static-rails 0.0.5 → 0.0.10

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3159e387c25a9742f063230f554490e70d41e4be4a318eed738e26480c048cb6
4
- data.tar.gz: da86a266cb8bd5559e5ec71d90a84c0ca0539449d8f7259d1ed0654abe3a0c64
3
+ metadata.gz: 7c20abb5a4b37f323a10e55d18ad7a65d0cb4219bf77bf1a9869d2ed0ab8f446
4
+ data.tar.gz: 3ca5e505c0b05eb36846153d0cb6b05947f3359eb1a92c6cfb477d99fc368484
5
5
  SHA512:
6
- metadata.gz: 4be0b00df5deaacc0c414bf743b78b5feff4f589e44b93378d5de40458e9f56733c83315f9e58cfa9d08c0627d26193994bbec01f86b18924e980e7dc8271f3b
7
- data.tar.gz: 1c42430d7193cf13eb21579f5647ecd53f07e010092c2056bef17848aed64a588c8c5919241760fb867e67734d2878559f127c6347b082fe5ef4c77387cc6454
6
+ metadata.gz: eb489b95dfc77757c3e72e3612c7d5fa021393684b230de937355e230778d371468922e1d5277d3d0ef819b106d5ab07db09dc7284b9a6eefe1098baec9dc58e
7
+ data.tar.gz: cbba26724c30fcfec192893973d5ec83de0d50ab719b05c842e457d504319d4658b65688f154566091e8a3bd50c27e8cc7df5bd5ac1645e73b67a821e866150a
@@ -1,3 +1,31 @@
1
+ ## 0.0.10
2
+
3
+ * Change default `cache-control` header for static assets being served from disk
4
+ from `no-cache` to `"public; max-age=31536000"`
5
+
6
+ ## 0.0.9
7
+
8
+ * When using CSRF protection, the artificial path info will now be
9
+ "__static_rails__" instead of a random string, to make logs appear cleaner
10
+ * Attempt to guard against future internal changes to Rails' request forgery
11
+ protection by adding `method_missing` that calls through
12
+
13
+ ## 0.0.8
14
+
15
+ * Add support for the [CSRF
16
+ changes](https://github.com/rails/rails/commit/358ff18975f26e820ea355ec113ffc5228e59af8) in Rails 6.0.3.1
17
+
18
+ ## 0.0.7
19
+
20
+ * Ensure that CSRF tokens are valid, at the cost of some performance and
21
+ reliance on additional Rails internals. As a result CSRF cookie setting is now
22
+ disabled by default [#6](https://github.com/testdouble/static-rails/pull/6)
23
+
24
+ ## 0.0.6
25
+
26
+ * Fix an issue where `ActionDispatch::FileHandler` won't be loaded in the event
27
+ that static-rails is serving compiled assets but Rails is not
28
+
1
29
  ## 0.0.5
2
30
 
3
31
  * Add a site option `compile_404_file_path` to specify a file to be used as a
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- static-rails (0.0.5)
4
+ static-rails (0.0.10)
5
5
  rack-proxy (~> 0.6)
6
6
  railties (>= 5.0.0)
7
7
 
