rack-utf8_sanitizer 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +3 -1
- data/README.md +16 -0
- data/lib/rack/utf8_sanitizer.rb +12 -0
- data/rack-utf8_sanitizer.gemspec +1 -1
- data/test/test_utf8_sanitizer.rb +57 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7122c2055da0fbed5a8f18a81078283040d0f614
|
|
4
|
+
data.tar.gz: 45526c40b0c2e96572f9511911c7fdc87d4c0a6a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 766ad027d90baee2a60fdb4a6ac932ca94d42d8a65636ed3e50695e44b843a1512909966283da42484a9b243e8d26dc1836216fdbea42c78e1eec3cbc5be5d46
|
|
7
|
+
data.tar.gz: caade282f19e01c14ecce793b83adcc125a95f0f1d8b6c37f6ce2f0203518d7ec604776015265027a92ef45be1c21cb19680a5297d7995c3f347a994da8fa954
|
data/.travis.yml
CHANGED
data/README.md
CHANGED
|
@@ -55,6 +55,22 @@ To explicitly set sanitizable content types and override the defaults, use the `
|
|
|
55
55
|
|
|
56
56
|
config.middleware.insert 0, Rack::UTF8Sanitizer, sanitizable_content_types: ['application/vnd.api+json']
|
|
57
57
|
|
|
58
|
+
### Whitelist/Blacklist Rack Env Keys
|
|
59
|
+
|
|
60
|
+
Using the `:only` and `:except` keys you can skip sanitation of values in the Rack Env. `:only` and `:except` are arrays that can contain strings or regular expressions.
|
|
61
|
+
|
|
62
|
+
Only sanitize the body, query string, and url of a request.
|
|
63
|
+
|
|
64
|
+
```ruby
|
|
65
|
+
config.middleware.insert 0, Rack::UTF8Sanitizer, only: ['rack.input', 'PATH_INFO', 'QUERY_STRING']
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
Sanitize everything except HTTP headers.
|
|
69
|
+
|
|
70
|
+
```ruby
|
|
71
|
+
config.middleware.insert 0, Rack::UTF8Sanitizer, except: [/HTTP_.+/]
|
|
72
|
+
```
|
|
73
|
+
|
|
58
74
|
### Strategies
|
|
59
75
|
|
|
60
76
|
There are two built in strategies for handling invalid characters. The default strategy is `:replace`, which will cause any invalid characters to be replaces with the unicode replacement character (�). The second built in strategy is `:exception` which will cause an `EncodingError` exception to be raised if invalid characters are found (the exception can then be handled by another Rack middleware).
|
data/lib/rack/utf8_sanitizer.rb
CHANGED
|
@@ -14,6 +14,8 @@ module Rack
|
|
|
14
14
|
@strategy = build_strategy(options)
|
|
15
15
|
@sanitizable_content_types = options[:sanitizable_content_types]
|
|
16
16
|
@sanitizable_content_types ||= SANITIZABLE_CONTENT_TYPES + (options[:additional_content_types] || [])
|
|
17
|
+
@only = Array(options[:only]).flatten
|
|
18
|
+
@except = Array(options[:except]).flatten
|
|
17
19
|
end
|
|
18
20
|
|
|
19
21
|
def call(env)
|
|
@@ -62,6 +64,8 @@ module Rack
|
|
|
62
64
|
def sanitize(env)
|
|
63
65
|
sanitize_rack_input(env)
|
|
64
66
|
env.each do |key, value|
|
|
67
|
+
next if skip?(key)
|
|
68
|
+
|
|
65
69
|
if URI_FIELDS.include?(key)
|
|
66
70
|
env[key] = transfer_frozen(value,
|
|
67
71
|
sanitize_uri_encoded_string(value))
|
|
@@ -76,6 +80,13 @@ module Rack
|
|
|
76
80
|
|
|
77
81
|
protected
|
|
78
82
|
|
|
83
|
+
def skip?(rack_env_key)
|
|
84
|
+
return true if !@except.empty? && @except.any? { |matcher| rack_env_key[matcher] }
|
|
85
|
+
return true if !@only.empty? && @only.none? { |matcher| rack_env_key[matcher] }
|
|
86
|
+
|
|
87
|
+
false
|
|
88
|
+
end
|
|
89
|
+
|
|
79
90
|
def build_strategy(options)
|
|
80
91
|
strategy = options.fetch(:strategy) { :replace }
|
|
81
92
|
|
|
@@ -157,6 +168,7 @@ module Rack
|
|
|
157
168
|
#
|
|
158
169
|
# The result is guaranteed to be UTF-8-safe.
|
|
159
170
|
def sanitize_uri_encoded_string(input)
|
|
171
|
+
return input if input.nil?
|
|
160
172
|
decoded_value = decode_string(input)
|
|
161
173
|
reencode_string(decoded_value)
|
|
162
174
|
end
|
data/rack-utf8_sanitizer.gemspec
CHANGED
data/test/test_utf8_sanitizer.rb
CHANGED
|
@@ -409,6 +409,63 @@ describe Rack::UTF8Sanitizer do
|
|
|
409
409
|
end
|
|
410
410
|
end
|
|
411
411
|
|
|
412
|
+
describe "with only and/or except options" do
|
|
413
|
+
before do
|
|
414
|
+
@plain_input = "foo\xe0".force_encoding('UTF-8')
|
|
415
|
+
end
|
|
416
|
+
|
|
417
|
+
def request_env
|
|
418
|
+
{
|
|
419
|
+
"REQUEST_METHOD" => "POST",
|
|
420
|
+
"CONTENT_TYPE" => "application/json",
|
|
421
|
+
"HTTP_USER_AGENT" => @plain_input,
|
|
422
|
+
"HTTP_CUSTOM_HEADER" => @plain_input,
|
|
423
|
+
"rack.input" => @rack_input,
|
|
424
|
+
}
|
|
425
|
+
end
|
|
426
|
+
|
|
427
|
+
def sanitize_data(request_env = request_env())
|
|
428
|
+
@response_env = @app.(request_env)
|
|
429
|
+
end
|
|
430
|
+
|
|
431
|
+
it 'skips unless in only' do
|
|
432
|
+
@app = Rack::UTF8Sanitizer.new(
|
|
433
|
+
-> env { env },
|
|
434
|
+
only: ['HTTP_CUSTOM_HEADER']
|
|
435
|
+
)
|
|
436
|
+
@rack_input = StringIO.new('{}')
|
|
437
|
+
|
|
438
|
+
sanitize_data
|
|
439
|
+
@response_env['HTTP_CUSTOM_HEADER'].should != @plain_input
|
|
440
|
+
@response_env['HTTP_USER_AGENT'].should == @plain_input
|
|
441
|
+
end
|
|
442
|
+
|
|
443
|
+
it 'skips if in except' do
|
|
444
|
+
@app = Rack::UTF8Sanitizer.new(
|
|
445
|
+
-> env { env },
|
|
446
|
+
except: ['HTTP_CUSTOM_HEADER']
|
|
447
|
+
)
|
|
448
|
+
@rack_input = StringIO.new('{}')
|
|
449
|
+
|
|
450
|
+
sanitize_data
|
|
451
|
+
@response_env['HTTP_CUSTOM_HEADER'].should == @plain_input
|
|
452
|
+
@response_env['HTTP_USER_AGENT'].should != @plain_input
|
|
453
|
+
end
|
|
454
|
+
|
|
455
|
+
it 'works with regular expressions' do
|
|
456
|
+
@app = Rack::UTF8Sanitizer.new(
|
|
457
|
+
-> env { env },
|
|
458
|
+
only: ['HTTP_CUSTOM_HEADER', /(agent|input)/i]
|
|
459
|
+
)
|
|
460
|
+
@rack_input = StringIO.new(@plain_input.force_encoding(Encoding::ASCII_8BIT))
|
|
461
|
+
|
|
462
|
+
sanitize_data
|
|
463
|
+
@response_env['HTTP_CUSTOM_HEADER'].should != @plain_input
|
|
464
|
+
@response_env['HTTP_USER_AGENT'].should != @plain_input
|
|
465
|
+
@response_env['rack.input'].read.should != @plain_input
|
|
466
|
+
end
|
|
467
|
+
end
|
|
468
|
+
|
|
412
469
|
describe "with custom strategy" do
|
|
413
470
|
def request_env
|
|
414
471
|
@plain_input = "foo bar лол".force_encoding('UTF-8')
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-utf8_sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- whitequark
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-02-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
110
110
|
version: '0'
|
|
111
111
|
requirements: []
|
|
112
112
|
rubyforge_project:
|
|
113
|
-
rubygems_version: 2.5.2.
|
|
113
|
+
rubygems_version: 2.5.2.2
|
|
114
114
|
signing_key:
|
|
115
115
|
specification_version: 4
|
|
116
116
|
summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters
|