a63ae29ac97fa6c9674c
+SHA512:
+  metadata.gz: 24077b24d4c823142a341d3c55067a53708360a4ee0f61b19f6c17f1f5801f2985e5156b6a77a66fe494564bf89fa6f0498b374fde51399c6f08c09572df147d
+  data.tar.gz: b7e5b21bce87b6759fa19b452923025eed78848c6a75e72bef19bb1c101acf41d03fcdd90743af1441fc73bb8f7c32be01ab836663cf7aec239d55f12980018d

data/lib/classes/cors_gate.rb

@@ -0,0 +1,55 @@
+require_relative './cors_gate_origin_processor.rb'
+
+module Rack
+  class CorsGate
+    def initialize(app, opts = {}, &forbidden_handler)
+      @app = app
+
+      @simulation = opts[:simulation] || false
+      @strict = opts[:strict] || false
+      @allow_safe = opts[:allow_safe] || false
+      @forbidden_handler = forbidden_handler
+    end
+
+    def call(env)
+      origin = env['HTTP_X_ORIGIN'] || env['HTTP_ORIGIN']
+      method = env['REQUEST_METHOD']
+
+      if is_allowed(env, origin, method)
+        # valid request
+        @app.call(env)
+      else
+        # allow logging, etc
+        @forbidden_handler.call(env, origin, method) if @forbidden_handler
+
+        # if we're simulating, forbidden_handler will have been called, but we continue with app-execution
+        return @app.call(env) if @simulation
+
+        # 403 Forbidden
+        [403, {}, []]
+      end
+    end
+
+    def self.use(middleware, opts = {}, &forbidden_handler)
+      middleware.insert_before Rack::Cors, Rack::CorsGateOriginProcessor, opts
+      middleware.insert_after Rack::Cors, Rack::CorsGate, opts, &forbidden_handler
+    end
+
+    private
+
+    def is_allowed(env, origin, method)
+      # if strict, require an Origin header
+      if origin.nil?
+        return true unless @strict
+
+        # if strict, but allow_safe we let GET and HEAD through
+        if @allow_safe && ['GET', 'HEAD'].include?(method)
+          return true
+        end
+        return false
+      end
+
+      env['rack.cors'].hit?
+    end
+  end
+end

data/lib/classes/cors_gate_origin_processor.rb

@@ -0,0 +1,50 @@
+module Rack
+  # CorsGateOriginProcessor allows:
+  # - referer header to be transformed to Origin header
+  # - removal of "Origin: null" (Chrome)
+
+  class CorsGateOriginProcessor
+    def initialize(app, opts = {})
+      @app = app
+      @remove_null_origin = opts[:remove_null_origin] || false
+    end
+
+    def call(env)
+      if @remove_null_origin
+        # Consider Chrome's "null" origin the same as no origin being set at all
+
+        env.delete('HTTP_ORIGIN') if env['HTTP_ORIGIN'] == 'null'
+        env.delete('HTTP_X_ORIGIN') if env['HTTP_X_ORIGIN'] == 'null'
+      end
+
+      # Use referer header if no origin-header is present
+
+      origin = env['HTTP_X_ORIGIN'] || env['HTTP_ORIGIN']
+      referer = env['HTTP_REFERER']
+
+      if origin.nil? && referer
+        env['HTTP_ORIGIN'] = referer_to_origin(referer)
+      end
+
+      @app.call(env)
+    end
+
+    private
+
+    def referer_to_origin(referer)
+      uri = URI(referer)
+
+      if is_standard_port(uri)
+        "#{uri.scheme}://#{uri.host}"
+      else
+        "#{uri.scheme}://#{uri.host}:#{uri.port}"
+      end
+    end
+
+    def is_standard_port(uri)
+      return true if uri.scheme == 'https' && uri.port == 443
+      return true if uri.scheme == 'http' && uri.port == 80
+      false
+    end
+  end
+end

data/lib/rack-corsgate.rb

@@ -0,0 +1,2 @@
+require_relative './classes/cors_gate.rb'
+require_relative './classes/cors_gate_origin_processor.rb'

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: rack-corsgate
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Ron Korving
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-09-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack-cors
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+description: This middleware builds on top of rack-cors, using CORS rules to mitigate
+  CSRF-attacks.
+email: rkorving@moneytree.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/classes/cors_gate.rb
+- lib/classes/cors_gate_origin_processor.rb
+- lib/rack-corsgate.rb
+homepage: https://github.com/moneytree/rack-corsgate
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.2
+signing_key: 
+specification_version: 4
+summary: Modern CORS-based CSRF-protection for Rack apps
+test_files: []