static-rails 0.0.6 → 0.0.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/Gemfile.lock +1 -1
- data/README.md +3 -2
- data/lib/generators/templates/static.rb +1 -1
- data/lib/static-rails/configuration.rb +1 -1
- data/lib/static-rails/site_middleware.rb +1 -6
- data/lib/static-rails/site_plus_csrf_middleware.rb +14 -4
- data/lib/static-rails/validates_csrf_token.rb +26 -0
- data/lib/static-rails/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 71c1a0e6ce72ea1feb691e3cbfae0bec8bf723f1512cda383aeae57d56fd9765
|
|
4
|
+
data.tar.gz: 4d8d3c148661b2498ccfeb3677553e94a91c2cb68b5c48ba47aaace89be8adfe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cc39f818e745f67930b8821dbf3b38cdfd34d33accd25979801a4fbc34df67cdf600e517a2fe806f6094e43bc2e797fcef2aa4b1bb7006f3d75317a26b19ea82
|
|
7
|
+
data.tar.gz: c0879dc6ef5950806aaa662035ac7593a78c334dc578f65bd5e13526d1f4c770a08b9cf1f2b8fc8e21a9d00372876736924e05687e4d33ebbb780acc5b802ea1
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 0.0.7
|
|
2
|
+
|
|
3
|
+
* Ensure that CSRF tokens are valid, at the cost of some performance and
|
|
4
|
+
reliance on additional Rails internals. As a result CSRF cookie setting is now
|
|
5
|
+
disabled by default [#6](https://github.com/testdouble/static-rails/pull/6)
|
|
6
|
+
|
|
1
7
|
## 0.0.6
|
|
2
8
|
|
|
3
9
|
* Fix an issue where `ActionDispatch::FileHandler` won't be loaded in the event
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -84,13 +84,14 @@ overall behavior of the gem itself, across all your static sites:
|
|
|
84
84
|
`proxy_requests` is true, that the gem will wait for a response from a static
|
|
85
85
|
site's server on any given request before timing out and raising an error
|
|
86
86
|
|
|
87
|
-
* **config.set_csrf_token_cookie** (Default: `
|
|
87
|
+
* **config.set_csrf_token_cookie** (Default: `false`) when true, the gem's
|
|
88
88
|
middleware will set a cookie named `_csrf_token` with each request of your
|
|
89
89
|
static site. You can use this to set the `'x-csrf-token'` header on any
|
|
90
90
|
requests from your site back to routes hosted by the Rails app that are
|
|
91
91
|
[protected from CSRF
|
|
92
92
|
forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
|
|
93
|
-
(if you're not using Rails' cookie store for sessions
|
|
93
|
+
(if you're not using Rails' cookie store for sessions or you're okay with API
|
|
94
|
+
calls bypassing Rails CSRF, leave this off)
|
|
94
95
|
|
|
95
96
|
### Configuring your static sites themselves
|
|
96
97
|
|
|
@@ -12,7 +12,7 @@ StaticRails.config do |config|
|
|
|
12
12
|
# When true, both the proxy & static asset middleware will set a cookie
|
|
13
13
|
# named "_csrf_token" to the Rails CSRF token, allowing any client-side
|
|
14
14
|
# API requests to take advantage of Rails' request forgery protection
|
|
15
|
-
# config.set_csrf_token_cookie =
|
|
15
|
+
# config.set_csrf_token_cookie = false
|
|
16
16
|
|
|
17
17
|
# The list of static sites you are hosting with static-rails.
|
|
18
18
|
# Note that order matters! Request will be forwarded to the first site that
|
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
require_relative "proxy_middleware"
|
|
2
2
|
require_relative "static_middleware"
|
|
3
3
|
require_relative "determines_whether_to_handle_request"
|
|
4
|
-
require_relative "gets_csrf_token"
|
|
5
4
|
|
|
6
5
|
module StaticRails
|
|
7
6
|
class SiteMiddleware
|
|
@@ -17,7 +16,7 @@ module StaticRails
|
|
|
17
16
|
def call(env)
|
|
18
17
|
return @app.call(env) unless @determines_whether_to_handle_request.call(env)
|
|
19
18
|
|
|
20
|
-
if require_csrf_before_processing_request?
