ssrf_filter 1.0.7 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 17984597a9ad2c3dd852793334951478090086e5c6b7f86d67cf827fa98bff4c
-  data.tar.gz: 99c09e926f2b2c3a040dd0deed245ebb005f6cb242a185a7bca15592183f0b82
+  metadata.gz: 315ab29498751c0bb60964f06932464d8663ec66e50ed403b04c2e19c9fce5e6
+  data.tar.gz: 8b3475337b149bf8e04dd11e379e9c0698f74d05528524fea847ed996aff405c
 SHA512:
-  metadata.gz: ad60b8c2efaca1de0b7d89de0102eef87d23c65d1c6b73e674092e7740e8c5fe1a006801c648529bf9150eb590df9b3c160af519b666176f41697ef69218918e
-  data.tar.gz: '062843311bfdb75b9de842fb29e4864da4a4acc4c41d454fec593ee3c0a86f306cddd30d4cc9c46b6d6b169b2e3e3480c2e8499cb637eaf97d96afa534b41569'
+  metadata.gz: 299b91d225b906faa91a1ebd4a8ad32ce46889deaeffa89d5a7488b871310e68ed7f73332c9ee25fd0ff3d01a25dd949907a390e8ce44926910657e2fa054f3e
+  data.tar.gz: 89b6051cb2a8f232336e1e25e95a5898c71ba4439f582224452effbcc41b3a68af13d1e16d855f8ebb7634c013fefd3301c661d5d6bf72f3d98894feb867f47f

data/lib/ssrf_filter/patch/ssl_socket.rb

@@ -1,45 +1,62 @@
+# frozen_string_literal: true
+
 class SsrfFilter
   module Patch
     module SSLSocket
-      # When fetching a url we'd like to have the following workflow:
-      # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
-      # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
-      #
-      # Ideally this would happen by the ruby http library giving us control over DNS resolution,
-      # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
-      # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
-      # a 'Host: www.example.com' header.
-      #
-      # This works for the http case, http://www.example.com. For the https case, this causes certificate
-      # validation failures, since the server certificate for https://www.example.com will not have a
-      # Subject Alternate Name for 93.184.216.34.
-      #
-      # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
-      # and `hostname=(hostname)` methods:
-      # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
-      # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
-      # which is used in ssrf_filter.rb.
-      #
-      # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
-      # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
-      # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
-      # that we connected to the desired hostname.
-
       def self.apply!
         return if instance_variable_defined?(:@patched_ssl_socket)
 
         @patched_ssl_socket = true
 
         ::OpenSSL::SSL::SSLSocket.class_eval do
+          # When fetching a url we'd like to have the following workflow:
+          # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
+          # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
+          #
+          # Ideally this would happen by the ruby http library giving us control over DNS resolution,
+          # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
+          # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
+          # a 'Host: www.example.com' header.
+          #
+          # This works for the http case, http://www.example.com. For the https case, this causes certificate
+          # validation failures, since the server certificate for https://www.example.com will not have a
+          # Subject Alternate Name for 93.184.216.34.
+          #
+          # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
+          # and `hostname=(hostname)` methods:
+          # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
+          # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
+          # which is used in ssrf_filter.rb.
+          #
+          # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
+          # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
+          # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
+          # that we connected to the desired hostname.
+
           original_post_connection_check = instance_method(:post_connection_check)
           define_method(:post_connection_check) do |hostname|
-            original_post_connection_check.bind(self).call(::Thread.current[::SsrfFilter::FIBER_LOCAL_KEY] || hostname)
+            original_post_connection_check.bind(self).call(::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY] ||
+              hostname)
           end
 
           if method_defined?(:hostname=)
             original_hostname = instance_method(:hostname=)
             define_method(:hostname=) do |hostname|
-              original_hostname.bind(self).call(::Thread.current[::SsrfFilter::FIBER_LOCAL_KEY] || hostname)
+              original_hostname.bind(self).call(::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY] || hostname)
+            end
+          end
+
+          # This patch is the successor to https://github.com/arkadiyt/ssrf_filter/pull/54
+          # Due to some changes in Ruby's net/http library (namely https://github.com/ruby/net-http/pull/36),
+          # the SSLSocket in the request was no longer getting `s.hostname` set.
+          # The original fix tried to monkey-patch the Regexp class to cause the original code path to execute,
+          # but this caused other problems (like https://github.com/arkadiyt/ssrf_filter/issues/61)
+          # This fix attempts a different approach to set the hostname on the socket
+          original_initialize = instance_method(:initialize)
+          define_method(:initialize) do |*args|
+            original_initialize.bind(self).call(*args)
+            if ::Thread.current.key?(::SsrfFilter::FIBER_HOSTNAME_KEY)
+              self.hostname = ::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY]
             end
           end
         end

data/lib/ssrf_filter/ssrf_filter.rb

@@ -10,7 +10,9 @@ class SsrfFilter
     mask_addr = ipaddr.instance_variable_get('@mask_addr')
     raise ArgumentError, 'Invalid mask' if mask_addr.zero?
 
