rack-protection 1.5.2 → 1.5.3





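--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 522f79f2479b2792fe66e2e0831afa23d9b4c039
-data.tar.gz: 093a7f64d629cde5c16ef3355fe4604d57fee5d0
+metadata.gz: 738b46a37db596fd6ab75ccccfcf98b8530684d5
+data.tar.gz: ba76d3a2e8e5f5ec8493acf43980325a5a2bfb55
 SHA512:
-metadata.gz: ecb85cac807d3e454773435a8d931a36c4edd90d11aa85486efe80cfd8bf021684394547f9e22cffab41ee798301743322d937d82d88556a443dc498411c4f8b
-data.tar.gz: f4c57b6fa768de957a90f234efb45aa0b50581322e1c953b159549e8ac4d137f673538137d51bc9eb35fce7b7ad54bfd24fe35c3c7466686575f41844afff35a
+metadata.gz: 3c88e6d4d2bcb83aa35327db0bf8d1ef7e0057579573e305958a99cdb642bffab66009e73404322be636bc3860c0acbd58fc6c15a6dda8d55948713ef28fbae4
+data.tar.gz: 651bf843d47d99accab655195673ae835d266602845edb8fadd913c7bff8677636c0b2db825ea0e087309b6d62f89035d503eccf6e698c2d11c625150eccb111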
@@ -43,7 +43,6 @@ module Rack
43
43
 
44
44
  def call(env)
45
45
  unless accepts? env
46
- warn env, "attack prevented by #{self.class}"
47
46
  instrument env
48
47
  result = react env
49
48
  end
@@ -68,10 +67,12 @@ module Rack
68
67
  end
69
68
 
70
69
  def deny(env)
70
+ warn env, "attack prevented by #{self.class}"
71
71
  [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
72
72
  end
73
73
 
74
74
  def report(env)
75
+ warn env, "attack reported by #{self.class}"
75
76
  env[options[:report_key]] = true
76
77
  end
77
78
 
@@ -92,6 +93,7 @@ module Rack
92
93
  ref = env['HTTP_REFERER'].to_s
93
94
  return if !options[:allow_empty_referrer] and ref.empty?
94
95
  URI.parse(ref).host || Request.new(env).host
96
+ rescue URI::InvalidURIError
95
97
  end
96
98
 
97
99
  def origin(env)
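Review bot: The method-level `rescue URI::InvalidURIError` added after new line 95 turns an unparseable Referer into a nil return that is indistinguishable from the "missing and disallowed" case handled by the guard two lines above, and nothing in the hunk says what callers make of nil. If a caller treats nil as "no referrer", a malformed header would be accepted as though none had been sent; if it treats nil as a host mismatch the check fails closed — worth confirming which one the referrer-based protections rely on and stating it next to the rescue. A comment would settle the contract for the next reader: `# nil: Referer present but not a parseable URI; callers decide whether that is acceptable`. The `def referrer(env)` line and the start of the method are outside the hunk.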
@@ -4,7 +4,7 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- SIGNATURE = [1, 5, 2]
7
+ SIGNATURE = [1, 5, 3]
8
8
  VERSION = SIGNATURE.join('.')
9
9
 
10
10
  VERSION.extend Comparable
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.5.2"
5
+ s.version = "1.5.3"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
@@ -13,13 +13,14 @@ Gem::Specification.new do |s|
13
13
  "Konstantin Haase",
14
14
  "Alex Rodionov",
15
15
  "Patrick Ellis",
16
+ "Jason Staten",
16
17
  "ITO Nobuaki",
17
- "Matteo Centenaro",
18
18
  "Jeff Welling",
19
- "David Kellum",
19
+ "Matteo Centenaro",
20
20
  "Egor Homakov",
21
21
  "Florian Gilcher",
22
22
  "Fojas",
23
+ "Igor Bochkariov",
23
24
  "Mael Clerambault",
24
25
  "Martin Mauch",
25
26
  "Renne Nissinen",
@@ -27,27 +28,30 @@ Gem::Specification.new do |s|
27
28
  "Stanislav Savulchik",
28
29
  "Steve Agalloco",
29
30
  "TOBY",
31
+ "Thais Camilo and Konstantin Haase",
30
32
  "Vipul A M",
31
33
  "Akzhan Abdulin",
32
34
  "brookemckim",
33
- "Bj\u00F8rge N\u00E6ss",
35
+ "Bj\u{f8}rge N\u{e6}ss",
34
36
  "Chris Heald",
35
37
  "Chris Mytton",
36
38
  "Corey Ward",
37
- "Dario Cravero"
39
+ "Dario Cravero",
40
+ "David Kellum"
38
41
  ]
39
42
 
40
43
  # generated from git shortlog -sne
41
44
  s.email = [
42
45
  "konstantin.mailinglists@googlemail.com",
43
46
  "p0deje@gmail.com",
47
+ "jstaten07@gmail.com",
44
48
  "patrick@soundcloud.com",
45
49
  "jeff.welling@gmail.com",
46
- "daydream.trippers@gmail.com",
47
50
  "bugant@gmail.com",
48
- "homakov@gmail.com",
51
+ "daydream.trippers@gmail.com",
49
52
  "florian.gilcher@asquera.de",
50
53
  "developer@fojasaur.us",
54
+ "ujifgc@gmail.com",
51
55
  "mael@clerambault.fr",
52
56
  "martin.mauch@gmail.com",
53
57
  "rennex@iki.fi",
@@ -55,6 +59,7 @@ Gem::Specification.new do |s|
55
59
  "s.savulchik@gmail.com",
56
60
  "steve.agalloco@gmail.com",
57
61
  "toby.net.info.mail+git@gmail.com",
62
+ "dev+narwen+rkh@rkh.im",
58
63
  "vipulnsward@gmail.com",
59
64
  "akzhan.abdulin@gmail.com",
60
65
  "brooke@digitalocean.com",
@@ -63,7 +68,8 @@ Gem::Specification.new do |s|
63
68
  "self@hecticjeff.net",
64
69
  "coreyward@me.com",
65
70
  "dario@uxtemple.com",
66
- "dek-oss@gravitext.com"
71
+ "dek-oss@gravitext.com",
72
+ "homakov@gmail.com"
67
73
  ]
68
74
 
69
75
  # generated from git ls-files
@@ -1,9 +1,40 @@
1
1
  require File.expand_path('../spec_helper.rb', __FILE__)
2
2
 
3
3
  describe Rack::Protection::Base do
4
+
5
+ subject { described_class.new(lambda {}) }
6
+
4
7
  describe "#random_string" do
5
8
  it "outputs a string of 32 characters" do
6
- described_class.new(lambda {}).random_string.length.should == 32
9
+ subject.random_string.length.should == 32
10
+ end
11
+ end
12
+
13
+ describe "#referrer" do
14
+ it "Reads referrer from Referer header" do
15
+ env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
16
+ subject.referrer(env).should == "bar.com"
17
+ end
18
+
19
+ it "Reads referrer from Host header when Referer header is relative" do
20
+ env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
21
+ subject.referrer(env).should == "foo.com"
22
+ end
23
+
24
+ it "Reads referrer from Host header when Referer header is missing" do
25
+ env = {"HTTP_HOST" => "foo.com"}
26
+ subject.referrer(env).should == "foo.com"
27
+ end
28
+
29
+ it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
30
+ env = {"HTTP_HOST" => "foo.com"}
31
+ subject.options[:allow_empty_referrer] = false
32
+ subject.referrer(env).should be_nil
33
+ end
34
+
35
+ it "Returns nil when Referer header is invalid" do
36
+ env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
37
+ subject.referrer(env).should be_nil
7
38
  end
8
39
  end
9
40
  end
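Review bot: The new `#referrer` examples start their descriptions with a capital ("Reads referrer from …", "Returns nil when …") while the existing example in this file reads as a lowercase continuation of the subject ("outputs a string of 32 characters"); lowercasing keeps the file consistent, e.g. `it "reads referrer from Referer header" do`. The example at new line 31 also assigns into `subject.options`; that is confined to one example only if `described_class.new` builds a fresh options hash, which cannot be seen from here — if it hands back a shared default hash, the assignment would leak into later examples. Passing the option through the constructor, or setting and restoring it in `before`/`after` hooks, avoids depending on that.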
@@ -30,6 +30,41 @@ describe Rack::Protection do
30
30
  body.should == "true"
31
31
  end
32
32
 
33
+ describe "#react" do
34
+ it 'prevents attacks and warns about it' do
35
+ io = StringIO.new
36
+ mock_app do
37
+ use Rack::Protection, :logger => Logger.new(io)
38
+ run DummyApp
39
+ end
40
+ post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
41
+ io.string.should match /prevented.*Origin/
42
+ end
43
+
44
+ it 'reports attacks if reaction is to report' do
45
+ io = StringIO.new
46
+ mock_app do
47
+ use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
48
+ run DummyApp
49
+ end
50
+ post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
51
+ io.string.should match /reported.*Origin/
52
+ io.string.should_not match /prevented.*Origin/
53
+ end
54
+
55
+ it 'passes errors to reaction method if specified' do
56
+ io = StringIO.new
57
+ Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
58
+ mock_app do
59
+ use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
60
+ run DummyApp
61
+ end
62
+ post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
63
+ io.string.should match /HTTP_ORIGIN.*malicious.com/
64
+ io.string.should_not match /reported|prevented/
65
+ end
66
+ end
67
+
33
68
  describe "#html?" do
34
69
  context "given an appropriate content-type header" do
35
70
  subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
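Review bot: The example 'passes errors to reaction method if specified' (new lines 55-65) defines `special` on `Rack::Protection::Base` through `send(:define_method, …)` and never removes it, so the method — and its closure over this example's `io` — stays on the class for the rest of the test run. Any later example that builds a protection with `:reaction => :special` would silently write into that stale StringIO instead of failing. Removing it in an `after` hook, `Rack::Protection::Base.send(:remove_method, :special)`, or defining the reaction on a throwaway subclass, keeps the change local to the example.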
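--- a/metadata
+++ b/metadata
@@ -1,19 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-version: 1.5.2
+version: 1.5.3
 platform: ruby
 authors:
 - Konstantin Haase
 - Alex Rodionov
 - Patrick Ellis
+- Jason Staten
 - ITO Nobuaki
-- Matteo Centenaro
 - Jeff Welling
-- David Kellum
+- Matteo Centenaro
 - Egor Homakov
 - Florian Gilcher
 - Fojas
+- Igor Bochkariov
 - Mael Clerambault
 - Martin Mauch
 - Renne Nissinen
@@ -21,6 +22,7 @@ authors:
 - Stanislav Savulchik
 - Steve Agalloco
 - TOBY
+- Thais Camilo and Konstantin Haase
 - Vipul A M
 - Akzhan Abdulin
 - brookemckim
@@ -29,64 +31,66 @@ authors:
 - Chris Mytton
 - Corey Ward
 - Dario Cravero
+- David Kellum
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-01-15 00:00:00.000000000 Z
+date: 2014-04-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
 name: rack-test
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
 name: rspec
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - ~>
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - ~>
+- - "~>"
 - !ruby/object:Gem::Version
 version: '2.0'
 description: You should use protection!
 email:
 - konstantin.mailinglists@googlemail.com
 - p0deje@gmail.com
+- jstaten07@gmail.com
 - patrick@soundcloud.com
 - jeff.welling@gmail.com
-- daydream.trippers@gmail.com
 - bugant@gmail.com
-- homakov@gmail.com
+- daydream.trippers@gmail.com
 - florian.gilcher@asquera.de
 - developer@fojasaur.us
+- ujifgc@gmail.com
 - mael@clerambault.fr
 - martin.mauch@gmail.com
 - rennex@iki.fi
@@ -94,6 +98,7 @@ email:
 - s.savulchik@gmail.com
 - steve.agalloco@gmail.com
 - toby.net.info.mail+git@gmail.com
+- dev+narwen+rkh@rkh.im
 - vipulnsward@gmail.com
 - akzhan.abdulin@gmail.com
 - brooke@digitalocean.com
@@ -103,6 +108,7 @@ email:
 - coreyward@me.com
 - dario@uxtemple.com
 - dek-oss@gravitext.com
+- homakov@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -152,18 +158,19 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
-- - '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - '>='
+- - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.0
+rubygems_version: 2.0.14
 signing_key:
 specification_version: 4
 summary: You should use protection!
 test_files: []
+has_rdoc: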