@@ -32,19 +32,18 @@ GEM
32
32
  concurrent-ruby (1.1.6)
33
33
  crass (1.0.6)
34
34
  erubi (1.9.0)
35
- i18n (1.8.2)
35
+ i18n (1.8.3)
36
36
  concurrent-ruby (~> 1.0)
37
- jaro_winkler (1.5.4)
38
37
  loofah (2.5.0)
39
38
  crass (~> 1.0.2)
40
39
  nokogiri (>= 1.5.9)
41
40
  method_source (1.0.0)
42
41
  mini_portile2 (2.4.0)
43
- minitest (5.14.0)
42
+ minitest (5.14.1)
44
43
  nokogiri (1.10.9)
45
44
  mini_portile2 (~> 2.4.0)
46
45
  parallel (1.19.1)
47
- parser (2.7.1.1)
46
+ parser (2.7.1.3)
48
47
  ast (~> 2.4.0)
49
48
  rack (2.2.2)
50
49
  rack-proxy (0.6.5)
@@ -64,26 +63,30 @@ GEM
64
63
  thor (>= 0.20.3, < 2.0)
65
64
  rainbow (3.0.0)
66
65
  rake (13.0.1)
66
+ regexp_parser (1.7.1)
67
67
  rexml (3.2.4)
68
- rubocop (0.80.1)
69
- jaro_winkler (~> 1.5.1)
68
+ rubocop (0.85.1)
70
69
  parallel (~> 1.10)
71
70
  parser (>= 2.7.0.1)
72
71
  rainbow (>= 2.2.2, < 4.0)
72
+ regexp_parser (>= 1.7)
73
73
  rexml
74
+ rubocop-ast (>= 0.0.3)
74
75
  ruby-progressbar (~> 1.7)
75
- unicode-display_width (>= 1.4.0, < 1.7)
76
- rubocop-performance (1.5.2)
76
+ unicode-display_width (>= 1.4.0, < 2.0)
77
+ rubocop-ast (0.0.3)
78
+ parser (>= 2.7.0.1)
79
+ rubocop-performance (1.6.1)
77
80
  rubocop (>= 0.71.0)
78
81
  ruby-progressbar (1.10.1)
79
- standard (0.2.5)
80
- rubocop (~> 0.80.1)
81
- rubocop-performance (~> 1.5.2)
82
+ standard (0.4.7)
83
+ rubocop (~> 0.85.0)
84
+ rubocop-performance (~> 1.6.0)
82
85
  thor (1.0.1)
83
86
  thread_safe (0.3.6)
84
87
  tzinfo (1.2.7)
85
88
  thread_safe (~> 0.1)
86
- unicode-display_width (1.6.1)
89
+ unicode-display_width (1.7.0)
87
90
  zeitwerk (2.3.0)
88
91
 
89
92
  PLATFORMS
data/README.md CHANGED
@@ -84,13 +84,14 @@ overall behavior of the gem itself, across all your static sites:
84
84
  `proxy_requests` is true, that the gem will wait for a response from a static
85
85
  site's server on any given request before timing out and raising an error
86
86
 
87
- * **config.set_csrf_token_cookie** (Default: `true`) when true, the gem's
87
+ * **config.set_csrf_token_cookie** (Default: `false`) when true, the gem's
88
88
  middleware will set a cookie named `_csrf_token` with each request of your
89
89
  static site. You can use this to set the `'x-csrf-token'` header on any
90
90
  requests from your site back to routes hosted by the Rails app that are
91
91
  [protected from CSRF
92
92
  forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
93
- (if you're not using Rails' cookie store for sessions, turn this off)
93
+ (if you're not using Rails' cookie store for sessions or you're okay with API
94
+ calls bypassing Rails CSRF, leave this off)
94
95
 
95
96
  ### Configuring your static sites themselves
96
97
 
@@ -12,7 +12,7 @@ StaticRails.config do |config|
12
12
  # When true, both the proxy & static asset middleware will set a cookie
13
13
  # named "_csrf_token" to the Rails CSRF token, allowing any client-side
14
14
  # API requests to take advantage of Rails' request forgery protection
15
- # config.set_csrf_token_cookie = true
15
+ # config.set_csrf_token_cookie = false
16
16
 
17
17
  # The list of static sites you are hosting with static-rails.
18
18
  # Note that order matters! Request will be forwarded to the first site that
@@ -30,7 +30,7 @@ module StaticRails
30
30
  @proxy_requests = !Rails.env.production?
31
31
  @serve_compiled_assets = Rails.env.production?
32
32
  @ping_server_timeout = 5
33
- @set_csrf_token_cookie = true
33
+ @set_csrf_token_cookie = false
34
34
  end
35
35
 
36
36
  attr_reader :sites
@@ -1,15 +1,31 @@
1
+ require_relative "request_forgery_protection_fallback"
2
+
1
3
  module StaticRails
2
4
  class GetsCsrfToken
5
+ include RequestForgeryProtectionFallback
6
+
3
7
  def call(req)
4
8
  masked_authenticity_token(req.session)
5
9
  end
6
10
 
7
11
  private
8
12
 
13
+ def csrf_token_hmac(session, identifier)
14
+ ActionController::RequestForgeryProtection.instance_method(:csrf_token_hmac).bind(self).call(session, identifier)
15
+ end
16
+
17
+ def mask_token(raw_token)
18
+ ActionController::RequestForgeryProtection.instance_method(:mask_token).bind(self).call(raw_token)
19
+ end
20
+
9
21
  def masked_authenticity_token(session, form_options: {})
10
22
  ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options)
11
23
  end
12
24
 
