rack-protection 1.5.2 → 1.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 522f79f2479b2792fe66e2e0831afa23d9b4c039
4
- data.tar.gz: 093a7f64d629cde5c16ef3355fe4604d57fee5d0
3
+ metadata.gz: 738b46a37db596fd6ab75ccccfcf98b8530684d5
4
+ data.tar.gz: ba76d3a2e8e5f5ec8493acf43980325a5a2bfb55
5
5
  SHA512:
6
- metadata.gz: ecb85cac807d3e454773435a8d931a36c4edd90d11aa85486efe80cfd8bf021684394547f9e22cffab41ee798301743322d937d82d88556a443dc498411c4f8b
7
- data.tar.gz: f4c57b6fa768de957a90f234efb45aa0b50581322e1c953b159549e8ac4d137f673538137d51bc9eb35fce7b7ad54bfd24fe35c3c7466686575f41844afff35a
6
+ metadata.gz: 3c88e6d4d2bcb83aa35327db0bf8d1ef7e0057579573e305958a99cdb642bffab66009e73404322be636bc3860c0acbd58fc6c15a6dda8d55948713ef28fbae4
7
+ data.tar.gz: 651bf843d47d99accab655195673ae835d266602845edb8fadd913c7bff8677636c0b2db825ea0e087309b6d62f89035d503eccf6e698c2d11c625150eccb111
@@ -43,7 +43,6 @@ module Rack
43
43
 
44
44
  def call(env)
45
45
  unless accepts? env
46
- warn env, "attack prevented by #{self.class}"
47
46
  instrument env
48
47
  result = react env
49
48
  end
@@ -68,10 +67,12 @@ module Rack
68
67
  end
69
68
 
70
69
  def deny(env)
70
+ warn env, "attack prevented by #{self.class}"
71
71
  [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
72
72
  end
73
73
 
74
74
  def report(env)
75
+ warn env, "attack reported by #{self.class}"
75
76
  env[options[:report_key]] = true
76
77
  end
77
78
 
@@ -92,6 +93,7 @@ module Rack
92
93
  ref = env['HTTP_REFERER'].to_s
93
94
  return if !options[:allow_empty_referrer] and ref.empty?
94
95
  URI.parse(ref).host || Request.new(env).host
96
+ rescue URI::InvalidURIError
95
97
  end
96
98
 
97
99
  def origin(env)
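Review bot: The new `rescue URI::InvalidURIError` makes a malformed Referer resolve to nil, but a syntactically valid, scheme-less Referer such as `bar.com/evil` still reaches `URI.parse(ref).host || Request.new(env).host` and is reported as the request's own host, so the two bad-input paths now diverge and only the first is fail-closed if the consuming checks treat nil as "reject" (how they treat nil is not visible in this hunk). The intended semantics should be pinned in code rather than left to the implicit nil of a bare `rescue`, e.g. `rescue URI::InvalidURIError` followed by `nil # malformed Referer: treat as absent, never as same-origin`, with a companion comment on the `|| Request.new(env).host` line stating that the fallback is meant for relative Referers only. The rescue is also silent; since `warn env, msg` is already used for denials, a `warn env, "ignoring unparseable Referer"` here would leave a trace for triage. The `def referrer(env)` line lies above the hunk.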
@@ -4,7 +4,7 @@ module Rack
4
4
  VERSION
5
5
  end
6
6
 
7
- SIGNATURE = [1, 5, 2]
7
+ SIGNATURE = [1, 5, 3]
8
8
  VERSION = SIGNATURE.join('.')
9
9
 
10
10
  VERSION.extend Comparable
@@ -2,7 +2,7 @@
2
2
  Gem::Specification.new do |s|
3
3
  # general infos
4
4
  s.name = "rack-protection"
5
- s.version = "1.5.2"
5
+ s.version = "1.5.3"
6
6
  s.description = "You should use protection!"
7
7
  s.homepage = "http://github.com/rkh/rack-protection"
8
8
  s.summary = s.description
@@ -13,13 +13,14 @@ Gem::Specification.new do |s|
13
13
  "Konstantin Haase",
14
14
  "Alex Rodionov",
15
15
  "Patrick Ellis",
16
+ "Jason Staten",
16
17
  "ITO Nobuaki",
17
- "Matteo Centenaro",
18
18
  "Jeff Welling",
19
- "David Kellum",
19
+ "Matteo Centenaro",
20
20
  "Egor Homakov",
21
21
  "Florian Gilcher",
22
22
  "Fojas",
23
+ "Igor Bochkariov",
23
24
  "Mael Clerambault",
24
25
  "Martin Mauch",
25
26
  "Renne Nissinen",
@@ -27,27 +28,30 @@ Gem::Specification.new do |s|
27
28
  "Stanislav Savulchik",
28
29
  "Steve Agalloco",
29
30
  "TOBY",
31
+ "Thais Camilo and Konstantin Haase",
30
32
  "Vipul A M",
31
33
  "Akzhan Abdulin",
32
34
  "brookemckim",
33
- "Bj\u00F8rge N\u00E6ss",
35
+ "Bj\u{f8}rge N\u{e6}ss",
34
36
  "Chris Heald",
35
37
  "Chris Mytton",
36
38
  "Corey Ward",
37
- "Dario Cravero"
39
+ "Dario Cravero",
40
+ "David Kellum"
38
41
  ]
39
42
 
40
43
  # generated from git shortlog -sne
41
44
  s.email = [
42
45
  "konstantin.mailinglists@googlemail.com",
43
46
  "p0deje@gmail.com",
47
+ "jstaten07@gmail.com",
44
48
  "patrick@soundcloud.com",
45
49
  "jeff.welling@gmail.com",
46
- "daydream.trippers@gmail.com",
47
50
  "bugant@gmail.com",
48
- "homakov@gmail.com",
51
+ "daydream.trippers@gmail.com",
49
52
  "florian.gilcher@asquera.de",
50
53
  "developer@fojasaur.us",
54
+ "ujifgc@gmail.com",
51
55
  "mael@clerambault.fr",
52
56
  "martin.mauch@gmail.com",
53
57
  "rennex@iki.fi",
@@ -55,6 +59,7 @@ Gem::Specification.new do |s|
55
59
  "s.savulchik@gmail.com",
56
60
  "steve.agalloco@gmail.com",
57
61
  "toby.net.info.mail+git@gmail.com",
62
+ "dev+narwen+rkh@rkh.im",
58
63
  "vipulnsward@gmail.com",
59
64
  "akzhan.abdulin@gmail.com",
60
65
  "brooke@digitalocean.com",
@@ -63,7 +68,8 @@ Gem::Specification.new do |s|
63
68
  "self@hecticjeff.net",
64
69
  "coreyward@me.com",
65
70
  "dario@uxtemple.com",
66
- "dek-oss@gravitext.com"
71
+ "dek-oss@gravitext.com",
72
+ "homakov@gmail.com"
67
73
  ]
68
74
 
69
75
  # generated from git ls-files
@@ -1,9 +1,40 @@
1
1
  require File.expand_path('../spec_helper.rb', __FILE__)
2
2
 
3
3
  describe Rack::Protection::Base do
4
+
5
+ subject { described_class.new(lambda {}) }
6
+
4
7
  describe "#random_string" do
5
8
  it "outputs a string of 32 characters" do
6
- described_class.new(lambda {}).random_string.length.should == 32
9
+ subject.random_string.length.should == 32
10
+ end
11
+ end
12
+
13
+ describe "#referrer" do
14
+ it "Reads referrer from Referer header" do
15
+ env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
16
+ subject.referrer(env).should == "bar.com"
17
+ end
18
+
19
+ it "Reads referrer from Host header when Referer header is relative" do
20
+ env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
21
+ subject.referrer(env).should == "foo.com"
22
+ end
23
+
24
+ it "Reads referrer from Host header when Referer header is missing" do
25
+ env = {"HTTP_HOST" => "foo.com"}
26
+ subject.referrer(env).should == "foo.com"
27
+ end
28
+
29
+ it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
30
+ env = {"HTTP_HOST" => "foo.com"}
31
+ subject.options[:allow_empty_referrer] = false
32
+ subject.referrer(env).should be_nil
33
+ end
34
+
35
+ it "Returns nil when Referer header is invalid" do
36
+ env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
37
+ subject.referrer(env).should be_nil
7
38
  end
8
39
  end
9
40
  end
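Review bot: The new `#referrer` examples cover a relative Referer and a malformed one but not a scheme-less one such as `"bar.com/evil"`, which `URI.parse` treats as a path with no host and which therefore falls through to the request's own host — the case most likely to surprise a security reviewer, and the one worth pinning (or rejecting) explicitly. A spec of the form `env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "bar.com/evil"}` / `subject.referrer(env).should == "foo.com"` would document the current behaviour. The "Reads referrer from Host header when Referer header is missing" example also depends on `allow_empty_referrer` defaulting to true; that default is not visible in this diff, so the example's description should say it relies on the default.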
@@ -30,6 +30,41 @@ describe Rack::Protection do
30
30
  body.should == "true"
31
31
  end
32
32
 
33
+ describe "#react" do
34
+ it 'prevents attacks and warns about it' do
35
+ io = StringIO.new
36
+ mock_app do
37
+ use Rack::Protection, :logger => Logger.new(io)
38
+ run DummyApp
39
+ end
40
+ post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
41
+ io.string.should match /prevented.*Origin/
42
+ end
43
+
44
+ it 'reports attacks if reaction is to report' do
45
+ io = StringIO.new
46
+ mock_app do
47
+ use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
48
+ run DummyApp
49
+ end
50
+ post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
51
+ io.string.should match /reported.*Origin/
52
+ io.string.should_not match /prevented.*Origin/
53
+ end
54
+
55
+ it 'passes errors to reaction method if specified' do
56
+ io = StringIO.new
57
+ Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
58
+ mock_app do
59
+ use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
60
+ run DummyApp
61
+ end
62
+ post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
63
+ io.string.should match /HTTP_ORIGIN.*malicious.com/
64
+ io.string.should_not match /reported|prevented/
65
+ end
66
+ end
67
+
33
68
  describe "#html?" do
34
69
  context "given an appropriate content-type header" do
35
70
  subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
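Review bot: `Rack::Protection::Base.send(:define_method, :special)` in the "passes errors to reaction method" example adds a method to the real class and never removes it, so `special` (and the `io` it closes over) leaks into every later example in the suite; add cleanup inside the `describe "#react"` block, e.g. `after { Rack::Protection::Base.send(:remove_method, :special) if Rack::Protection::Base.method_defined?(:special) }`, or define the method on a throwaway subclass used only by that example. The three examples also assert only on log output; none checks that the denied request actually received the configured status and body, so a regression that logs but lets the request through would still pass — `last_response.status.should == <options[:status]>` (the default is not visible here) in the first example would close that gap.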
metadata CHANGED
@@ -1,19 +1,20 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.5.2
4
+ version: 1.5.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Konstantin Haase
8
8
  - Alex Rodionov
9
9
  - Patrick Ellis
10
+ - Jason Staten
10
11
  - ITO Nobuaki
11
- - Matteo Centenaro
12
12
  - Jeff Welling
13
- - David Kellum
13
+ - Matteo Centenaro
14
14
  - Egor Homakov
15
15
  - Florian Gilcher
16
16
  - Fojas
17
+ - Igor Bochkariov
17
18
  - Mael Clerambault
18
19
  - Martin Mauch
19
20
  - Renne Nissinen
@@ -21,6 +22,7 @@ authors:
21
22
  - Stanislav Savulchik
22
23
  - Steve Agalloco
23
24
  - TOBY
25
+ - Thais Camilo and Konstantin Haase
24
26
  - Vipul A M
25
27
  - Akzhan Abdulin
26
28
  - brookemckim
@@ -29,64 +31,66 @@ authors:
29
31
  - Chris Mytton
30
32
  - Corey Ward
31
33
  - Dario Cravero
34
+ - David Kellum
32
35
  autorequire:
33
36
  bindir: bin
34
37
  cert_chain: []
35
- date: 2014-01-15 00:00:00.000000000 Z
38
+ date: 2014-04-08 00:00:00.000000000 Z
36
39
  dependencies:
37
40
  - !ruby/object:Gem::Dependency
38
41
  name: rack
39
42
  requirement: !ruby/object:Gem::Requirement
40
43
  requirements:
41
- - - '>='
44
+ - - ">="
42
45
  - !ruby/object:Gem::Version
43
46
  version: '0'
44
47
  type: :runtime
45
48
  prerelease: false
46
49
  version_requirements: !ruby/object:Gem::Requirement
47
50
  requirements:
48
- - - '>='
51
+ - - ">="
49
52
  - !ruby/object:Gem::Version
50
53
  version: '0'
51
54
  - !ruby/object:Gem::Dependency
52
55
  name: rack-test
53
56
  requirement: !ruby/object:Gem::Requirement
54
57
  requirements:
55
- - - '>='
58
+ - - ">="
56
59
  - !ruby/object:Gem::Version
57
60
  version: '0'
58
61
  type: :development
59
62
  prerelease: false
60
63
  version_requirements: !ruby/object:Gem::Requirement
61
64
  requirements:
62
- - - '>='
65
+ - - ">="
63
66
  - !ruby/object:Gem::Version
64
67
  version: '0'
65
68
  - !ruby/object:Gem::Dependency
66
69
  name: rspec
67
70
  requirement: !ruby/object:Gem::Requirement
68
71
  requirements:
69
- - - ~>
72
+ - - "~>"
70
73
  - !ruby/object:Gem::Version
71
74
  version: '2.0'
72
75
  type: :development
73
76
  prerelease: false
74
77
  version_requirements: !ruby/object:Gem::Requirement
75
78
  requirements:
76
- - - ~>
79
+ - - "~>"
77
80
  - !ruby/object:Gem::Version
78
81
  version: '2.0'
79
82
  description: You should use protection!
80
83
  email:
81
84
  - konstantin.mailinglists@googlemail.com
82
85
  - p0deje@gmail.com
86
+ - jstaten07@gmail.com
83
87
  - patrick@soundcloud.com
84
88
  - jeff.welling@gmail.com
85
- - daydream.trippers@gmail.com
86
89
  - bugant@gmail.com
87
- - homakov@gmail.com
90
+ - daydream.trippers@gmail.com
88
91
  - florian.gilcher@asquera.de
89
92
  - developer@fojasaur.us
93
+ - ujifgc@gmail.com
90
94
  - mael@clerambault.fr
91
95
  - martin.mauch@gmail.com
92
96
  - rennex@iki.fi
@@ -94,6 +98,7 @@ email:
94
98
  - s.savulchik@gmail.com
95
99
  - steve.agalloco@gmail.com
96
100
  - toby.net.info.mail+git@gmail.com
101
+ - dev+narwen+rkh@rkh.im
97
102
  - vipulnsward@gmail.com
98
103
  - akzhan.abdulin@gmail.com
99
104
  - brooke@digitalocean.com
@@ -103,6 +108,7 @@ email:
103
108
  - coreyward@me.com
104
109
  - dario@uxtemple.com
105
110
  - dek-oss@gravitext.com
111
+ - homakov@gmail.com
106
112
  executables: []
107
113
  extensions: []
108
114
  extra_rdoc_files: []
@@ -152,18 +158,19 @@ require_paths:
152
158
  - lib
153
159
  required_ruby_version: !ruby/object:Gem::Requirement
154
160
  requirements:
155
- - - '>='
161
+ - - ">="
156
162
  - !ruby/object:Gem::Version
157
163
  version: '0'
158
164
  required_rubygems_version: !ruby/object:Gem::Requirement
159
165
  requirements:
160
- - - '>='
166
+ - - ">="
161
167
  - !ruby/object:Gem::Version
162
168
  version: '0'
163
169
  requirements: []
164
170
  rubyforge_project:
165
- rubygems_version: 2.2.0
171
+ rubygems_version: 2.0.14
166
172
  signing_key:
167
173
  specification_version: 4
168
174
  summary: You should use protection!
169
175
  test_files: []
176
+ has_rdoc: