roda 3.42.0 → 3.43.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2bdd27a69c76000c9c1d2d8f37f9919145fdae55224706c78adec42850c5d21
-  data.tar.gz: 8b92e1dbc9ec83ebca5d2d5b068c67fa282dfee25fe241451c93228a406a4749
+  metadata.gz: 6bca86a88a2d0e6fc0952ec2b2a91aa2e4d6dc0374546d5ac9d74d5b39a30abc
+  data.tar.gz: 20044ea95c1b1efabc06d8cda365384193c33ddd8140c7c91f9977483975e004
 SHA512:
-  metadata.gz: 5c9f2d3f0f021b7b0a16628cefe28c4d4001f2a80804f2bde9b48b641a70482a5d13d699252cb9f7c747de50710b91df30f893f83263e3e73c874621948b4cc6
-  data.tar.gz: c060f123bfb7bd0f02a83d864169d7d2a021c14cd152b8f3e7641c4c7e0317affb84fce0812afcb0d382e0828e31e2fd97b46482338ae92574fbad97793c8996
+  metadata.gz: 2281aac1898e6a81c114023fefb15f77c14ad1ebcd37daad10a1f5c51815c0d175c68a052627bb5025e02c92821d6c64cf6eb3757d801b277b771e73daddc20f
+  data.tar.gz: a55217f87afb2989312e62804715b65c8213997699b187f52a78f8a96dfb592a62ee7adeb029a52663631887ef5cdd15c746930cf9dfba437b744df159b7090c

data/CHANGELOG

@@ -1,3 +1,7 @@
+= 3.43.0 (2021-04-12)
+
+* Add host_authorization plugin, for checking that requests are submitted using an approved host (jeremyevans)
+
 = 3.42.0 (2021-03-12)
 
 * Make Roda.plugin support plugins using keyword arguments in Ruby 3 (jeremyevans)

data/doc/release_notes/3.43.0.txt

@@ -0,0 +1,34 @@
+= New Features
+
+* A host_authorization plugin has been added to verify the requested
+  Host header is authorized.  Using it can prevent DNS rebinding
+  attacks in cases where the application can receive requests for
+  arbitrary hosts.
+
+  To check for authorized hosts in your routing tree, you call the
+  check_host_authorization! method.  For example, if you want to
+  check for authorized hosts after serving requests for public
+  files, you could do:
+
+    plugin :public
+    plugin :host_authorization, 'my-domain-name.example.com'
+
+    route do |r|
+      r.public
+      check_host_authorized!
+
+      # ... rest of routing tree
+    end
+
+  In addition to handling single domain names via a string, you can
+  provide an array of domain names, a regexp to match again, or a
+  proc.
+  
+  By default, requests using unauthorized hosts receive an empty 403
+  response.  If you would like to customize the response, you can
+  pass a block when loading the plugin:
+
+    plugin :host_authorization, 'my-domain-name.example.com' do |r|
+      response.status = 403
+      "Response Body Here"
+    end

data/lib/roda/plugins/host_authorization.rb

@@ -0,0 +1,156 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The host_authorization plugin allows configuring an authorized host or
+    # an array of authorized hosts.  Then in the routing tree, you can check
+    # whether the request uses an authorized host via the +check_host_authorized!+
+    # method.
+    # 
+    # If the request doesn't match one of the authorized hosts, the
+    # request processing stops at that point. Using this plugin can prevent
+    # DNS rebinding attacks if the application can receive requests for
+    # arbitrary hosts.
+    #
+    # By default, an empty response using status 403 will be returned for requests
+    # with unauthorized hosts.
+    #
+    # Because +check_host_authorized!+ is an instance method, you can easily choose
+    # to only check for authorization in certain routes, or to check it after
+    # other processing.  For example, you could check for authorized hosts after
+    # serving static files, since the serving of static files should not be
+    # vulnerable to DNS rebinding attacks.
+    #
+    # = Usage
+    #
+    # In your routing tree, call the +check_host_authorized!+ method at the point you
+    # want to check for authorized hosts:
+    #
+    #   plugin :host_authorization, 'www.example.com'
+    #   plugin :public
+    #
+    #   route do |r|
+    #    r.public
+    #    check_host_authorized!
+    #
+    #    # ...
+    #   end
+    #
+    # = Specifying authorized hosts
+    #
+    # For applications hosted on a single domain name, you can use a single string:
+    #
+    #   plugin :host_authorization, 'www.example.com'
+    #
+    # For applications hosted on multiple domain names, you can use an array of strings:
+    #
+    #   plugin :host_authorization, %w'www.example.com www.example2.com'
+    #
+    # For applications supporting arbitrary subdomains, you can use a regexp. If using
+    # a regexp, make sure you use <tt>\A<tt> and <tt>\z</tt> in your regexp, and restrict
+    # the allowed characters to the minimum required, otherwise you can potentionally
+    # introduce a security issue:
+    #
+    #   plugin :host_authorization, /\A[-0-9a-f]+\.example\.com\z/
+    #
+    # For applications with more complex requirements, you can use a proc.  Similarly
+    # to the regexp case, the proc should be aware the host contains user-submitted
+    # values, and not assume it is in any particular format:
+    #
+    #   plugin :host_authorization, proc{|host| ExternalService.allowed_host?(host)}
+    #
+    # If an array of values is passed as the host argument, the host is authorized if
+    # it matches any value in the array.  All host authorization checks use the
+    # <tt>===</tt> method, which is why it works for strings, regexps, and procs.
+    # It can also work with arbitrary objects that support <tt>===</tt>.
+    #
+    # For security reasons, only the +Host+ header is checked by default.  If you are
+    # sure that your application is being run behind a forwarding proxy that sets the
+    # <tt>X-Forwarded-Host</tt> header, you should enable support for checking that
+    # header using the +:check_forwarded+ option:
+    # 
+    #   plugin :host_authorization, 'www.example.com', check_forwarded: true
+    #
+    # In this case, the trailing host in the <tt>X-Forwarded-Host</tt> header is checked,
+    # which should be the host set by the forwarding proxy closest to the application.
+    # In cases where multiple forwarding proxies are used that append to the
+    # <tt>X-Forwarded-Host</tt> header, you should not use this plugin.
+    #
+    # = Customizing behavior
+    #
+    # By default, an unauthorized host will receive an empty 403 response.  You can
+    # customize this by passing a block when loading the plugin. For example, for
+    # sites using the render plugin, you could return a page that uses your default
+    # layout:
+    #
+    #   plugin :render
+    #   plugin :host_authorization, 'www.example.com' do |r|
+    #     response.status = 403
+    #     view(:content=>"<h1>Forbidden</h1>")
+    #   end
+    #
+    # The block passed to this plugin is treated as a match block.
+    module HostAuthorization
+      def self.configure(app, host, opts=OPTS, &block)
+        app.opts[:host_authorization_host] = host
+        app.opts[:host_authorization_check_forwarded] = opts[:check_forwarded] if opts.key?(:check_forwarded)
+
+        if block
+          app.define_roda_method(:host_authorization_unauthorized, 1, &block)
+        end
+      end
+
+      module InstanceMethods
+        # Check whether the host is authorized.  If not authorized, return a response
+        # immediately based on the plugin block.
+        def check_host_authorization!
+          r = @_request
+          return if host_authorized?(_convert_host_for_authorization(r.env["HTTP_HOST"].to_s.dup))
+
+          if opts[:host_authorization_check_forwarded] && (host = r.env["HTTP_X_FORWARDED_HOST"])
+            if i = host.rindex(',')
+              host = host[i+1, 10000000].to_s
+            end
+            host = _convert_host_for_authorization(host.strip)
+
+            if !host.empty? && host_authorized?(host)
+              return
+            end
+          end
+
+          r.on do
+            host_authorization_unauthorized(r)
+          end
+        end
+
+        private
+
+        # Remove the port information from the passed string (mutates the passed argument).
+        def _convert_host_for_authorization(host)
+          host.sub!(/:\d+\z/, "")
+          host
+        end
+
+        # Whether the host given is one of the authorized hosts for this application.
+        def host_authorized?(host, authorized_host = opts[:host_authorization_host])
+          case authorized_host
+          when Array
+            authorized_host.any?{|auth_host| host_authorized?(host, auth_host)}
+          else
+            authorized_host === host
+          end
+        end
+
+        # Action to take for unauthorized hosts. Sets a 403 status by default.
+        def host_authorization_unauthorized(_)
+          @_response.status = 403
+          nil
+        end
+      end
+    end
+
+    register_plugin(:host_authorization, HostAuthorization)
+  end
+end
+

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 42
+  RodaMinorVersion = 43
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.42.0
+  version: 3.43.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-12 00:00:00.000000000 Z
+date: 2021-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -213,6 +213,7 @@ extra_rdoc_files:
 - doc/release_notes/3.40.0.txt
 - doc/release_notes/3.41.0.txt
 - doc/release_notes/3.42.0.txt
+- doc/release_notes/3.43.0.txt
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.7.0.txt
@@ -262,6 +263,7 @@ files:
 - doc/release_notes/3.40.0.txt
 - doc/release_notes/3.41.0.txt
 - doc/release_notes/3.42.0.txt
+- doc/release_notes/3.43.0.txt
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.7.0.txt
@@ -312,6 +314,7 @@ files:
 - lib/roda/plugins/header_matchers.rb
 - lib/roda/plugins/heartbeat.rb
 - lib/roda/plugins/hooks.rb
+- lib/roda/plugins/host_authorization.rb
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/json.rb
 - lib/roda/plugins/json_parser.rb
@@ -401,7 +404,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: Routing tree web toolkit