ssrf_filter 1.0.5 → 1.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 59270dd5ca4e6fdf5e70fc74e2c1593eea7cd861
-  data.tar.gz: f23dbbcc57ea0114ae1220e22f93b5f1fa7910da
+SHA256:
+  metadata.gz: 3ad08c7683abaf9c1cce31358e91eebd54e2276911da99c3d7bdbc1481ec6a8f
+  data.tar.gz: 4993290726f69399264c18dfe8b4ef1c908b78c726f0cfb5dcbc5b9c09043ead
 SHA512:
-  metadata.gz: c6ed09a682cd405c1cf06429b173f87965ff67231bd748a9520ee4c9fe8ed27d84df373abd917c3c25935dfcee984f5cc5c1b4b327548accd3694b6587ce9249
-  data.tar.gz: 73697be1c1619bda43e8fc7c517380f0f40155de9f20012d79390a58ef9122bec392a443661e0ffae93fb48a04a6aa6bc874b8a7aea9d1a59a1e8c460c317881
+  metadata.gz: 522368253a813feb3ac735f419b8d9fe6ac3b006debf3e3c003f6909d809b5b51af06ccc9c42b7cd8d18e90d54a298d3a39fee0514304a1c3a2a1ffd1d54580d
+  data.tar.gz: 21cd1fe841b77536db7e51e9cddc94b7ed96305bf766bb16df77e5b83029a6b6c44e042d1036ae52a135419e72ae70ec1155c471fdc6596eb9dab07809e54e36

data/lib/ssrf_filter/patch/http_generic_request.rb

@@ -0,0 +1,83 @@
+require 'stringio'
+
+class SsrfFilter
+  module Patch
+    module HTTPGenericRequest
+      # Ruby had a bug in its Http library where if you set a custom `Host` header on a request it would get
+      # overwritten. This was tracked in:
+      # https://bugs.ruby-lang.org/issues/10054
+      # and resolved with the commit:
+      # https://github.com/ruby/ruby/commit/70a2eb63999265ff7e8d46d1f5b410c8ee3d30d7#diff-5c08b4ae27d2294a8294a27ff9af4a85
+      # Versions of Ruby that don't have this fix applied will fail to connect to certain hosts via SsrfFilter. The
+      # patch below backports the fix from the linked commit.
+
+      def self.should_apply?
+        # Check if the patch needs to be applied:
+        # The Ruby bug was that HTTPGenericRequest#exec overwrote the Host header, so this snippet checks
+        # if we can reproduce that behavior. It does not actually open any network connections.
+
+        uri = URI('https://www.example.com')
+        request = ::Net::HTTPGenericRequest.new('HEAD', false, false, uri)
+        request['host'] = '127.0.0.1'
+        request.exec(StringIO.new, '1.1', '/')
+        request['host'] == uri.hostname
+      end
+
+      # Apply the patch from the linked commit onto ::Net::HTTPGenericRequest. Since this is 3rd party code,
+      # disable code coverage and rubocop linting for this section.
+      # :nocov:
+      # rubocop:disable all
+      def self.apply!
+        return if instance_variable_defined?(:@checked_http_generic_request)
+        @checked_http_generic_request = true
+        return unless should_apply?
+
+        ::Net::HTTPGenericRequest.class_eval do
+          def exec(sock, ver, path)
+            if @body
+              send_request_with_body sock, ver, path, @body
+            elsif @body_stream
+              send_request_with_body_stream sock, ver, path, @body_stream
+            elsif @body_data
+              send_request_with_body_data sock, ver, path, @body_data
+            else
+              write_header sock, ver, path
+            end
+          end
+
+          def update_uri(addr, port, ssl)
+            # reflect the connection and @path to @uri
+            return unless @uri
+
+            if ssl
+              scheme = 'https'.freeze
+              klass = URI::HTTPS
+            else
+              scheme = 'http'.freeze
+              klass = URI::HTTP
+            end
+
+            if host = self['host']
+              host.sub!(/:.*/s, ''.freeze)
+            elsif host = @uri.host
+            else
+             host = addr
+            end
+            # convert the class of the URI
+            if @uri.is_a?(klass)
+              @uri.host = host
+              @uri.port = port
+            else
+              @uri = klass.new(
+                scheme, @uri.userinfo,
+                host, port, nil,
+                @uri.path, nil, @uri.query, nil)
+            end
+          end
+        end
+      end
+      # rubocop:enable all
+      # :nocov:
+    end
+  end
+end

