rack-utf8_sanitizer 1.4.0 → 1.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +3 -1
- data/README.md +16 -0
- data/lib/rack/utf8_sanitizer.rb +12 -0
- data/rack-utf8_sanitizer.gemspec +1 -1
- data/test/test_utf8_sanitizer.rb +57 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7122c2055da0fbed5a8f18a81078283040d0f614
|
|
4
|
+
data.tar.gz: 45526c40b0c2e96572f9511911c7fdc87d4c0a6a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 766ad027d90baee2a60fdb4a6ac932ca94d42d8a65636ed3e50695e44b843a1512909966283da42484a9b243e8d26dc1836216fdbea42c78e1eec3cbc5be5d46
|
|
7
|
+
data.tar.gz: caade282f19e01c14ecce793b83adcc125a95f0f1d8b6c37f6ce2f0203518d7ec604776015265027a92ef45be1c21cb19680a5297d7995c3f347a994da8fa954
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -55,6 +55,22 @@ To explicitly set sanitizable content types and override the defaults, use the `
|
|
|
55
55
|
|
|
56
56
|
config.middleware.insert 0, Rack::UTF8Sanitizer, sanitizable_content_types: ['application/vnd.api+json']
|
|
57
57
|
|
|
58
|
+
### Whitelist/Blacklist Rack Env Keys
|
|
59
|
+
|
|
60
|
+
Using the `:only` and `:except` keys you can skip sanitation of values in the Rack Env. `:only` and `:except` are arrays that can contain strings or regular expressions.
|
|
61
|
+
|
|
62
|
+
Only sanitize the body, query string, and url of a request.
|
|
63
|
+
|
|
64
|
+
```ruby
|
|
65
|
+
config.middleware.insert 0, Rack::UTF8Sanitizer, only: ['rack.input', 'PATH_INFO', 'QUERY_STRING']
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
Sanitize everything except HTTP headers.
|
|
69
|
+
|
|
70
|
+
```ruby
|
|
71
|
+
config.middleware.insert 0, Rack::UTF8Sanitizer, except: [/HTTP_.+/]
|
|
72
|
+
```
|
|
73
|
+
|
|
58
74
|
### Strategies
|
|
59
75
|
|
|
60
76
|
There are two built in strategies for handling invalid characters. The default strategy is `:replace`, which will cause any invalid characters to be replaces with the unicode replacement character (�). The second built in strategy is `:exception` which will cause an `EncodingError` exception to be raised if invalid characters are found (the exception can then be handled by another Rack middleware).
|
data/lib/rack/utf8_sanitizer.rb
CHANGED
|
@@ -14,6 +14,8 @@ module Rack
|
|
|
14
14
|
@strategy = build_strategy(options)
|
|
15
15
|
@sanitizable_content_types = options[:sanitizable_content_types]
|
|
16
16
|
@sanitizable_content_types ||= SANITIZABLE_CONTENT_TYPES + (options[:additional_content_types] || [])
|
|
17
|
+
@only = Array(options[:only]).flatten
|
|
18
|
+
@except = Array(options[:except]).flatten
|
|
17
19
|
end
|
|
18
20
|
|
|
19
21
|
def call(env)
|
|
@@ -62,6 +64,8 @@ module Rack
|
|
|
62
64
|
def sanitize(env)
|
|
63
65
|
sanitize_rack_input(env)
|
|
64
66
|
env.each do |key, value|
|
|
67
|
+
next if skip?(key)
|
|
68
|
+
|
|
65
69
|
if URI_FIELDS.include?(key)
|
|
66
70
|
env[key] = transfer_frozen(value,
|
|
67
71
|
sanitize_uri_encoded_string(value))
|
|
@@ -76,6 +80,13 @@ module Rack
|
|
|
76
80
|
|
|
77
81
|
protected
|
|
78
82
|
|
|
83
|
+
def skip?(rack_env_key)
|
|
84
|
+
return true if !@except.empty? && @except.any? { |matcher| rack_env_key[matcher] }
|
|
85
|
+
return true if !@only.empty? && @only.none? { |matcher| rack_env_key[matcher] }
|
|
86
|
+
|
|
87
|
+
false
|
|
88
|
+
end
|
|
89
|
+
|
|
79
90
|
def build_strategy(options)
|
|
80
91
|
strategy = options.fetch(:strategy) { :replace }
|
|
81
92
|
|
|
@@ -157,6 +168,7 @@ module Rack
|
|
|
157
168
|
#
|
|
158
169
|
# The result is guaranteed to be UTF-8-safe.
|
|
159
170
|
def sanitize_uri_encoded_string(input)
|
|
171
|
+
return input if input.nil?
|
|
160
172
|
decoded_value = decode_string(input)
|
|
161
173
|
reencode_string(decoded_value)
|
|
162
174
|
end
|
data/rack-utf8_sanitizer.gemspec
CHANGED
data/test/test_utf8_sanitizer.rb
CHANGED
|
@@ -409,6 +409,63 @@ describe Rack::UTF8Sanitizer do
|
|
|
409
409
|
end
|
|
410
410
|
end
|
|
411
411
|
|
|
412
|
+
describe "with only and/or except options" do
|
|
413
|
+
before do
|
|
414
|
+
@plain_input = "foo\xe0".force_encoding('UTF-8')
|
|
415
|
+
end
|
|
416
|
+
|
|
417
|
+
def request_env
|
|
418
|
+
{
|
|
419
|
+
"REQUEST_METHOD" => "POST",
|
|
420
|
+
"CONTENT_TYPE" => "application/json",
|
|
421
|
+
"HTTP_USER_AGENT" => @plain_input,
|
|
422
|
+
"HTTP_CUSTOM_HEADER" => @plain_input,
|
|
423
|
+
"rack.input" => @rack_input,
|
|
424
|
+
}
|
|
425
|
+
end
|
|
426
|
+
|
|
427
|
+
def sanitize_data(request_env = request_env())
|
|
428
|
+
@response_env = @app.(request_env)
|
|
429
|
+
end
|
|
430
|
+
|
|
431
|
+
it 'skips unless in only' do
|
|
432
|
+
@app = Rack::UTF8Sanitizer.new(
|
|
433
|
+
-> env { env },
|
|
434
|
+
only: ['HTTP_CUSTOM_HEADER']
|
|
435
|
+
)
|
|
436
|
+
@rack_input = StringIO.new('{}')
|
|
437
|
+
|
|
438
|
+
sanitize_data
|
|
439
|
+
@response_env['HTTP_CUSTOM_HEADER'].should != @plain_input
|
|
440
|
+
@response_env['HTTP_USER_AGENT'].should == @plain_input
|
|
441
|
+
end
|
|
442
|
+
|
|
443
|
+
it 'skips if in except' do
|
|
444
|
+
@app = Rack::UTF8Sanitizer.new(
|
|
445
|
+
-> env { env },
|
|
446
|
+
except: ['HTTP_CUSTOM_HEADER']
|
|
447
|
+
)
|
|
448
|
+
@rack_input = StringIO.new('{}')
|
|
449
|
+
|
|
450
|
+
sanitize_data
|
|
451
|
+
@response_env['HTTP_CUSTOM_HEADER'].should == @plain_input
|
|
452
|
+
@response_env['HTTP_USER_AGENT'].should != @plain_input
|
|
453
|
+
end
|
|
454
|
+
|
|
455
|
+
it 'works with regular expressions' do
|
|
456
|
+
@app = Rack::UTF8Sanitizer.new(
|
|
457
|
+
-> env { env },
|
|
458
|
+
only: ['HTTP_CUSTOM_HEADER', /(agent|input)/i]
|
|
459
|
+
)
|
|
460
|
+
@rack_input = StringIO.new(@plain_input.force_encoding(Encoding::ASCII_8BIT))
|
|
461
|
+
|
|
462
|
+
sanitize_data
|
|
463
|
+
@response_env['HTTP_CUSTOM_HEADER'].should != @plain_input
|
|
464
|
+
@response_env['HTTP_USER_AGENT'].should != @plain_input
|
|
465
|
+
@response_env['rack.input'].read.should != @plain_input
|
|
466
|
+
end
|
|
467
|
+
end
|
|
468
|
+
|
|
412
469
|
describe "with custom strategy" do
|
|
413
470
|
def request_env
|
|
414
471
|
@plain_input = "foo bar лол".force_encoding('UTF-8')
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-utf8_sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- whitequark
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-02-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
110
110
|
version: '0'
|
|
111
111
|
requirements: []
|
|
112
112
|
rubyforge_project:
|
|
113
|
-
rubygems_version: 2.5.2.
|
|
113
|
+
rubygems_version: 2.5.2.2
|
|
114
114
|
signing_key:
|
|
115
115
|
specification_version: 4
|
|
116
116
|
summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters
|