rack-security-middleware 0.0.1
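--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: 74db62ac80f57ad5d8d5579123623ca30b367f66bd9c411b587b4f833f84183d
+data.tar.gz: 763041d7915a503b45c0de7f1a7c02e7fb8641a53e9a6244a66a0b3770a4e78c
+SHA512:
+metadata.gz: ae576b3b616e23c59494f3476241bfbb5dd6dca20ec5a4f92ac409e7b8609616447d5876a877ec32aeec7f441bcdf2ff59c150add05a2631a30691a3f135e7dc
+data.tar.gz: 1226727bd35eda1eb0ac35f65c0ef685467bc4066eb634569f781b3d8384822d62aa0f4e1d4ec6f9bfb6b19577a04785229a6300161c0e4baabaaef90fb240d2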
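--- /dev/null
+++ b/data/lib/rack-security-middleware/block_path_traversal.rb
@@ -0,0 +1,28 @@
+# Inspired by https://github.com/sinatra/sinatra/blob/master/rack-protection/lib/rack/protection/path_traversal.rb
+# but we want to completely block any abnormal url
+
+module RackSecurityMiddleware
+class BlockPathTraversal
+def initialize(app)
+@app = app
+end
+
+def call(env)
+if has_path_traversal?(env['PATH_INFO'])
+[403, { 'Content-Type' => 'text/html' }, ['Forbidden']]
+else
+@app.call env
+end
+end
+
+private
+
+def has_path_traversal?(path)
+encoding = path.encoding
+dot = '.'.encode(encoding)
+unescaped = path.gsub(/%2e/i, dot)
+
+unescaped.include?("#{dot}#{dot}")
+end
+end
+end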
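Review bot: `has_path_traversal?` (hunk lines 20–26) lets `gsub` raise `ArgumentError` when `PATH_INFO` carries a byte sequence that is invalid for its declared encoding, so such a request would surface as an unhandled exception rather than the 403 the header comment ("completely block any abnormal url") intends; a guard such as `return true unless path.valid_encoding?` before the `gsub` keeps the middleware fail-closed on that input. The class also carries no documentation of its scope: it inspects only `PATH_INFO` (not `SCRIPT_NAME` or the query string), strips a single `%2e` layer, and rejects `..` anywhere in the path rather than only at segment boundaries — a short YARD comment on `BlockPathTraversal` stating these three points, plus that the 403 body is a bare `text/html` `Forbidden`, would spare the next reader a trip to the spec's comments. Style: Ruby predicates take a `?` suffix without a `has_` prefix, so `path_traversal?` would match convention.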
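--- /dev/null
+++ b/data/spec/block_path_traversal_spec.rb
@@ -0,0 +1,42 @@
+require 'spec_helper'
+require 'rack-security-middleware/block_path_traversal'
+
+RSpec.describe RackSecurityMiddleware::BlockPathTraversal do
+let(:app) do
+Class.new do
+attr_reader :request
+
+def call(env)
+@request = ActionDispatch::Request.new(env)
+[200, { 'Content-Type' => 'text/plain' }, ['OK']]
+end
+end
+end
+
+let(:stack) { described_class.new(app.new) }
+let(:request) { Rack::MockRequest.new(stack) }
+
+describe '.call' do
+it 'does not affect normal calls' do
+response = request.get('/')
+
+expect(response.status).to eq(200)
+end
+
+it 'blocks calls trying path traversal' do
+response = request.get('/../root/passwords')
+
+expect(response.status).to eq(403)
+end
+
+# this could catch things that are not path traversals
+# but there are all kinds of variations like %c1%9c.. or %252f.. or x5Cx5Cx5C.. etc
+# and a legit use case for .. in the middle of a section of the path is arguable
+# so we chose to be more aggressive and safer here
+it 'blocks calls with .. but not /' do
+response = request.get('/ohno..root/passwords')
+
+expect(response.status).to eq(403)
+end
+end
+end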
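Review bot: None of the examples exercises the percent-encoded form that the middleware explicitly decodes (the `%2e` gsub in `has_path_traversal?`), so a regression in that one decoding step would pass this suite unnoticed; add `it 'blocks percent-encoded dot segments' do` / `expect(request.get('/%2e%2e/root/passwords').status).to eq(403)` / `end`, and a mixed-case `%2E` variant would pin the `/i` flag too. The fake app's `attr_reader :request` and the `ActionDispatch::Request.new(env)` on line 10 are never read by any assertion, and `stack` wraps a fresh `app.new` the examples hold no reference to, so either drop them or keep the instance and assert the inner app is not reached on a 403. `describe '.call'` uses the class-method prefix for what is an instance method; RSpec convention is `'#call'`.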
data/spec/spec_helper.rb
ADDED
metadata
ADDED
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: rack-security-middleware
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Gusto Open Source
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2021-01-06 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: actionpack
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - "~>"
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '5.2'
|
|
20
|
+
type: :development
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - "~>"
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '5.2'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: activesupport
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - "~>"
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '5.2'
|
|
34
|
+
type: :development
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - "~>"
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '5.2'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: pry-byebug
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ">="
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '0'
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ">="
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: rack-test
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - "~>"
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '1.0'
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - "~>"
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '1.0'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: rake
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - "~>"
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: '12.3'
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - "~>"
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: '12.3'
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: rspec
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - "~>"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: 3.1.0
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - "~>"
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: 3.1.0
|
|
97
|
+
description: Middleware collection to secure a Rack application
|
|
98
|
+
email: open-source@gusto.com
|
|
99
|
+
executables: []
|
|
100
|
+
extensions: []
|
|
101
|
+
extra_rdoc_files: []
|
|
102
|
+
files:
|
|
103
|
+
- lib/rack-security-middleware/block_path_traversal.rb
|
|
104
|
+
- lib/rack-security-middleware/version.rb
|
|
105
|
+
- spec/block_path_traversal_spec.rb
|
|
106
|
+
- spec/spec_helper.rb
|
|
107
|
+
homepage: https://github.com/Gusto/rack-security-middleware
|
|
108
|
+
licenses: []
|
|
109
|
+
metadata: {}
|
|
110
|
+
post_install_message:
|
|
111
|
+
rdoc_options: []
|
|
112
|
+
require_paths:
|
|
113
|
+
- lib
|
|
114
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
115
|
+
requirements:
|
|
116
|
+
- - ">="
|
|
117
|
+
- !ruby/object:Gem::Version
|
|
118
|
+
version: '0'
|
|
119
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
120
|
+
requirements:
|
|
121
|
+
- - ">="
|
|
122
|
+
- !ruby/object:Gem::Version
|
|
123
|
+
version: '0'
|
|
124
|
+
requirements: []
|
|
125
|
+
rubygems_version: 3.1.6
|
|
126
|
+
signing_key:
|
|
127
|
+
specification_version: 4
|
|
128
|
+
summary: Middleware collection to secure a Rack application
|
|
129
|
+
test_files:
|
|
130
|
+
- spec/spec_helper.rb
|
|
131
|
+
- spec/block_path_traversal_spec.rb
|