data/lib/ssrf_filter/patch/ssl_socket.rb

@@ -0,0 +1,49 @@
+class SsrfFilter
+  module Patch
+    module SSLSocket
+      # When fetching a url we'd like to have the following workflow:
+      # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
+      # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
+      #
+      # Ideally this would happen by the ruby http library giving us control over DNS resolution,
+      # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
+      # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
+      # a 'Host: www.example.com' header.
+      #
+      # This works for the http case, http://www.example.com. For the https case, this causes certificate
+      # validation failures, since the server certificate for https://www.example.com will not have a
+      # Subject Alternate Name for 93.184.216.34.
+      #
+      # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
+      # and `hostname=(hostname)` methods:
+      # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
+      # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
+      # which is used in ssrf_filter.rb.
+      #
+      # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
+      # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
+      # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
+      # that we connected to the desired hostname.
+
+      def self.apply!
+        return if instance_variable_defined?(:@patched_ssl_socket)
+
+        @patched_ssl_socket = true
+
+        ::OpenSSL::SSL::SSLSocket.class_eval do
+          original_post_connection_check = instance_method(:post_connection_check)
+          define_method(:post_connection_check) do |hostname|
+            original_post_connection_check.bind(self).call(::Thread.current[::SsrfFilter::FIBER_LOCAL_KEY] || hostname)
+          end
+
+          if method_defined?(:hostname=)
+            original_hostname = instance_method(:hostname=)
+            define_method(:hostname=) do |hostname|
+              original_hostname.bind(self).call(::Thread.current[::SsrfFilter::FIBER_LOCAL_KEY] || hostname)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ssrf_filter/ssrf_filter.rb

@@ -53,11 +53,12 @@ class SsrfFilter
     ::IPAddr.new('2002::/16'), # 6to4
     ::IPAddr.new('fc00::/7'), # Unique local address
     ::IPAddr.new('fe80::/10'), # Link-local address
-    ::IPAddr.new('ff00::/8'), # Multicast
+    ::IPAddr.new('ff00::/8') # Multicast
   ] + IPV4_BLACKLIST.flat_map do |ipaddr|
     prefixlen = prefixlen_from_ipaddr(ipaddr)
 
-    ipv4_compatible = ipaddr.ipv4_compat.mask(96 + prefixlen)
+    # Don't call ipaddr.ipv4_compat because it prints out a deprecation warning on ruby 2.5+
+    ipv4_compatible = IPAddr.new(ipaddr.to_i, Socket::AF_INET6).mask(96 + prefixlen)
     ipv4_mapped = ipaddr.ipv4_mapped.mask(80 + prefixlen)
 
     [ipv4_compatible, ipv4_mapped]
@@ -75,7 +76,9 @@ class SsrfFilter
     get: ::Net::HTTP::Get,
     put: ::Net::HTTP::Put,
     post: ::Net::HTTP::Post,
-    delete: ::Net::HTTP::Delete
+    delete: ::Net::HTTP::Delete,
+    head: ::Net::HTTP::Head,
+    patch: ::Net::HTTP::Patch
   }.freeze
 
   FIBER_LOCAL_KEY = :__ssrf_filter_hostname
@@ -98,8 +101,11 @@ class SsrfFilter
   class CRLFInjection < Error
   end
 
-  %i[get put post delete].each do |method|
+  %i[get put post delete head patch].each do |method|
     define_singleton_method(method) do |url, options = {}, &block|
+      ::SsrfFilter::Patch::SSLSocket.apply!
+      ::SsrfFilter::Patch::HTTPGenericRequest.apply!
+
       original_url = url
       scheme_whitelist = options[:scheme_whitelist] || DEFAULT_SCHEME_WHITELIST
       resolver = options[:resolver] || DEFAULT_RESOLVER
@@ -185,9 +191,11 @@ class SsrfFilter
     block.call(request) if block_given?
     validate_request(request)
 