-    mask_addr >>= 1 while (mask_addr & 0x1).zero?
+    while (mask_addr & 0x1).zero?
+      mask_addr >>= 1
+    end
 
     length = 0
     while mask_addr & 0x1 == 0x1
@@ -70,16 +72,19 @@ class SsrfFilter
     ::Resolv.getaddresses(hostname).map { |ip| ::IPAddr.new(ip) }
   end
 
+  DEFAULT_ALLOW_UNFOLLOWED_REDIRECTS = false
   DEFAULT_MAX_REDIRECTS = 10
 
   VERB_MAP = {
     get: ::Net::HTTP::Get,
     put: ::Net::HTTP::Put,
     post: ::Net::HTTP::Post,
-    delete: ::Net::HTTP::Delete
+    delete: ::Net::HTTP::Delete,
+    head: ::Net::HTTP::Head,
+    patch: ::Net::HTTP::Patch
   }.freeze
 
-  FIBER_LOCAL_KEY = :__ssrf_filter_hostname
+  FIBER_HOSTNAME_KEY = :__ssrf_filter_hostname
 
   class Error < ::StandardError
   end
@@ -99,17 +104,18 @@ class SsrfFilter
   class CRLFInjection < Error
   end
 
-  %i[get put post delete].each do |method|
+  %i[get put post delete head patch].each do |method|
     define_singleton_method(method) do |url, options = {}, &block|
       ::SsrfFilter::Patch::SSLSocket.apply!
-      ::SsrfFilter::Patch::HTTPGenericRequest.apply!
 
       original_url = url
-      scheme_whitelist = options[:scheme_whitelist] || DEFAULT_SCHEME_WHITELIST
-      resolver = options[:resolver] || DEFAULT_RESOLVER
-      max_redirects = options[:max_redirects] || DEFAULT_MAX_REDIRECTS
+      scheme_whitelist = options.fetch(:scheme_whitelist, DEFAULT_SCHEME_WHITELIST)
+      resolver = options.fetch(:resolver, DEFAULT_RESOLVER)
+      allow_unfollowed_redirects = options.fetch(:allow_unfollowed_redirects, DEFAULT_ALLOW_UNFOLLOWED_REDIRECTS)
+      max_redirects = options.fetch(:max_redirects, DEFAULT_MAX_REDIRECTS)
       url = url.to_s
 
+      response = nil
       (max_redirects + 1).times do
         uri = URI(url)
 
@@ -124,18 +130,12 @@ class SsrfFilter
         public_addresses = ip_addresses.reject(&method(:unsafe_ip_address?))
         raise PrivateIPAddress, "Hostname '#{hostname}' has no public ip addresses" if public_addresses.empty?
 
-        response = fetch_once(uri, public_addresses.sample.to_s, method, options, &block)
-
-        case response
-        when ::Net::HTTPRedirection then
-          url = response['location']
-          # Handle relative redirects
-          url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
-        else
-          return response
-        end
+        response, url = fetch_once(uri, public_addresses.sample.to_s, method, options, &block)
+        return response if url.nil?
       end
 
+      return response if allow_unfollowed_redirects
+
       raise TooManyRedirects, "Got #{max_redirects} redirects fetching #{original_url}"
     end
   end
@@ -169,7 +169,7 @@ class SsrfFilter
 
   def self.fetch_once(uri, ip, verb, options, &block)
     if options[:params]
-      params = uri.query ? ::Hash[::URI.decode_www_form(uri.query)] : {}
+      params = uri.query ? ::URI.decode_www_form(uri.query).to_h : {}
       params.merge!(options[:params])
       uri.query = ::URI.encode_www_form(params)
     end
@@ -186,15 +186,26 @@ class SsrfFilter
 
     request.body = options[:body] if options[:body]
 
-    block.call(request) if block_given?
+    options[:request_proc].call(request) if options[:request_proc].respond_to?(:call)
     validate_request(request)
 
     http_options = options[:http_options] || {}
     http_options[:use_ssl] = (uri.scheme == 'https')
 
     with_forced_hostname(hostname) do
-      ::Net::HTTP.start(uri.hostname, uri.port, http_options) do |http|
-        http.request(request)
+      ::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
+        response = http.request(request) do |res|
+          block&.call(res)
+        end
+        case response
+        when ::Net::HTTPRedirection
+          url = response['location']
+          # Handle relative redirects
+          url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
+        else
+          url = nil
+        end
+        return response, url
       end
     end
   end
@@ -214,10 +225,10 @@ class SsrfFilter
   private_class_method :validate_request
 
