rack-protection 2.1.0 → 4.1.1

data/lib/rack/protection/frame_options.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -17,7 +19,7 @@ module Rack
     #                 frame. Use :deny to forbid any embedding, :sameorigin
     #                 to allow embedding from the same origin (default).
     class FrameOptions < Base
-      default_options :frame_options => :sameorigin
+      default_options frame_options: :sameorigin
 
       def frame_options
         @frame_options ||= begin
@@ -29,7 +31,7 @@ module Rack
 
       def call(env)
         status, headers, body        = @app.call(env)
-        headers['X-Frame-Options'] ||= frame_options if html? headers
+        headers['x-frame-options'] ||= frame_options if html? headers
         [status, headers, body]
       end
     end

data/lib/rack/protection/host_authorization.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+require 'ipaddr'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   DNS rebinding and other Host header attacks
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/DNS_rebinding
+    #                      https://portswigger.net/web-security/host-header
+    #
+    # Blocks HTTP requests with an unrecognized hostname in any of the following
+    # HTTP headers: Host, X-Forwarded-Host, Forwarded
+    #
+    # If you want to permit a specific hostname, you can pass in as the `:permitted_hosts` option:
+    #
+    #     use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
+    class HostAuthorization < Base
+      DOT = '.'
+      PORT_REGEXP = /:\d+\z/.freeze
+      SUBDOMAINS = /[a-z0-9\-.]+/.freeze
+      private_constant :DOT,
+                       :PORT_REGEXP,
+                       :SUBDOMAINS
+      default_reaction :deny
+      default_options allow_if: nil,
+                      message: 'Host not permitted'
+
+      def initialize(*)
+        super
+        @permitted_hosts = []
+        @domain_hosts = []
+        @ip_hosts = []
+        @all_permitted_hosts = Array(options[:permitted_hosts])
+
+        @all_permitted_hosts.each do |host|
+          case host
+          when String
+            if host.start_with?(DOT)
+              domain = host[1..-1]
+              @permitted_hosts << domain.downcase
+              @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i
+            else
+              @permitted_hosts << host.downcase
+            end
+          when IPAddr then @ip_hosts << host
+          end
+        end
+      end
+
+      def accepts?(env)
+        return true if options[:allow_if]&.call(env)
+        return true if @all_permitted_hosts.empty?
+
+        request = Request.new(env)
+        origin_host = extract_host(request.host_authority)
+        forwarded_host = extract_host(request.forwarded_authority)
+
+        debug env, "#{self.class} " \
+                   "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \
+                   "@permitted_hosts=#{@permitted_hosts.inspect} " \
+                   "@domain_hosts=#{@domain_hosts.inspect} " \
+                   "@ip_hosts=#{@ip_hosts.inspect} " \
+                   "origin_host=#{origin_host.inspect} " \
+                   "forwarded_host=#{forwarded_host.inspect}"
+
+        if host_permitted?(origin_host)
+          if forwarded_host.nil?
+            true
+          else
+            host_permitted?(forwarded_host)
+          end
+        else
+          false
+        end
+      end
+
+      private
+
+      def extract_host(authority)
+        authority.to_s.split(PORT_REGEXP).first&.downcase
+      end
+
+      def host_permitted?(host)
+        exact_match?(host) || domain_match?(host) || ip_match?(host)
+      end
+
+      def exact_match?(host)
+        @permitted_hosts.include?(host)
+      end
+
+      def domain_match?(host)
+        return false if host.nil?
+        return false if host.start_with?(DOT)
+
+        @domain_hosts.any? { |domain_host| host.match?(domain_host) }
+      end
+
+      def ip_match?(host)
+        @ip_hosts.any? { |ip_host| ip_host.include?(host) }
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+    end
+  end
+end

data/lib/rack/protection/http_origin.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -19,7 +21,7 @@ module Rack
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny
-      default_options :allow_if => nil
+      default_options allow_if: nil
 
       def base_url(env)
         request = Rack::Request.new(env)
@@ -29,19 +31,13 @@ module Rack
 
       def accepts?(env)
         return true if safe? env
-        return true unless origin = env['HTTP_ORIGIN']
+        return true unless (origin = env['HTTP_ORIGIN'])
         return true if base_url(env) == origin
-        return true if options[:allow_if] && options[:allow_if].call(env)
-
-        if options.key? :origin_whitelist
-          warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
-            "use permitted_origins instead.\n"
-        end
+        return true if options[:allow_if]&.call(env)
 
