rack-protection 4.0.0 → 4.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8762f8b7bc260c94e353c6c9eb9a24d3a0efe695cb5904f526a5a84094f567db
-  data.tar.gz: d3c7e05bf8bfea7c6b077025f330429f386b416bccce5ebfab2d91d0513e437b
+  metadata.gz: 127cb2d5f6bf0c9efee234cdf611e9f8760bd97a7933436f0df194ac6d46773e
+  data.tar.gz: ee71fb517c167af11a5d53ead6acb59a4a488b53baa11178b336ff584c8de65c
 SHA512:
-  metadata.gz: 48b9fffade45349249d1122c3acc8618f2cb8ca05cde4ce1959b063899faad7c5c433bf6481518beedd0a0dd2ff28c878b1f5898fc3f21629ea39233fa747dc6
-  data.tar.gz: ec3176d39b37dfdd97b4d230f98251681a93c6dddcb17db4659c998d8f296dc9fc97808a9b732bbf055d0d2b0504f9696f541b6d6864983b214df94ceff636a5
+  metadata.gz: 689e749c54382ad1b574a1feb6cccb0944e86136869809670a346534088ccfe1d2322ac835cd036d1a0747f4e6bfc8d2b245cb99cc9963971393f9bb0495fde2
+  data.tar.gz: b22f5e1659e9271e0b159a7de8f6dd3744befff2a4a06c1f20567ab63fe5c73e953077de77f86a66ce76ba867d62d629abf3c24d8031405a78215a01676b0c30

data/README.md

@@ -34,6 +34,10 @@ run MyApp
 
 # Prevented Attacks
 
+## DNS rebinding and other Host header attacks
+
+* [`Rack::Protection::HostAuthorization`][host-authorization] (not included by `use Rack::Protection`)
+
 ## Cross Site Request Forgery
 
 Prevented by:
@@ -109,6 +113,7 @@ The instrumenter is passed a namespace (String) and environment (Hash). The name
 [escaped-params]: http://www.sinatrarb.com/protection/escaped_params
 [form-token]: http://www.sinatrarb.com/protection/form_token
 [frame-options]: http://www.sinatrarb.com/protection/frame_options
+[host-authorization]: https://github.com/sinatra/sinatra/blob/main/rack-protection/lib/rack/protection/host_authorization.rb
 [http-origin]: http://www.sinatrarb.com/protection/http_origin
 [ip-spoofing]: http://www.sinatrarb.com/protection/ip_spoofing
 [json-csrf]: http://www.sinatrarb.com/protection/json_csrf

data/lib/rack/protection/authenticity_token.rb

@@ -46,15 +46,15 @@ module Rack
     # Install the gem, then run the program:
     #
     #   gem install 'rack-protection'
-    #   ruby server.rb
+    #   puma server.ru
     #
-    # Here is <tt>server.rb</tt>:
+    # Here is <tt>server.ru</tt>:
     #
     #   require 'rack/protection'
     #   require 'rack/session'
     #
     #   app = Rack::Builder.app do
-    #     use Rack::Session::Cookie, secret: 'secret'
+    #     use Rack::Session::Cookie, secret: 'CHANGEMEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
     #     use Rack::Protection::AuthenticityToken
     #
     #     run -> (env) do
@@ -88,7 +88,7 @@ module Rack
     #     end
     #   end
     #
-    #   Rack::Handler::WEBrick.run app
+    #   run app
     #
     # == Example: Customize which POST parameter holds the token
     #

data/lib/rack/protection/base.rb

@@ -58,6 +58,13 @@ module Rack
         result if (Array === result) && (result.size == 3)
       end
 
+      def debug(env, message)
+        return unless options[:logging]
+
+        l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
+        l.debug(message)
+      end
+
       def warn(env, message)
         return unless options[:logging]
 