   def self.with_forced_hostname(hostname, &_block)
-    ::Thread.current[FIBER_LOCAL_KEY] = hostname
+    ::Thread.current[FIBER_HOSTNAME_KEY] = hostname
     yield
   ensure
-    ::Thread.current[FIBER_LOCAL_KEY] = nil
+    ::Thread.current[FIBER_HOSTNAME_KEY] = nil
   end
   private_class_method :with_forced_hostname
 end

data/lib/ssrf_filter/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class SsrfFilter
-  VERSION = '1.0.7'.freeze
+  VERSION = '1.1.2'
 end

data/lib/ssrf_filter.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'ssrf_filter/patch/http_generic_request'
 require 'ssrf_filter/patch/ssl_socket'
 require 'ssrf_filter/ssrf_filter'
 require 'ssrf_filter/version'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssrf_filter
 version: !ruby/object:Gem::Version
-  version: 1.0.7
+  version: 1.1.2
 platform: ruby
 authors:
 - Arkadiy Tetelman
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-21 00:00:00.000000000 Z
+date: 2023-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -16,87 +16,143 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: 0.9.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: 0.9.1
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.22
+        version: 3.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.22
+        version: 3.12.0
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.0
+        version: 1.35.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.0
+        version: 1.35.0
 - !ruby/object:Gem::Dependency
-  name: webmock
+  name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.5.1
+        version: 2.12.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.5.1
+        version: 2.12.1
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+- !ruby/object:Gem::Dependency
+  name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.65.0
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.65.0
+        version: 0.8.0
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.18.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.18.0
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A gem that makes it easy to prevent server side request forgery (SSRF)
   attacks
-email: 
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - lib/ssrf_filter.rb
-- lib/ssrf_filter/patch/http_generic_request.rb
 - lib/ssrf_filter/patch/ssl_socket.rb
 - lib/ssrf_filter/ssrf_filter.rb
 - lib/ssrf_filter/version.rb
 homepage: https://github.com/arkadiyt/ssrf_filter
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -104,15 +160,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: A gem that makes it easy to prevent server side request forgery (SSRF) attacks
 test_files: []

data/lib/ssrf_filter/patch/http_generic_request.rb

@@ -1,83 +0,0 @@
-require 'stringio'
-
-class SsrfFilter
-  module Patch
-    module HTTPGenericRequest
-      # Ruby had a bug in its Http library where if you set a custom `Host` header on a request it would get
-      # overwritten. This was tracked in:
-      # https://bugs.ruby-lang.org/issues/10054
-      # and resolved with the commit:
-      # https://github.com/ruby/ruby/commit/70a2eb63999265ff7e8d46d1f5b410c8ee3d30d7#diff-5c08b4ae27d2294a8294a27ff9af4a85
-      # Versions of Ruby that don't have this fix applied will fail to connect to certain hosts via SsrfFilter. The
-      # patch below backports the fix from the linked commit.
-
-      def self.should_apply?
-        # Check if the patch needs to be applied:
-        # The Ruby bug was that HTTPGenericRequest#exec overwrote the Host header, so this snippet checks
-        # if we can reproduce that behavior. It does not actually open any network connections.
-
-        uri = URI('https://www.example.com')
-        request = ::Net::HTTPGenericRequest.new('HEAD', false, false, uri)
-        request['host'] = '127.0.0.1'
-        request.exec(StringIO.new, '1.1', '/')
-        request['host'] == uri.hostname
-      end
-
-      # Apply the patch from the linked commit onto ::Net::HTTPGenericRequest. Since this is 3rd party code,
-      # disable code coverage and rubocop linting for this section.
-      # :nocov:
-      # rubocop:disable all
-      def self.apply!
-        return if instance_variable_defined?(:@checked_http_generic_request)
-        @checked_http_generic_request = true
-        return unless should_apply?
-
-        ::Net::HTTPGenericRequest.class_eval do
-          def exec(sock, ver, path)
-            if @body
-              send_request_with_body sock, ver, path, @body
-            elsif @body_stream
-              send_request_with_body_stream sock, ver, path, @body_stream
-            elsif @body_data
-              send_request_with_body_data sock, ver, path, @body_data
-            else
-              write_header sock, ver, path
-            end
-          end
-
-          def update_uri(addr, port, ssl)
-            # reflect the connection and @path to @uri
-            return unless @uri
-
-            if ssl
-              scheme = 'https'.freeze
-              klass = URI::HTTPS
-            else
-              scheme = 'http'.freeze
-              klass = URI::HTTP
-            end
-
-            if host = self['host']
-              host.sub!(/:.*/s, ''.freeze)
-            elsif host = @uri.host
-            else
-             host = addr
-            end
-            # convert the class of the URI
-            if @uri.is_a?(klass)
-              @uri.host = host
-              @uri.port = port
-            else
-              @uri = klass.new(
-                scheme, @uri.userinfo,
-                host, port, nil,
-                @uri.path, nil, @uri.query, nil)
-            end
-          end
-        end
-      end
-      # rubocop:enable all
-      # :nocov:
-    end
-  end
-end