rack-utf8_sanitizer 1.6.0 → 1.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +34 -3
- data/lib/rack/utf8_sanitizer.rb +1 -1
- data/rack-utf8_sanitizer.gemspec +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4156ca74bbd8c43750cdb733ca500a1cb974492ceb823ffa50e9adaa5733d7d9
|
|
4
|
+
data.tar.gz: 2acc566fb2020de35fa94822f3fcf018988e9166682ccf2f72f7bb9ca7c209d7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5332f698e7d2a06427fe009a1e2f368ca56c4ab04d5b4551f79689dabbce3351733d657e9df14266c6416f5627305e45e511aee701f5a2d783f1b28d7a7d4435
|
|
7
|
+
data.tar.gz: 7df6257e5945eec1c928ab2ab9e446fe9d853c74b572732b5318e655b1b34d89557d949ee1300004ac67111fd170fddba7ab89b842dbbf65c9ca79717bdf1aa2
|
data/README.md
CHANGED
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
# Rack::UTF8Sanitizer
|
|
2
2
|
|
|
3
|
-
Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers.
|
|
3
|
+
Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers. Additionally,
|
|
4
|
+
it cleans up invalid UTF8 characters in the request body (depending on the configurable content type filters) by reading
|
|
5
|
+
the input into a string, sanitizing the string, then replacing the Rack input stream with a rewindable input stream backed
|
|
6
|
+
by the sanitized string.
|
|
4
7
|
|
|
5
8
|
## Installation
|
|
6
9
|
|
|
@@ -45,7 +48,7 @@ For fields with "percent-encoded data", the algorithm is applied twice to catch
|
|
|
45
48
|
|
|
46
49
|
### Sanitizable content types
|
|
47
50
|
|
|
48
|
-
The default content types to be sanitized are 'text/plain', 'application/x-www-form-urlencoded', 'application/json', 'text/javascript'. You may wish to modify this, for example if your app accepts specific or custom media types in the CONTENT_TYPE header. If you want to change the sanitizable content types, you can pass options when using Rack::UTF8Sanitizer.
|
|
51
|
+
The default content types to be sanitized are 'text/plain', 'application/x-www-form-urlencoded', 'application/json', 'text/javascript'. You may wish to modify this, for example if your app accepts specific or custom media types in the CONTENT_TYPE header. If you want to change the sanitizable content types, you can pass options when using Rack::UTF8Sanitizer.
|
|
49
52
|
|
|
50
53
|
To add sanitizable content types to the list of defaults, pass the `additional_content_types` options when using Rack::UTF8Sanitizer, e.g.
|
|
51
54
|
|
|
@@ -75,7 +78,35 @@ config.middleware.insert 0, Rack::UTF8Sanitizer, except: [/HTTP_.+/]
|
|
|
75
78
|
|
|
76
79
|
There are two built in strategies for handling invalid characters. The default strategy is `:replace`, which will cause any invalid characters to be replaces with the unicode replacement character (�). The second built in strategy is `:exception` which will cause an `EncodingError` exception to be raised if invalid characters are found (the exception can then be handled by another Rack middleware).
|
|
77
80
|
|
|
78
|
-
|
|
81
|
+
This is an example of handling the `:exception` strategy with additional middleware:
|
|
82
|
+
|
|
83
|
+
```ruby
|
|
84
|
+
require "./your/middleware/directory/utf8_sanitizer_exception_handler.rb"
|
|
85
|
+
|
|
86
|
+
config.middleware.insert 0, Rack::UTF8SanitizerExceptionHandler
|
|
87
|
+
config.middleware.insert_after Rack::UTF8SanitizerExceptionHandler, Rack::UTF8Sanitizer, strategy: :exception
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
Note: The exception handling middleware must be inserted before `Rack::UTF8Sanitizer`
|
|
91
|
+
|
|
92
|
+
```ruby
|
|
93
|
+
module Rack
|
|
94
|
+
class UTF8SanitizerExceptionHandler
|
|
95
|
+
def initialize(app)
|
|
96
|
+
@app = app
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def call(env)
|
|
100
|
+
@app.call(env)
|
|
101
|
+
rescue EncodingError => exception
|
|
102
|
+
# OPTIONAL: Add error logging service of your choice here
|
|
103
|
+
return [400, {}, ["Bad Request"]]
|
|
104
|
+
end
|
|
105
|
+
end
|
|
106
|
+
end
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
An object that responds to `#call` and accepts the offending string with invalid characters as an argument can also be passed as a `:strategy`. This is how you can define custom strategies.
|
|
79
110
|
|
|
80
111
|
```ruby
|
|
81
112
|
config.middleware.insert 0, Rack::UTF8Sanitizer, strategy: :exception
|
data/lib/rack/utf8_sanitizer.rb
CHANGED
|
@@ -231,7 +231,7 @@ module Rack
|
|
|
231
231
|
# Performs the reverse function of `unescape_unreserved`. Unlike
|
|
232
232
|
# the previous function, we can reuse the logic in URI#encode
|
|
233
233
|
def escape_unreserved(input)
|
|
234
|
-
URI.
|
|
234
|
+
URI::DEFAULT_PARSER.escape(input, UNSAFE)
|
|
235
235
|
end
|
|
236
236
|
|
|
237
237
|
def sanitize_string(input)
|
data/rack-utf8_sanitizer.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-utf8_sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- whitequark
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-03-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
110
110
|
version: '0'
|
|
111
111
|
requirements: []
|
|
112
112
|
rubyforge_project:
|
|
113
|
-
rubygems_version: 2.7.6
|
|
113
|
+
rubygems_version: 2.7.6.2
|
|
114
114
|
signing_key:
|
|
115
115
|
specification_version: 4
|
|
116
116
|
summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters
|