25
+ def global_csrf_token(session)
26
+ ActionController::RequestForgeryProtection.instance_method(:global_csrf_token).bind(self).call(session)
27
+ end
28
+
13
29
  def real_csrf_token(session)
14
30
  ActionController::RequestForgeryProtection.instance_method(:real_csrf_token).bind(self).call(session)
15
31
  end
@@ -17,7 +17,6 @@ module StaticRails
17
17
 
18
18
  server_store = ServerStore.instance
19
19
  server_store.ensure_all_servers_are_started
20
- server_store.ensure_servers_are_up
21
20
 
22
21
  req = Rack::Request.new(env)
23
22
  if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
@@ -0,0 +1,19 @@
1
+ module StaticRails
2
+ module RequestForgeryProtectionFallback
3
+ def method_missing(method_name, *args, **kwargs, &blk)
4
+ if respond_to?(method_name)
5
+ ActionController::RequestForgeryProtection.instance_method(method_name).bind(self).call(*args, **kwargs, &blk)
6
+ else
7
+ super
8
+ end
9
+ end
10
+
11
+ def respond_to?(method_name, *args)
12
+ ActionController::RequestForgeryProtection.instance_method(method_name) || super
13
+ end
14
+
15
+ def respond_to_missing?(method_name, *args)
16
+ ActionController::RequestForgeryProtection.instance_method(method_name) || super
17
+ end
18
+ end
19
+ end
@@ -16,10 +16,6 @@ module StaticRails
16
16
  @servers[site] ||= Server.new(site)
17
17
  end
18
18
 
19
- def ensure_servers_are_up
20
- @servers.values.each(&:start)
21
- end
22
-
23
19
  private
24
20
 
25
21
  def initialize
@@ -1,11 +1,10 @@
1
1
  require_relative "proxy_middleware"
2
2
  require_relative "static_middleware"
3
3
  require_relative "determines_whether_to_handle_request"
4
- require_relative "gets_csrf_token"
5
4
 
6
5
  module StaticRails
7
6
  class SiteMiddleware
8
- PATH_INFO_OBFUSCATION = "JujJVj31M3SpzTjIGBJ2-3iE0lKXOIOlbLuk9Lxwe-Ll2uLuwH5KD8dmt1MqyZ"
7
+ PATH_INFO_OBFUSCATION = "__static-rails__"
9
8
 
10
9
  def initialize(app)
11
10
  @app = app
@@ -17,7 +16,7 @@ module StaticRails
17
16
  def call(env)
18
17
  return @app.call(env) unless @determines_whether_to_handle_request.call(env)
19
18
 
20
- if require_csrf_before_processing_request? && !csrf_token_is_set?(env)
19
+ if require_csrf_before_processing_request?
21
20
  # You might be asking yourself what the hell is going on here. In short,
22
21
  # This middleware sits at the top of the stack, which is too early to
23
22
  # set a CSRF token in a cookie. Therefore, we've placed a subclass of
@@ -41,7 +40,7 @@ module StaticRails
41
40
  #
42
41
  # (By the way, this was all Matthew Draper's bright idea. You can
43
42
  # compliment him here: https://github.com/matthewd )
44
- @app.call(env.merge("PATH_INFO" => env["PATH_INFO"] + PATH_INFO_OBFUSCATION))
43
+ @app.call(env.merge("PATH_INFO" => PATH_INFO_OBFUSCATION + env["PATH_INFO"]))
45
44
  elsif StaticRails.config.proxy_requests
46
45
  @proxy_middleware.call(env)
47
46
  elsif StaticRails.config.serve_compiled_assets
@@ -55,9 +54,5 @@ module StaticRails
55
54
  def require_csrf_before_processing_request?
56
55
  StaticRails.config.set_csrf_token_cookie
57
56
  end
58
-
59
- def csrf_token_is_set?(env)
60
- Rack::Request.new(env).cookies.has_key?("_csrf_token")
61
- end
62
57
  end
63
58
  end
@@ -1,30 +1,34 @@
1
1
  require_relative "site_middleware"
2
2
  require_relative "determines_whether_to_handle_request"
3
+ require_relative "validates_csrf_token"
3
4
  require_relative "gets_csrf_token"
4
5
 
5
6
  module StaticRails
6
7
  class SitePlusCsrfMiddleware < SiteMiddleware
7
8
  def initialize(app)
8
9
  @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
10
+ @validates_csrf_token = ValidatesCsrfToken.new
9
11
  @gets_csrf_token = GetsCsrfToken.new
10
12
  super
11
13
  end
12
14
 
