rack-utf8_sanitizer 1.4.0 → 1.5.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 69f0fb52847e155e4c7afd57565531b8bf506149
4
- data.tar.gz: 0502a652822279ce9fd6b22e2db54126b9247b49
3
+ metadata.gz: 7122c2055da0fbed5a8f18a81078283040d0f614
4
+ data.tar.gz: 45526c40b0c2e96572f9511911c7fdc87d4c0a6a
5
5
  SHA512:
6
- metadata.gz: '01215648794d9d0b47ef805f40116644b0afab096a00d88ebe0d84df4aed839d025641ba1a40c032b62d525ff9467ec89498e396b6c3e69483535cd71b43e997'
7
- data.tar.gz: 95d5d7cfe3a6ec0564a566fe95aaed96f48605265a101483e98dd82a46eaf5a7aa1ff3a29106105fba5aa03f1ef6f108eb29c80ccd11a053ad6b91642e8a3003
6
+ metadata.gz: 766ad027d90baee2a60fdb4a6ac932ca94d42d8a65636ed3e50695e44b843a1512909966283da42484a9b243e8d26dc1836216fdbea42c78e1eec3cbc5be5d46
7
+ data.tar.gz: caade282f19e01c14ecce793b83adcc125a95f0f1d8b6c37f6ce2f0203518d7ec604776015265027a92ef45be1c21cb19680a5297d7995c3f347a994da8fa954
@@ -5,8 +5,10 @@ rvm:
5
5
  - 2.0.0
6
6
  - 2.1
7
7
  - 2.2
8
+ - 2.3
9
+ - 2.4
10
+ - 2.5
8
11
  - jruby
9
- - rbx-2
10
12
 
11
13
  before_install:
12
14
  - gem install bundler
data/README.md CHANGED
@@ -55,6 +55,22 @@ To explicitly set sanitizable content types and override the defaults, use the `
55
55
 
56
56
  config.middleware.insert 0, Rack::UTF8Sanitizer, sanitizable_content_types: ['application/vnd.api+json']
57
57
 
58
+ ### Whitelist/Blacklist Rack Env Keys
59
+
60
+ Using the `:only` and `:except` keys you can skip sanitation of values in the Rack Env. `:only` and `:except` are arrays that can contain strings or regular expressions.
61
+
62
+ Only sanitize the body, query string, and url of a request.
63
+
64
+ ```ruby
65
+ config.middleware.insert 0, Rack::UTF8Sanitizer, only: ['rack.input', 'PATH_INFO', 'QUERY_STRING']
66
+ ```
67
+
68
+ Sanitize everything except HTTP headers.
69
+
70
+ ```ruby
71
+ config.middleware.insert 0, Rack::UTF8Sanitizer, except: [/HTTP_.+/]
72
+ ```
73
+
58
74
  ### Strategies
59
75
 
60
76
  There are two built in strategies for handling invalid characters. The default strategy is `:replace`, which will cause any invalid characters to be replaces with the unicode replacement character (�). The second built in strategy is `:exception` which will cause an `EncodingError` exception to be raised if invalid characters are found (the exception can then be handled by another Rack middleware).
@@ -14,6 +14,8 @@ module Rack
14
14
  @strategy = build_strategy(options)
15
15
  @sanitizable_content_types = options[:sanitizable_content_types]
16
16
  @sanitizable_content_types ||= SANITIZABLE_CONTENT_TYPES + (options[:additional_content_types] || [])
17
+ @only = Array(options[:only]).flatten
18
+ @except = Array(options[:except]).flatten
17
19
  end
18
20
 
19
21
  def call(env)
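Review bot: The matchers stored in `@only` and `@except` on the two added lines are applied later in `skip?` (hunk `@@ -76,6 +80,13 @@`) via `rack_env_key[matcher]`, which for a String matcher is a substring test rather than equality, so `except: ['input']` also excludes `rack.input`, and an empty-string or Integer matcher excludes every key because `"KEY"[""]` and `"KEY"[0]` are both truthy. Since :except widens the set of values that reach the application unsanitized, over-matching there is the risk direction. Writing the two predicates as `@except.any? { |matcher| matcher === rack_env_key }` and `@only.none? { |matcher| matcher === rack_env_key }` gives exact-string or regexp semantics in one expression and is false for any other matcher type; the `!@except.empty?` guard then becomes redundant, while the `!@only.empty?` one is still needed because `[].none?` is true. If substring matching is actually intended, state it in a comment on `skip?` (`# String matchers match as substrings; use a Regexp for anchored patterns.`) and in the README. The `initialize` signature lies outside this hunk.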
@@ -62,6 +64,8 @@ module Rack
62
64
  def sanitize(env)
63
65
  sanitize_rack_input(env)
64
66
  env.each do |key, value|
67
+ next if skip?(key)
68
+
65
69
  if URI_FIELDS.include?(key)
66
70
  env[key] = transfer_frozen(value,
67
71
  sanitize_uri_encoded_string(value))
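Review bot: The new `next if skip?(key)` guards only the `env.each` loop, while `sanitize_rack_input(env)` on the line above it runs before any :only/:except check, so unless that helper consults `@only`/`@except` internally (not visible here) the request body is sanitized regardless of the options — the README's `only: ['rack.input', ...]` example is then redundant for the body and `except: ['rack.input']` cannot exclude it. Either put the body behind the same filter, `sanitize_rack_input(env) unless skip?('rack.input')`, or document that the filters apply to env values but never to the body. The new specs never exercise an excluded body (their `rack.input` is `'{}'` or is listed in :only), so the discrepancy is untested. Whatever is skipped here reaches the application with its invalid bytes intact and the :exception strategy will not fire for it; `sanitize` continues past the end of this hunk.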
@@ -76,6 +80,13 @@ module Rack
76
80
 
77
81
  protected
78
82
 
83
+ def skip?(rack_env_key)
84
+ return true if !@except.empty? && @except.any? { |matcher| rack_env_key[matcher] }
85
+ return true if !@only.empty? && @only.none? { |matcher| rack_env_key[matcher] }
86
+
87
+ false
88
+ end
89
+
79
90
  def build_strategy(options)
80
91
  strategy = options.fetch(:strategy) { :replace }
81
92
 
@@ -157,6 +168,7 @@ module Rack
157
168
  #
158
169
  # The result is guaranteed to be UTF-8-safe.
159
170
  def sanitize_uri_encoded_string(input)
171
+ return input if input.nil?
160
172
  decoded_value = decode_string(input)
161
173
  reencode_string(decoded_value)
162
174
  end
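Review bot: The added `return input if input.nil?` makes the comment two lines above it, `# The result is guaranteed to be UTF-8-safe.`, inaccurate for the nil case, since nil is handed back as-is; add `# A nil input is returned unchanged.` beside it so the stated contract matches the code. The comment block starts before this hunk, so check that no earlier line promises a String result either. The caller in `sanitize`, `transfer_frozen(value, sanitize_uri_encoded_string(value))`, now receives nil for both arguments when a URI field is nil; whether `transfer_frozen` tolerates that is not visible here.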
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |gem|
4
4
  gem.name = "rack-utf8_sanitizer"
5
- gem.version = '1.4.0'
5
+ gem.version = '1.5.0'
6
6
  gem.authors = ["whitequark"]
7
7
  gem.license = "MIT"
8
8
  gem.email = ["whitequark@whitequark.org"]
@@ -409,6 +409,63 @@ describe Rack::UTF8Sanitizer do
409
409
  end
410
410
  end
411
411
 
412
+ describe "with only and/or except options" do
413
+ before do
414
+ @plain_input = "foo\xe0".force_encoding('UTF-8')
415
+ end
416
+
417
+ def request_env
418
+ {
419
+ "REQUEST_METHOD" => "POST",
420
+ "CONTENT_TYPE" => "application/json",
421
+ "HTTP_USER_AGENT" => @plain_input,
422
+ "HTTP_CUSTOM_HEADER" => @plain_input,
423
+ "rack.input" => @rack_input,
424
+ }
425
+ end
426
+
427
+ def sanitize_data(request_env = request_env())
428
+ @response_env = @app.(request_env)
429
+ end
430
+
431
+ it 'skips unless in only' do
432
+ @app = Rack::UTF8Sanitizer.new(
433
+ -> env { env },
434
+ only: ['HTTP_CUSTOM_HEADER']
435
+ )
436
+ @rack_input = StringIO.new('{}')
437
+
438
+ sanitize_data
439
+ @response_env['HTTP_CUSTOM_HEADER'].should != @plain_input
440
+ @response_env['HTTP_USER_AGENT'].should == @plain_input
441
+ end
442
+
443
+ it 'skips if in except' do
444
+ @app = Rack::UTF8Sanitizer.new(
445
+ -> env { env },
446
+ except: ['HTTP_CUSTOM_HEADER']
447
+ )
448
+ @rack_input = StringIO.new('{}')
449
+
450
+ sanitize_data
451
+ @response_env['HTTP_CUSTOM_HEADER'].should == @plain_input
452
+ @response_env['HTTP_USER_AGENT'].should != @plain_input
453
+ end
454
+
455
+ it 'works with regular expressions' do
456
+ @app = Rack::UTF8Sanitizer.new(
457
+ -> env { env },
458
+ only: ['HTTP_CUSTOM_HEADER', /(agent|input)/i]
459
+ )
460
+ @rack_input = StringIO.new(@plain_input.force_encoding(Encoding::ASCII_8BIT))
461
+
462
+ sanitize_data
463
+ @response_env['HTTP_CUSTOM_HEADER'].should != @plain_input
464
+ @response_env['HTTP_USER_AGENT'].should != @plain_input
465
+ @response_env['rack.input'].read.should != @plain_input
466
+ end
467
+ end
468
+
412
469
  describe "with custom strategy" do
413
470
  def request_env
414
471
  @plain_input = "foo bar лол".force_encoding('UTF-8')
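Review bot: In 'works with regular expressions', `@plain_input.force_encoding(Encoding::ASCII_8BIT)` mutates the fixture in place, so the three `!=` assertions that follow compare UTF-8 output against a binary-encoded string and would pass even if the sanitizer had returned the same bytes merely re-tagged, because strings with incompatible encodings and non-ASCII bytes never compare equal; `StringIO.new(@plain_input.b)` (or `.dup.force_encoding(...)`) keeps the fixture intact. None of the three examples asserts the negative case for the body — that `rack.input` is left untouched when it is absent from :only or listed in :except — since the first two feed `'{}'` and the third lists input in :only; one example with invalid bytes in the body and `except: ['rack.input']` would pin that behaviour. The `.should !=` form also reports only that a value changed, not what it became; asserting the replacement-character result the README describes would make a regression in the strategy visible.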
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-utf8_sanitizer
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.4.0
4
+ version: 1.5.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - whitequark
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-12-22 00:00:00.000000000 Z
11
+ date: 2018-02-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
110
110
  version: '0'
111
111
  requirements: []
112
112
  rubyforge_project:
113
- rubygems_version: 2.5.2.1
113
+ rubygems_version: 2.5.2.2
114
114
  signing_key:
115
115
  specification_version: 4
116
116
  summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters