ssrf_filter 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/ssrf_filter/ssrf_filter.rb +17 -0
- data/lib/ssrf_filter/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b2fc0cf2f5ff4aabb135f53097a1acde319aea21
|
|
4
|
+
data.tar.gz: e64612c1c5bf85747f5549128e505c7dfdfdf3f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8e9828a7a39e4a354d565ddf7d058d087b4b71841525d0963a3139d92340c4f0422d316f6db9ede9cfa789ad5f8942eeba77e5f627d9c775dcf3d5b2f8f5b649
|
|
7
|
+
data.tar.gz: 7296ca44593dca4f48e8eefd84212c79fbb7a355e2fe270c74527d93aecbc0d98c2ce5f81c7efa0dff14413460a949cab4c968e585e82b17f670627fb0eac1bb
|
|
@@ -93,6 +93,9 @@ class SsrfFilter
|
|
|
93
93
|
class TooManyRedirects < Error
|
|
94
94
|
end
|
|
95
95
|
|
|
96
|
+
class CRLFInjection < Error
|
|
97
|
+
end
|
|
98
|
+
|
|
96
99
|
%i[get put post delete].each do |method|
|
|
97
100
|
define_singleton_method(method) do |url, options = {}, &block|
|
|
98
101
|
original_url = url
|
|
@@ -166,6 +169,7 @@ class SsrfFilter
|
|
|
166
169
|
request.body = options[:body] if options[:body]
|
|
167
170
|
|
|
168
171
|
block.call(request) if block_given?
|
|
172
|
+
validate_request(request)
|
|
169
173
|
|
|
170
174
|
use_ssl = uri.scheme == 'https'
|
|
171
175
|
with_forced_hostname(hostname) do
|
|
@@ -176,6 +180,19 @@ class SsrfFilter
|
|
|
176
180
|
end
|
|
177
181
|
private_class_method :fetch_once
|
|
178
182
|
|
|
183
|
+
def self.validate_request(request)
|
|
184
|
+
# RFC822 allows multiline "folded" headers:
|
|
185
|
+
# https://tools.ietf.org/html/rfc822#section-3.1
|
|
186
|
+
# In practice if any user input is ever supplied as a header key/value, they'll get
|
|
187
|
+
# arbitrary header injection and possibly connect to a different host, so we block it
|
|
188
|
+
request.each do |header, value|
|
|
189
|
+
if header.count("\r\n") != 0 || value.count("\r\n") != 0
|
|
190
|
+
raise CRLFInjection, "CRLF injection in header #{header} with value #{value}"
|
|
191
|
+
end
|
|
192
|
+
end
|
|
193
|
+
end
|
|
194
|
+
private_class_method :validate_request
|
|
195
|
+
|
|
179
196
|
def self.patch_ssl_socket!
|
|
180
197
|
return if instance_variable_defined?(:@patched_ssl_socket)
|
|
181
198
|
|
data/lib/ssrf_filter/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ssrf_filter
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Arkadiy Tetelman
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler-audit
|
|
@@ -124,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
126
|
rubyforge_project:
|
|
127
|
-
rubygems_version: 2.6
|
|
127
|
+
rubygems_version: 2.4.6
|
|
128
128
|
signing_key:
|
|
129
129
|
specification_version: 4
|
|
130
130
|
summary: A gem that makes it easy to prevent server side request forgery (SSRF) attacks
|