rack-shield 1.1.2 → 1.2.1
- checksums.yaml +4 -4
- data/README.md +4 -2
- data/lib/rack/shield/version.rb +1 -1
- data/lib/rack/shield.rb +38 -9
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a08b10397030d6fb099720d6d2012adee70498c920e3cd058390dfab5ddfa4b0
|
4
|
+
data.tar.gz: 3270af671fe6fc922884ac0b54fe13432e25db90d1dfee511b48add36cef4e5e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bf63b373e4028d497234fd10a78b57084225ac43893794a92ee9e7f81e0ae224afda214ec39b13ac723c9cad82bd092ba8081430c070d6eef6565e552d70309f
|
7
|
+
data.tar.gz: 35593332faa7b985a5f227d014ae280344041eb0d69f783ce4e4ca7b855da6888dc464031bd2ae8f796e203e0d8546ddbdb5f8ac04e95176fab59f0ba992d7ec
|
data/README.md
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
[![Gem Version](https://badge.fury.io/rb/rack-shield.svg)](http://badge.fury.io/rb/rack-shield) [![build](https://github.com/mtgrosser/rack-shield/actions/workflows/build.yml/badge.svg)](https://github.com/mtgrosser/rack-shield/actions/workflows/build.yml)
|
2
|
+
|
1
3
|
![Shield](https://raw.githubusercontent.com/mtgrosser/rack-shield/master/doc/shield.svg)
|
2
4
|
|
3
5
|
# Rack::Shield
|
@@ -37,10 +39,10 @@ Adding to path matchers:
|
|
37
39
|
|
38
40
|
```ruby
|
39
41
|
# Regexp will be matched
|
40
|
-
Rack::Shield.
|
42
|
+
Rack::Shield.paths << /\.sql\z/
|
41
43
|
|
42
44
|
# String will be checked for inclusion
|
43
|
-
Rack::Shield.
|
45
|
+
Rack::Shield.paths << '/wp-admin'
|
44
46
|
```
|
45
47
|
Defaults are defined in `Rack::Shield::DEFAULT_EVIL_PATHS`.
|
46
48
|
|
data/lib/rack/shield/version.rb
CHANGED
data/lib/rack/shield.rb
CHANGED
@@ -8,7 +8,7 @@ require_relative 'shield/request_ext'
|
|
8
8
|
module Rack
|
9
9
|
module Shield
|
10
10
|
DEFAULT_PATHS = [/\/wp-(includes|content|admin|json|config)/,
|
11
|
-
/\.(php
|
11
|
+
/\.(php\d?|cgi|asp|aspx|shtml|log|(my)?sql(\.tar)?(\.t?(gz|zip))?|cfm|cmd|py|lasso|e?rb|pl|jsp|do|action|sh|dll|lsp)\z/i,
|
12
12
|
'cgi-bin',
|
13
13
|
'phpmyadmin',
|
14
14
|
'/pma/',
|
@@ -54,12 +54,22 @@ module Rack
|
|
54
54
|
'/aspnet-ajax/',
|
55
55
|
'/Portal.mwsl',
|
56
56
|
'/adminer',
|
57
|
+
'/appsuite/signin',
|
58
|
+
'/io.ox/',
|
59
|
+
'/tkset/',
|
60
|
+
'/bakula-web',
|
61
|
+
'/snort/',
|
62
|
+
'/officescan/',
|
63
|
+
'/servlet/',
|
64
|
+
'/ox6/',
|
65
|
+
'/ws_utc/',
|
57
66
|
/\A\/"/,
|
58
67
|
/\/\.(hg|git|svn|bzr|htaccess|ftpconfig|vscode|remote-sync|aws|env|DS_Store)/,
|
59
68
|
/\/old\/?\z/,
|
60
69
|
/\/\.env\z/,
|
61
70
|
/\A\/old-wp/,
|
62
|
-
/\A\/(wordpress|wp)(\/|\z)
|
71
|
+
/\A\/(wordpress|wp)(\/|\z)/,
|
72
|
+
/Open-Xchange/i]
|
63
73
|
|
64
74
|
DEFAULT_QUERIES = [/SELECT.+FROM.+/i,
|
65
75
|
/SELECT.+COUNT/i,
|
@@ -76,17 +86,16 @@ module Rack
|
|
76
86
|
'<php>',
|
77
87
|
'onload=confirm',
|
78
88
|
'HelloThinkCMF',
|
79
|
-
'XDEBUG_SESSION_START'
|
80
|
-
|
81
|
-
|
89
|
+
'XDEBUG_SESSION_START']
|
90
|
+
|
91
|
+
DEFAULT_BODIES = []
|
92
|
+
|
82
93
|
class << self
|
83
94
|
|
84
|
-
attr_accessor :paths, :queries, :checks, :responder
|
95
|
+
attr_accessor :paths, :queries, :bodies, :checks, :responder
|
85
96
|
|
86
97
|
def evil?(req)
|
87
|
-
(req
|
88
|
-
(req.query_string && queries.any? { |matcher| match?(req.query_string, matcher) }) ||
|
89
|
-
(checks.any? { |matcher| match?(req, matcher) })
|
98
|
+
evil_paths?(req) || evil_queries?(req) || evil_checks?(req) || evil_bodies?(req)
|
90
99
|
end
|
91
100
|
|
92
101
|
def template
|
@@ -102,10 +111,30 @@ module Rack
|
|
102
111
|
when Proc then matcher.call(obj)
|
103
112
|
end
|
104
113
|
end
|
114
|
+
|
115
|
+
def evil_paths?(req)
|
116
|
+
req.path && paths.any? { |matcher| match?(req.path, matcher) }
|
117
|
+
end
|
118
|
+
|
119
|
+
def evil_queries?(req)
|
120
|
+
req.query_string && queries.any? { |matcher| match?(req.query_string, matcher) }
|
121
|
+
end
|
122
|
+
|
123
|
+
def evil_checks?(req)
|
124
|
+
checks.any? { |matcher| match?(req, matcher) }
|
125
|
+
end
|
126
|
+
|
127
|
+
def evil_bodies?(req)
|
128
|
+
return false unless req.post? || req.put? || req.patch?
|
129
|
+
return false unless body = req.raw_post_data
|
130
|
+
return false if body.empty?
|
131
|
+
bodies.any? { |matcher| match?(body, matcher) }
|
132
|
+
end
|
105
133
|
end
|
106
134
|
|
107
135
|
self.paths = DEFAULT_PATHS.dup
|
108
136
|
self.queries = DEFAULT_QUERIES.dup
|
137
|
+
self.bodies = DEFAULT_BODIES.dup
|
109
138
|
self.checks = []
|
110
139
|
self.responder = Responder
|
111
140
|
|
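Review bot: In the new `evil_bodies?` (hunk `@@ -102,10 +111,30 @@`) the request body is read via `req.raw_post_data` before `bodies` is consulted, so with the shipped default `DEFAULT_BODIES = []` every POST/PUT/PATCH pays for buffering the body only to return false; put `return false if bodies.empty?` first, ahead of the method check. The body is then handed to `match?` as an opaque string, and if a Regexp matcher is applied to a binary or invalid-UTF-8 upload (multipart, compressed) the match can raise an `ArgumentError` instead of returning false, which would turn a malformed body into a 500 from the middleware rather than a block decision. `raw_post_data` comes from `shield/request_ext`, which is outside this diff, so I cannot confirm what encoding it returns or whether it rewinds `rack.input` for the downstream app; consider `body = body.scrub` (or rescuing the encoding error as a non-match) before matching. The enclosing `class << self` block and the `match?` method begin outside this hunk.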
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-shield
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.1
|
4
|
+
version: 1.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Matthias Grosser
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-05-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack-attack
|
@@ -44,7 +44,7 @@ homepage: https://github.com/mtgrosser/rack-shield
|
|
44
44
|
licenses:
|
45
45
|
- MIT
|
46
46
|
metadata: {}
|
47
|
-
post_install_message:
|
47
|
+
post_install_message:
|
48
48
|
rdoc_options: []
|
49
49
|
require_paths:
|
50
50
|
- lib
|
@@ -60,7 +60,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
60
60
|
version: '0'
|
61
61
|
requirements: []
|
62
62
|
rubygems_version: 3.1.4
|
63
|
-
signing_key:
|
63
|
+
signing_key:
|
64
64
|
specification_version: 4
|
65
65
|
summary: Block and unblock evil requests
|
66
66
|
test_files: []
|