data/lib/rack/protection/host_authorization.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'rack/protection'
+require 'ipaddr'
+
+module Rack
+  module Protection
+    ##
+    # Prevented attack::   DNS rebinding and other Host header attacks
+    # Supported browsers:: all
+    # More infos::         https://en.wikipedia.org/wiki/DNS_rebinding
+    #                      https://portswigger.net/web-security/host-header
+    #
+    # Blocks HTTP requests with an unrecognized hostname in any of the following
+    # HTTP headers: Host, X-Forwarded-Host, Forwarded
+    #
+    # If you want to permit a specific hostname, you can pass in as the `:permitted_hosts` option:
+    #
+    #     use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
+    class HostAuthorization < Base
+      DOT = '.'
+      PORT_REGEXP = /:\d+\z/.freeze
+      SUBDOMAINS = /[a-z0-9\-.]+/.freeze
+      private_constant :DOT,
+                       :PORT_REGEXP,
+                       :SUBDOMAINS
+      default_reaction :deny
+      default_options allow_if: nil,
+                      message: 'Host not permitted'
+
+      def initialize(*)
+        super
+        @permitted_hosts = []
+        @domain_hosts = []
+        @ip_hosts = []
+        @all_permitted_hosts = Array(options[:permitted_hosts])
+
+        @all_permitted_hosts.each do |host|
+          case host
+          when String
+            if host.start_with?(DOT)
+              domain = host[1..-1]
+              @permitted_hosts << domain.downcase
+              @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i
+            else
+              @permitted_hosts << host.downcase
+            end
+          when IPAddr then @ip_hosts << host
+          end
+        end
+      end
+
+      def accepts?(env)
+        return true if options[:allow_if]&.call(env)
+        return true if @all_permitted_hosts.empty?
+
+        request = Request.new(env)
+        origin_host = extract_host(request.host_authority)
+        forwarded_host = extract_host(request.forwarded_authority)
+
+        debug env, "#{self.class} " \
+                   "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \
+                   "@permitted_hosts=#{@permitted_hosts.inspect} " \
+                   "@domain_hosts=#{@domain_hosts.inspect} " \
+                   "@ip_hosts=#{@ip_hosts.inspect} " \
+                   "origin_host=#{origin_host.inspect} " \
+                   "forwarded_host=#{forwarded_host.inspect}"
+
+        if host_permitted?(origin_host)
+          if forwarded_host.nil?
+            true
+          else
+            host_permitted?(forwarded_host)
+          end
+        else
+          false
+        end
+      end
+
+      private
+
+      def extract_host(authority)
+        authority.to_s.split(PORT_REGEXP).first&.downcase
+      end
+
+      def host_permitted?(host)
+        exact_match?(host) || domain_match?(host) || ip_match?(host)
+      end
+
+      def exact_match?(host)
+        @permitted_hosts.include?(host)
+      end
+
+      def domain_match?(host)
+        return false if host.nil?
+        return false if host.start_with?(DOT)
+
+        @domain_hosts.any? { |domain_host| host.match?(domain_host) }
+      end
+
+      def ip_match?(host)
+        @ip_hosts.any? { |ip_host| ip_host.include?(host) }
+      rescue IPAddr::InvalidAddressError
+        false
+      end
+    end
+  end
+end

data/lib/rack/protection/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   module Protection
-    VERSION = '4.0.0'
+    VERSION = '4.2.1'
   end
 end

data/lib/rack/protection.rb

@@ -12,6 +12,7 @@ module Rack
     autoload :EscapedParams,         'rack/protection/escaped_params'
     autoload :FormToken,             'rack/protection/form_token'
     autoload :FrameOptions,          'rack/protection/frame_options'
+    autoload :HostAuthorization,     'rack/protection/host_authorization'
     autoload :HttpOrigin,            'rack/protection/http_origin'
     autoload :IPSpoofing,            'rack/protection/ip_spoofing'
     autoload :JsonCsrf,              'rack/protection/json_csrf'

data/rack-protection.gemspec

@@ -40,5 +40,6 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
 
   # dependencies
   s.add_dependency 'base64', '>= 0.1.0'
+  s.add_dependency 'logger', '>= 1.6.0'
   s.add_dependency 'rack', '>= 3.0.0', '< 4'
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack-protection
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.2.1
 platform: ruby
 authors:
 - https://github.com/sinatra/sinatra/graphs/contributors
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-01-19 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -24,6 +23,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -64,6 +77,7 @@ files:
 - lib/rack/protection/escaped_params.rb
 - lib/rack/protection/form_token.rb
 - lib/rack/protection/frame_options.rb
+- lib/rack/protection/host_authorization.rb
 - lib/rack/protection/http_origin.rb
 - lib/rack/protection/ip_spoofing.rb
 - lib/rack/protection/json_csrf.rb
@@ -85,7 +99,6 @@ metadata:
   homepage_uri: http://sinatrarb.com/protection/
   documentation_uri: https://www.rubydoc.info/gems/rack-protection
   rubygems_mfa_required: 'true'
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -100,8 +113,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Protect against typical web attacks, works with all Rack apps, including
   Rails.