-        permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
+        permitted_origins = options[:permitted_origins]
         Array(permitted_origins).include? origin
       end
-
     end
   end
 end

data/lib/rack/protection/ip_spoofing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,9 +15,11 @@ module Rack
 
       def accepts?(env)
         return true unless env.include? 'HTTP_X_FORWARDED_FOR'
-        ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
-        return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
-        return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
+
+        ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
+        return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
+        return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
+
         true
       end
     end

data/lib/rack/protection/json_csrf.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -17,7 +19,7 @@ module Rack
     #
     # The `:allow_if` option can be set to a proc to use custom allow/deny logic.
     class JsonCsrf < Base
-      default_options :allow_if => nil
+      default_options allow_if: nil
 
       alias react deny
 
@@ -36,8 +38,9 @@ module Rack
 
       def has_vector?(request, headers)
         return false if request.xhr?
-        return false if options[:allow_if] && options[:allow_if].call(request.env)
-        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        return false if options[:allow_if]&.call(request.env)
+        return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$}
+
         origin(request.env).nil? and referrer(request.env) != request.host
       end
 

data/lib/rack/protection/path_traversal.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -11,11 +13,11 @@ module Rack
     # Thus <tt>GET /foo/%2e%2e%2fbar</tt> becomes <tt>GET /bar</tt>.
     class PathTraversal < Base
       def call(env)
-        path_was         = env["PATH_INFO"]
-        env["PATH_INFO"] = cleanup path_was if path_was && !path_was.empty?
+        path_was         = env['PATH_INFO']
+        env['PATH_INFO'] = cleanup path_was if path_was && !path_was.empty?
         app.call env
       ensure
-        env["PATH_INFO"] = path_was
+        env['PATH_INFO'] = path_was
       end
 
       def cleanup(path)
@@ -29,12 +31,13 @@ module Rack
         unescaped = unescaped.gsub(backslash, slash)
 
         unescaped.split(slash).each do |part|
-          next if part.empty? or part == dot
+          next if part.empty? || (part == dot)
+
           part == '..' ? parts.pop : parts << part
         end
 
         cleaned = slash + parts.join(slash)
-        cleaned << slash if parts.any? and unescaped =~ %r{/\.{0,2}$}
+        cleaned << slash if parts.any? && unescaped =~ (%r{/\.{0,2}$})
         cleaned
       end
     end

data/lib/rack/protection/referrer_policy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,11 +15,11 @@ module Rack
     # Options:
     # referrer_policy:: The policy to use (default: 'strict-origin-when-cross-origin')
     class ReferrerPolicy < Base
-      default_options :referrer_policy => 'strict-origin-when-cross-origin'
+      default_options referrer_policy: 'strict-origin-when-cross-origin'
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Referrer-Policy'] ||= options[:referrer_policy]
+        headers['referrer-policy'] ||= options[:referrer_policy]
         [status, headers, body]
       end
     end

data/lib/rack/protection/remote_referrer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack

data/lib/rack/protection/remote_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack

data/lib/rack/protection/session_hijacking.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -13,23 +15,22 @@ module Rack
     # spoofed, too, this will not prevent determined hijacking attempts.
     class SessionHijacking < Base
       default_reaction :drop_session
-      default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT]
+      default_options tracking_key: :tracking,
+                      track: %w[HTTP_USER_AGENT]
 
       def accepts?(env)
         session = session env
         key     = options[:tracking_key]
         if session.include? key
-          session[key].all? { |k,v| v == encrypt(env[k]) }
+          session[key].all? { |k, v| v == encode(env[k]) }
         else
           session[key] = {}
-          options[:track].each { |k| session[key][k] = encrypt(env[k]) }
+          options[:track].each { |k| session[key][k] = encode(env[k]) }
         end
       end
 