-    use_ssl = uri.scheme == 'https'
+    http_options = options[:http_options] || {}
+    http_options[:use_ssl] = (uri.scheme == 'https')
+
     with_forced_hostname(hostname) do
-      ::Net::HTTP.start(uri.hostname, uri.port, use_ssl: use_ssl) do |http|
+      ::Net::HTTP.start(uri.hostname, uri.port, http_options) do |http|
         http.request(request)
       end
     end
@@ -207,52 +215,7 @@ class SsrfFilter
   end
   private_class_method :validate_request
 
-  def self.patch_ssl_socket!
-    return if instance_variable_defined?(:@patched_ssl_socket)
-
-    # What we'd like to do is have the following workflow:
-    # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
-    # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
-    #
-    # Ideally this would happen by the ruby http library giving us control over DNS resolution,
-    # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
-    # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
-    # a 'Host: www.example.com' header.
-    #
-    # This works for the http case, http://www.example.com. For the https case, this causes certificate
-    # validation failures, since the server certificate does not have a Subject Alternate Name for 93.184.216.34.
-    #
-    # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
-    # and `hostname=(hostname)` methods:
-    # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
-    # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
-    # which is used above.
-    #
-    # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
-    # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
-    # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
-    # that we connected to the desired hostname.
-
-    ::OpenSSL::SSL::SSLSocket.class_eval do
-      original_post_connection_check = instance_method(:post_connection_check)
-      define_method(:post_connection_check) do |hostname|
-        original_post_connection_check.bind(self).call(::Thread.current[FIBER_LOCAL_KEY] || hostname)
-      end
-
-      if method_defined?(:hostname=)
-        original_hostname = instance_method(:hostname=)
-        define_method(:hostname=) do |hostname|
-          original_hostname.bind(self).call(::Thread.current[FIBER_LOCAL_KEY] || hostname)
-        end
-      end
-    end
-
-    @patched_ssl_socket = true
-  end
-  private_class_method :patch_ssl_socket!
-
   def self.with_forced_hostname(hostname, &_block)
-    patch_ssl_socket!
     ::Thread.current[FIBER_LOCAL_KEY] = hostname
     yield
   ensure

data/lib/ssrf_filter/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class SsrfFilter
-  VERSION = '1.0.5'.freeze
+  VERSION = '1.0.8'.freeze
 end

data/lib/ssrf_filter.rb

@@ -1,4 +1,6 @@
 # frozen_string_literal: true
 
+require 'ssrf_filter/patch/http_generic_request'
+require 'ssrf_filter/patch/ssl_socket'
 require 'ssrf_filter/ssrf_filter'
 require 'ssrf_filter/version'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssrf_filter
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.8
 platform: ruby
 authors:
 - Arkadiy Tetelman
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-01-18 00:00:00.000000000 Z
+date: 2022-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -16,85 +16,143 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.8.22
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.8.22
+- !ruby/object:Gem::Dependency
+  name: psych
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 3.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.5.1
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.5
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.2.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 3.2.4
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.52.0
+        version: 0.50.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.52.0
+        version: 0.50.0
 description: A gem that makes it easy to prevent server side request forgery (SSRF)
   attacks
-email: 
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - lib/ssrf_filter.rb
+- lib/ssrf_filter/patch/http_generic_request.rb
+- lib/ssrf_filter/patch/ssl_socket.rb
 - lib/ssrf_filter/ssrf_filter.rb
 - lib/ssrf_filter/version.rb
 homepage: https://github.com/arkadiyt/ssrf_filter
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -109,9 +167,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
-signing_key: 
+rubygems_version: 3.2.15
+signing_key:
 specification_version: 4
 summary: A gem that makes it easy to prevent server side request forgery (SSRF) attacks
 test_files: []