ssrf_filter 1.0.1 → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/ssrf_filter/ssrf_filter.rb +17 -0
- data/lib/ssrf_filter/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b2fc0cf2f5ff4aabb135f53097a1acde319aea21
|
|
4
|
+
data.tar.gz: e64612c1c5bf85747f5549128e505c7dfdfdf3f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8e9828a7a39e4a354d565ddf7d058d087b4b71841525d0963a3139d92340c4f0422d316f6db9ede9cfa789ad5f8942eeba77e5f627d9c775dcf3d5b2f8f5b649
|
|
7
|
+
data.tar.gz: 7296ca44593dca4f48e8eefd84212c79fbb7a355e2fe270c74527d93aecbc0d98c2ce5f81c7efa0dff14413460a949cab4c968e585e82b17f670627fb0eac1bb
|
|
@@ -93,6 +93,9 @@ class SsrfFilter
|
|
|
93
93
|
class TooManyRedirects < Error
|
|
94
94
|
end
|
|
95
95
|
|
|
96
|
+
class CRLFInjection < Error
|
|
97
|
+
end
|
|
98
|
+
|
|
96
99
|
%i[get put post delete].each do |method|
|
|
97
100
|
define_singleton_method(method) do |url, options = {}, &block|
|
|
98
101
|
original_url = url
|
|
@@ -166,6 +169,7 @@ class SsrfFilter
|
|
|
166
169
|
request.body = options[:body] if options[:body]
|
|
167
170
|
|
|
168
171
|
block.call(request) if block_given?
|
|
172
|
+
validate_request(request)
|
|
169
173
|
|
|
170
174
|
use_ssl = uri.scheme == 'https'
|
|
171
175
|
with_forced_hostname(hostname) do
|
|
@@ -176,6 +180,19 @@ class SsrfFilter
|
|
|
176
180
|
end
|
|
177
181
|
private_class_method :fetch_once
|
|
178
182
|
|
|
183
|
+
def self.validate_request(request)
|
|
184
|
+
# RFC822 allows multiline "folded" headers:
|
|
185
|
+
# https://tools.ietf.org/html/rfc822#section-3.1
|
|
186
|
+
# In practice if any user input is ever supplied as a header key/value, they'll get
|
|
187
|
+
# arbitrary header injection and possibly connect to a different host, so we block it
|
|
188
|
+
request.each do |header, value|
|
|
189
|
+
if header.count("\r\n") != 0 || value.count("\r\n") != 0
|
|
190
|
+
raise CRLFInjection, "CRLF injection in header #{header} with value #{value}"
|
|
191
|
+
end
|
|
192
|
+
end
|
|
193
|
+
end
|
|
194
|
+
private_class_method :validate_request
|
|
195
|
+
|
|
179
196
|
def self.patch_ssl_socket!
|
|
180
197
|
return if instance_variable_defined?(:@patched_ssl_socket)
|
|
181
198
|
|
data/lib/ssrf_filter/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ssrf_filter
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Arkadiy Tetelman
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler-audit
|
|
@@ -124,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
126
|
rubyforge_project:
|
|
127
|
-
rubygems_version: 2.6
|
|
127
|
+
rubygems_version: 2.4.6
|
|
128
128
|
signing_key:
|
|
129
129
|
specification_version: 4
|
|
130
130
|
summary: A gem that makes it easy to prevent server side request forgery (SSRF) attacks
|