-      def encrypt(value)
-        value = value.to_s.downcase
-        options[:encrypt_tracking] ? super(value) : value
+      def encode(value)
+        value.to_s.downcase
       end
     end
   end

data/lib/rack/protection/strict_transport.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -18,11 +20,11 @@ module Rack
     # preload:: Allow this domain to be included in browsers HSTS preload list. See https://hstspreload.appspot.com/
 
     class StrictTransport < Base
-      default_options :max_age => 31_536_000, :include_subdomains => false, :preload => false
+      default_options max_age: 31_536_000, include_subdomains: false, preload: false
 
       def strict_transport
         @strict_transport ||= begin
-          strict_transport = 'max-age=' + options[:max_age].to_s
+          strict_transport = "max-age=#{options[:max_age]}"
           strict_transport += '; includeSubDomains' if options[:include_subdomains]
           strict_transport += '; preload' if options[:preload]
           strict_transport.to_str
@@ -31,7 +33,7 @@ module Rack
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['Strict-Transport-Security'] ||= strict_transport
+        headers['strict-transport-security'] ||= strict_transport
         [status, headers, body]
       end
     end

data/lib/rack/protection/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Rack
   module Protection
-    VERSION = '2.1.0'
+    VERSION = '4.1.1'
   end
 end

data/lib/rack/protection/xss_header.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection'
 
 module Rack
@@ -12,12 +14,12 @@ module Rack
     # Options:
     # xss_mode:: How the browser should prevent the attack (default: :block)
     class XSSHeader < Base
-      default_options :xss_mode => :block, :nosniff => true
+      default_options xss_mode: :block, nosniff: true
 
       def call(env)
         status, headers, body = @app.call(env)
-        headers['X-XSS-Protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
-        headers['X-Content-Type-Options'] ||= 'nosniff'                       if options[:nosniff]
+        headers['x-xss-protection']       ||= "1; mode=#{options[:xss_mode]}" if html? headers
+        headers['x-content-type-options'] ||= 'nosniff'                       if options[:nosniff]
         [status, headers, body]
       end
     end

data/lib/rack/protection.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack/protection/version'
 require 'rack'
 
@@ -10,6 +12,7 @@ module Rack
     autoload :EscapedParams,         'rack/protection/escaped_params'
     autoload :FormToken,             'rack/protection/form_token'
     autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HostAuthorization,     'rack/protection/host_authorization'
     autoload :HttpOrigin,            'rack/protection/http_origin'
     autoload :IPSpoofing,            'rack/protection/ip_spoofing'
     autoload :JsonCsrf,              'rack/protection/json_csrf'
@@ -22,12 +25,11 @@ module Rack
     autoload :XSSHeader,             'rack/protection/xss_header'
 
     def self.new(app, options = {})
-      # does not include: RemoteReferrer, AuthenticityToken and FormToken
       except = Array options[:except]
       use_these = Array options[:use]
 
       if options.fetch(:without_session, false)
-        except += [:session_hijacking, :remote_token]
+        except += %i[remote_token]
       end
 
       Rack::Builder.new do
@@ -39,6 +41,7 @@ module Rack
         use ::Rack::Protection::FormToken,             options if use_these.include? :form_token
         use ::Rack::Protection::ReferrerPolicy,        options if use_these.include? :referrer_policy
         use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
+        use ::Rack::Protection::SessionHijacking,      options if use_these.include? :session_hijacking
         use ::Rack::Protection::StrictTransport,       options if use_these.include? :strict_transport
 
         # On by default, unless skipped
@@ -48,7 +51,6 @@ module Rack
         use ::Rack::Protection::JsonCsrf,              options unless except.include? :json_csrf
         use ::Rack::Protection::PathTraversal,         options unless except.include? :path_traversal
         use ::Rack::Protection::RemoteToken,           options unless except.include? :remote_token
-        use ::Rack::Protection::SessionHijacking,      options unless except.include? :session_hijacking
         use ::Rack::Protection::XSSHeader,             options unless except.include? :xss_header
         run app
       end.to_app

data/lib/rack-protection.rb

@@ -1 +1 @@
-require "rack/protection"
+require 'rack/protection'

data/lib/rack_protection.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'rack/protection'

data/rack-protection.gemspec

@@ -1,40 +1,45 @@
-version = File.read(File.expand_path("../../VERSION", __FILE__)).strip
+# frozen_string_literal: true
+
+version = File.read(File.expand_path('../VERSION', __dir__)).strip
 
