rack-utf8_sanitizer 1.5.0 → 1.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/lib/rack/utf8_sanitizer.rb +16 -1
- data/rack-utf8_sanitizer.gemspec +1 -1
- data/test/test_utf8_sanitizer.rb +28 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 53093765db81984315b860f92ab0c1b51cc2e458147bc3cfb3d289424fb9b6d0
|
|
4
|
+
data.tar.gz: 21493f9709c2db974d65612a8f22328824f74118ee500f37eeafe957a3dd1d39
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 621f2ea1b68feaf198d558d22cdc9dbb22a1133cb61f755450c80757bc4e848a80b337657f0356d59ebef869633e348bb3392612ec7fe7954dc1134f03b04e5a
|
|
7
|
+
data.tar.gz: 917f05a6ed39b0656c84f60a076b072ed141418f15aa7b26d43c707be8268a739b1ce698955669bb8620f6e9f0c887e2c24a354f508a7e574af308c513e9da96
|
data/lib/rack/utf8_sanitizer.rb
CHANGED
|
@@ -63,6 +63,7 @@ module Rack
|
|
|
63
63
|
|
|
64
64
|
def sanitize(env)
|
|
65
65
|
sanitize_rack_input(env)
|
|
66
|
+
sanitize_cookies(env)
|
|
66
67
|
env.each do |key, value|
|
|
67
68
|
next if skip?(key)
|
|
68
69
|
|
|
@@ -105,7 +106,7 @@ module Rack
|
|
|
105
106
|
return unless @sanitizable_content_types.any? {|type| content_type == type }
|
|
106
107
|
uri_encoded = URI_ENCODED_CONTENT_TYPES.any? {|type| content_type == type}
|
|
107
108
|
|
|
108
|
-
if env[
|
|
109
|
+
if env['rack.input']
|
|
109
110
|
sanitized_input = sanitize_io(env['rack.input'], uri_encoded)
|
|
110
111
|
|
|
111
112
|
env['rack.input'] = sanitized_input
|
|
@@ -159,6 +160,20 @@ module Rack
|
|
|
159
160
|
SanitizedRackInput.new(io, StringIO.new(sanitized_input))
|
|
160
161
|
end
|
|
161
162
|
|
|
163
|
+
# Cookies need to be split and then sanitized as url encoded strings
|
|
164
|
+
# since the cookie string itself is not url encoded (separated by `;`),
|
|
165
|
+
# and the normal method of `sanitize_uri_encoded_string` would break
|
|
166
|
+
# later cookie parsing in the case that a cookie value contained an
|
|
167
|
+
# encoded `;`.
|
|
168
|
+
def sanitize_cookies(env)
|
|
169
|
+
return unless env['HTTP_COOKIE']
|
|
170
|
+
|
|
171
|
+
env['HTTP_COOKIE'] = env['HTTP_COOKIE']
|
|
172
|
+
.split(/[;,] */n)
|
|
173
|
+
.map { |cookie| sanitize_uri_encoded_string(cookie) }
|
|
174
|
+
.join('; ')
|
|
175
|
+
end
|
|
176
|
+
|
|
162
177
|
# URI.encode/decode expect the input to be in ASCII-8BIT.
|
|
163
178
|
# However, there could be invalid UTF-8 characters both in
|
|
164
179
|
# raw and percent-encoded form.
|
data/rack-utf8_sanitizer.gemspec
CHANGED
data/test/test_utf8_sanitizer.rb
CHANGED
|
@@ -325,6 +325,34 @@ describe Rack::UTF8Sanitizer do
|
|
|
325
325
|
end
|
|
326
326
|
end
|
|
327
327
|
|
|
328
|
+
describe "with custom content-type" do
|
|
329
|
+
def request_env
|
|
330
|
+
{
|
|
331
|
+
"REQUEST_METHOD" => "GET",
|
|
332
|
+
"CONTENT_TYPE" => "application/json",
|
|
333
|
+
"HTTP_COOKIE" => @cookie,
|
|
334
|
+
"rack.input" => StringIO.new,
|
|
335
|
+
}
|
|
336
|
+
end
|
|
337
|
+
|
|
338
|
+
it "sanitizes bad http cookie" do
|
|
339
|
+
@cookie = "foo=bla; quux=bar\xED"
|
|
340
|
+
response_env = @app.(request_env)
|
|
341
|
+
response_env['HTTP_COOKIE'].should != @cookie
|
|
342
|
+
response_env['HTTP_COOKIE'].should == 'foo=bla; quux=bar%EF%BF%BD'
|
|
343
|
+
end
|
|
344
|
+
|
|
345
|
+
it "does not change ok http cookie" do
|
|
346
|
+
@cookie = "foo=bla; quux=bar"
|
|
347
|
+
response_env = @app.(request_env)
|
|
348
|
+
response_env['HTTP_COOKIE'].should == @cookie
|
|
349
|
+
|
|
350
|
+
@cookie = "foo=b%3bla; quux=b%20a%20r"
|
|
351
|
+
response_env = @app.(request_env)
|
|
352
|
+
response_env['HTTP_COOKIE'].should == @cookie
|
|
353
|
+
end
|
|
354
|
+
end
|
|
355
|
+
|
|
328
356
|
describe "with custom content-type" do
|
|
329
357
|
def request_env
|
|
330
358
|
@plain_input = "foo bar лол".force_encoding('UTF-8')
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-utf8_sanitizer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- whitequark
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-06-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -110,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
110
110
|
version: '0'
|
|
111
111
|
requirements: []
|
|
112
112
|
rubyforge_project:
|
|
113
|
-
rubygems_version: 2.
|
|
113
|
+
rubygems_version: 2.7.6
|
|
114
114
|
signing_key:
|
|
115
115
|
specification_version: 4
|
|
116
116
|
summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters
|