13
15
  def call(env)
14
- return @app.call(env) unless @determines_whether_to_handle_request.call(env)
16
+ return @app.call(env) unless env["PATH_INFO"]&.start_with?(PATH_INFO_OBFUSCATION) || @determines_whether_to_handle_request.call(env)
15
17
 
16
18
  env = env.merge(
17
- "PATH_INFO" => env["PATH_INFO"].gsub(/#{PATH_INFO_OBFUSCATION}/, "")
19
+ "PATH_INFO" => env["PATH_INFO"].gsub(/^#{PATH_INFO_OBFUSCATION}/, "")
18
20
  )
19
21
  status, headers, body = super(env)
20
22
 
21
23
  if StaticRails.config.set_csrf_token_cookie
22
24
  req = Rack::Request.new(env)
23
25
  res = Rack::Response.new(body, status, headers)
24
- res.set_cookie("_csrf_token", {
25
- value: @gets_csrf_token.call(req),
26
- path: "/"
27
- })
26
+ if needs_new_csrf_token?(req)
27
+ res.set_cookie("_csrf_token", {
28
+ value: @gets_csrf_token.call(req),
29
+ path: "/"
30
+ })
31
+ end
28
32
  res.finish
29
33
  else
30
34
  [status, headers, body]
@@ -36,5 +40,11 @@ module StaticRails
36
40
  def require_csrf_before_processing_request?
37
41
  false
38
42
  end
43
+
44
+ private
45
+
46
+ def needs_new_csrf_token?(req)
47
+ !req.cookies.has_key?("_csrf_token") || !@validates_csrf_token.call(req)
48
+ end
39
49
  end
40
50
  end
@@ -1,4 +1,5 @@
1
1
  require "rack-proxy"
2
+ require "action_dispatch/middleware/static"
2
3
 
3
4
  require_relative "matches_request_to_static_site"
4
5
 
@@ -32,7 +33,10 @@ module StaticRails
32
33
  # See: actionpack/lib/action_dispatch/middleware/static.rb
33
34
  def file_handler_for(site)
34
35
  @file_handlers[site] ||= ActionDispatch::FileHandler.new(
35
- StaticRails.config.app.root.join(site.compile_dir).to_s
36
+ StaticRails.config.app.root.join(site.compile_dir).to_s,
37
+ headers: {
38
+ "cache-control" => "public; max-age=31536000"
39
+ }
36
40
  )
37
41
  end
38
42
 
@@ -0,0 +1,33 @@
1
+ require_relative "request_forgery_protection_fallback"
2
+
3
+ module StaticRails
4
+ class ValidatesCsrfToken
5
+ include RequestForgeryProtectionFallback
6
+
7
+ def call(req)
8
+ valid_authenticity_token?(req.session, req.cookies["_csrf_token"])
9
+ end
10
+
11
+ private
12
+
13
+ [
14
+ :compare_with_global_token,
15
+ :global_csrf_token,
16
+ :csrf_token_hmac,
17
+ :valid_authenticity_token?,
18
+ :unmask_token,
19
+ :compare_with_real_token,
20
+ :valid_per_form_csrf_token?,
21
+ :xor_byte_strings,
22
+ :real_csrf_token
23
+ ].each do |method|
24
+ define_method method do |*args, **kwargs, &blk|
25
+ ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
26
+ end
27
+ end
28
+
29
+ def per_form_csrf_tokens
30
+ false
31
+ end
32
+ end
33
+ end
@@ -1,3 +1,3 @@
1
1
  module StaticRails
2
- VERSION = "0.0.5"
2
+ VERSION = "0.0.10"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: static-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.5
4
+ version: 0.0.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Searls
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-05-21 00:00:00.000000000 Z
11
+ date: 2020-06-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: railties
@@ -69,12 +69,14 @@ files:
69
69
  - lib/static-rails/proxy_middleware.rb
70
70
  - lib/static-rails/rack_server_check.rb
71
71
  - lib/static-rails/railtie.rb
72
+ - lib/static-rails/request_forgery_protection_fallback.rb
72
73
  - lib/static-rails/server.rb
73
74
  - lib/static-rails/server_store.rb
74
75
  - lib/static-rails/site.rb
75
76
  - lib/static-rails/site_middleware.rb
76
77
  - lib/static-rails/site_plus_csrf_middleware.rb
77
78
  - lib/static-rails/static_middleware.rb
79
+ - lib/static-rails/validates_csrf_token.rb
78
80
  - lib/static-rails/version.rb
79
81
  - lib/static-rails/waits_for_connection.rb
80
82
  - lib/tasks/static-rails.rake