rack-shield 1.1.1 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/lib/rack/shield/version.rb +1 -1
- data/lib/rack/shield.rb +34 -9
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8853aad4ab5646f5a5477f712fe297f005660958e15358144fc175d4f1497215
|
|
4
|
+
data.tar.gz: 23cf1ec7e0b8d547ccbaf66a63bcb8f8914677a70b1377b8ca4c4ba3894f8d56
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ddcbe97f5e6f3ba3ba3d50be2b60c248ac1c2e5c730744e498e7b7f6093d4f5adbc7b3c87bdae15569184387c6ef6afaf098752482d869b6842aaaf32eba8360
|
|
7
|
+
data.tar.gz: e558e60a3711893170dc994a9ec6d7c31b871f4237ba8ba7779cec44cc65ed8dd198579f2729e8e438948cbe5c953adba3c521adb70ecea999d22a4ec010567f
|
data/README.md
CHANGED
|
@@ -37,10 +37,10 @@ Adding to path matchers:
|
|
|
37
37
|
|
|
38
38
|
```ruby
|
|
39
39
|
# Regexp will be matched
|
|
40
|
-
Rack::Shield.
|
|
40
|
+
Rack::Shield.paths << /\.sql\z/
|
|
41
41
|
|
|
42
42
|
# String will be checked for inclusion
|
|
43
|
-
Rack::Shield.
|
|
43
|
+
Rack::Shield.paths << '/wp-admin'
|
|
44
44
|
```
|
|
45
45
|
Defaults are defined in `Rack::Shield::DEFAULT_EVIL_PATHS`.
|
|
46
46
|
|
data/lib/rack/shield/version.rb
CHANGED
data/lib/rack/shield.rb
CHANGED
|
@@ -8,7 +8,7 @@ require_relative 'shield/request_ext'
|
|
|
8
8
|
module Rack
|
|
9
9
|
module Shield
|
|
10
10
|
DEFAULT_PATHS = [/\/wp-(includes|content|admin|json|config)/,
|
|
11
|
-
/\.(php|cgi|asp|aspx|shtml|log|(my)?sql(\.tar)?(\.t?(gz|zip))?|cfm|py|lasso|e?rb|pl|jsp|do|action|sh)\z/i,
|
|
11
|
+
/\.(php|cgi|asp|aspx|shtml|log|(my)?sql(\.tar)?(\.t?(gz|zip))?|cfm|py|lasso|e?rb|pl|jsp|do|action|sh|dll)\z/i,
|
|
12
12
|
'cgi-bin',
|
|
13
13
|
'phpmyadmin',
|
|
14
14
|
'/pma/',
|
|
@@ -42,12 +42,18 @@ module Rack
|
|
|
42
42
|
'deployment-config.json',
|
|
43
43
|
'ftpsync.settings',
|
|
44
44
|
'/_profiler/latest',
|
|
45
|
-
'/_ignition/
|
|
45
|
+
'/_ignition/',
|
|
46
46
|
'/_wpeprivate/',
|
|
47
47
|
'/Config/SaveUploadedHotspotLogoFile',
|
|
48
48
|
'ALFA_DATA',
|
|
49
49
|
'cgialfa',
|
|
50
50
|
'alfacgiapi',
|
|
51
|
+
'/+CSCOT+/',
|
|
52
|
+
'/api/v2/cmdb/system',
|
|
53
|
+
'com.vmware.vsan.client.services',
|
|
54
|
+
'/aspnet-ajax/',
|
|
55
|
+
'/Portal.mwsl',
|
|
56
|
+
'/adminer',
|
|
51
57
|
/\A\/"/,
|
|
52
58
|
/\/\.(hg|git|svn|bzr|htaccess|ftpconfig|vscode|remote-sync|aws|env|DS_Store)/,
|
|
53
59
|
/\/old\/?\z/,
|
|
@@ -70,17 +76,16 @@ module Rack
|
|
|
70
76
|
'<php>',
|
|
71
77
|
'onload=confirm',
|
|
72
78
|
'HelloThinkCMF',
|
|
73
|
-
'XDEBUG_SESSION_START'
|
|
74
|
-
|
|
75
|
-
|
|
79
|
+
'XDEBUG_SESSION_START']
|
|
80
|
+
|
|
81
|
+
DEFAULT_BODIES = []
|
|
82
|
+
|
|
76
83
|
class << self
|
|
77
84
|
|
|
78
|
-
attr_accessor :paths, :queries, :checks, :responder
|
|
85
|
+
attr_accessor :paths, :queries, :bodies, :checks, :responder
|
|
79
86
|
|
|
80
87
|
def evil?(req)
|
|
81
|
-
(req
|
|
82
|
-
(req.query_string && queries.any? { |matcher| match?(req.query_string, matcher) }) ||
|
|
83
|
-
(checks.any? { |matcher| match?(req, matcher) })
|
|
88
|
+
evil_paths?(req) || evil_queries?(req) || evil_checks?(req) || evil_bodies?(req)
|
|
84
89
|
end
|
|
85
90
|
|
|
86
91
|
def template
|
|
@@ -96,10 +101,30 @@ module Rack
|
|
|
96
101
|
when Proc then matcher.call(obj)
|
|
97
102
|
end
|
|
98
103
|
end
|
|
104
|
+
|
|
105
|
+
def evil_paths?(req)
|
|
106
|
+
req.path && paths.any? { |matcher| match?(req.path, matcher) }
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
def evil_queries?(req)
|
|
110
|
+
req.query_string && queries.any? { |matcher| match?(req.query_string, matcher) }
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
def evil_checks?(req)
|
|
114
|
+
checks.any? { |matcher| match?(req, matcher) }
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
def evil_bodies?(req)
|
|
118
|
+
return false unless req.post? || req.put? || req.patch?
|
|
119
|
+
return false unless body = req.raw_post_data
|
|
120
|
+
return false if body.empty?
|
|
121
|
+
bodies.any? { |matcher| match?(body, matcher) }
|
|
122
|
+
end
|
|
99
123
|
end
|
|
100
124
|
|
|
101
125
|
self.paths = DEFAULT_PATHS.dup
|
|
102
126
|
self.queries = DEFAULT_QUERIES.dup
|
|
127
|
+
self.bodies = DEFAULT_BODIES.dup
|
|
103
128
|
self.checks = []
|
|
104
129
|
self.responder = Responder
|
|
105
130
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-shield
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Matthias Grosser
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-03-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack-attack
|
|
@@ -44,7 +44,7 @@ homepage: https://github.com/mtgrosser/rack-shield
|
|
|
44
44
|
licenses:
|
|
45
45
|
- MIT
|
|
46
46
|
metadata: {}
|
|
47
|
-
post_install_message:
|
|
47
|
+
post_install_message:
|
|
48
48
|
rdoc_options: []
|
|
49
49
|
require_paths:
|
|
50
50
|
- lib
|
|
@@ -60,7 +60,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
60
60
|
version: '0'
|
|
61
61
|
requirements: []
|
|
62
62
|
rubygems_version: 3.1.4
|
|
63
|
-
signing_key:
|
|
63
|
+
signing_key:
|
|
64
64
|
specification_version: 4
|
|
65
65
|
summary: Block and unblock evil requests
|
|
66
66
|
test_files: []
|