 Gem::Specification.new do |s|
   # general infos
-  s.name        = "rack-protection"
+  s.name        = 'rack-protection'
   s.version     = version
-  s.description = "Protect against typical web attacks, works with all Rack apps, including Rails."
-  s.homepage    = "http://sinatrarb.com/protection/"
-  s.summary     = s.description
+  s.description = 'Protect against typical web attacks, works with all Rack apps, including Rails'
+  s.homepage    = 'https://sinatrarb.com/protection/'
+  s.summary     = "#{s.description}."
   s.license     = 'MIT'
-  s.authors     = ["https://github.com/sinatra/sinatra/graphs/contributors"]
-  s.email       = "sinatrarb@googlegroups.com"
-  s.files       = Dir["lib/**/*.rb"] + [
-    "License",
-    "README.md",
-    "Rakefile",
-    "Gemfile",
-    "rack-protection.gemspec"
+  s.authors     = ['https://github.com/sinatra/sinatra/graphs/contributors']
+  s.email       = 'sinatrarb@googlegroups.com'
+  s.files       = Dir['lib/**/*.rb'] + [
+    'License',
+    'README.md',
+    'Rakefile',
+    'Gemfile',
+    'rack-protection.gemspec'
   ]
 
-  if s.respond_to?(:metadata)
-    s.metadata = {
-      'source_code_uri'   => 'https://github.com/sinatra/sinatra/tree/master/rack-protection',
-      'homepage_uri'      => 'http://sinatrarb.com/protection/',
-      'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection'
-    }
-  else
-    raise <<-EOF
+  unless s.respond_to?(:metadata)
+    raise <<-WARN
 RubyGems 2.0 or newer is required to protect against public gem pushes. You can update your rubygems version by running:
   gem install rubygems-update
   update_rubygems:
   gem update --system
-EOF
+    WARN
   end
 
+  s.metadata = {
+    'source_code_uri' => 'https://github.com/sinatra/sinatra/tree/main/rack-protection',
+    'homepage_uri' => 'http://sinatrarb.com/protection/',
+    'documentation_uri' => 'https://www.rubydoc.info/gems/rack-protection',
+    'rubygems_mfa_required' => 'true'
+  }
+
+  s.required_ruby_version = '>= 2.7.8'
+
   # dependencies
-  s.add_dependency "rack"
-  s.add_development_dependency "rack-test"
-  s.add_development_dependency "rspec", "~> 3.6"
+  s.add_dependency 'base64', '>= 0.1.0'
+  s.add_dependency 'logger', '>= 1.6.0'
+  s.add_dependency 'rack', '>= 3.0.0', '< 4'
 end

metadata

@@ -1,59 +1,65 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 4.1.1
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-04 00:00:00.000000000 Z
+date: 2024-11-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: base64
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
-  name: rack-test
+  name: logger
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: 1.6.0
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '3.6'
-  type: :development
+        version: '4'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '3.6'
+        version: '4'
 description: Protect against typical web attacks, works with all Rack apps, including
-  Rails.
+  Rails
 email: sinatrarb@googlegroups.com
 executables: []
 extensions: []
@@ -72,6 +78,7 @@ files:
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
+- lib/rack/protection/host_authorization.rb
 - lib/rack/protection/http_origin.rb
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
@@ -83,14 +90,16 @@ files:
 - lib/rack/protection/strict_transport.rb
 - lib/rack/protection/version.rb
 - lib/rack/protection/xss_header.rb
+- lib/rack_protection.rb
 - rack-protection.gemspec
-homepage: http://sinatrarb.com/protection/
+homepage: https://sinatrarb.com/protection/
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/sinatra/sinatra/tree/master/rack-protection
+  source_code_uri: https://github.com/sinatra/sinatra/tree/main/rack-protection
   homepage_uri: http://sinatrarb.com/protection/
   documentation_uri: https://www.rubydoc.info/gems/rack-protection
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -99,14 +108,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.7.8
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including