|
|
19
|
+
if require_csrf_before_processing_request?
|
|
21
20
|
# You might be asking yourself what the hell is going on here. In short,
|
|
22
21
|
# This middleware sits at the top of the stack, which is too early to
|
|
23
22
|
# set a CSRF token in a cookie. Therefore, we've placed a subclass of
|
|
@@ -55,9 +54,5 @@ module StaticRails
|
|
|
55
54
|
def require_csrf_before_processing_request?
|
|
56
55
|
StaticRails.config.set_csrf_token_cookie
|
|
57
56
|
end
|
|
58
|
-
|
|
59
|
-
def csrf_token_is_set?(env)
|
|
60
|
-
Rack::Request.new(env).cookies.has_key?("_csrf_token")
|
|
61
|
-
end
|
|
62
57
|
end
|
|
63
58
|
end
|
|
@@ -1,11 +1,13 @@
|
|
|
1
1
|
require_relative "site_middleware"
|
|
2
2
|
require_relative "determines_whether_to_handle_request"
|
|
3
|
+
require_relative "validates_csrf_token"
|
|
3
4
|
require_relative "gets_csrf_token"
|
|
4
5
|
|
|
5
6
|
module StaticRails
|
|
6
7
|
class SitePlusCsrfMiddleware < SiteMiddleware
|
|
7
8
|
def initialize(app)
|
|
8
9
|
@determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
|
|
10
|
+
@validates_csrf_token = ValidatesCsrfToken.new
|
|
9
11
|
@gets_csrf_token = GetsCsrfToken.new
|
|
10
12
|
super
|
|
11
13
|
end
|
|
@@ -21,10 +23,12 @@ module StaticRails
|
|
|
21
23
|
if StaticRails.config.set_csrf_token_cookie
|
|
22
24
|
req = Rack::Request.new(env)
|
|
23
25
|
res = Rack::Response.new(body, status, headers)
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
26
|
+
if needs_new_csrf_token?(req)
|
|
27
|
+
res.set_cookie("_csrf_token", {
|
|
28
|
+
value: @gets_csrf_token.call(req),
|
|
29
|
+
path: "/"
|
|
30
|
+
})
|
|
31
|
+
end
|
|
28
32
|
res.finish
|
|
29
33
|
else
|
|
30
34
|
[status, headers, body]
|
|
@@ -36,5 +40,11 @@ module StaticRails
|
|
|
36
40
|
def require_csrf_before_processing_request?
|
|
37
41
|
false
|
|
38
42
|
end
|
|
43
|
+
|
|
44
|
+
private
|
|
45
|
+
|
|
46
|
+
def needs_new_csrf_token?(req)
|
|
47
|
+
!req.cookies.has_key?("_csrf_token") || !@validates_csrf_token.call(req)
|
|
48
|
+
end
|
|
39
49
|
end
|
|
40
50
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
module StaticRails
|
|
2
|
+
class ValidatesCsrfToken
|
|
3
|
+
def call(req)
|
|
4
|
+
valid_authenticity_token?(req.session, req.cookies["_csrf_token"])
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
private
|
|
8
|
+
|
|
9
|
+
[
|
|
10
|
+
:valid_authenticity_token?,
|
|
11
|
+
:unmask_token,
|
|
12
|
+
:compare_with_real_token,
|
|
13
|
+
:valid_per_form_csrf_token?,
|
|
14
|
+
:xor_byte_strings,
|
|
15
|
+
:real_csrf_token
|
|
16
|
+
].each do |method|
|
|
17
|
+
define_method method do |*args, **kwargs, &blk|
|
|
18
|
+
ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def per_form_csrf_tokens
|
|
23
|
+
false
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
data/lib/static-rails/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: static-rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Searls
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-05-
|
|
11
|
+
date: 2020-05-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|
|
@@ -75,6 +75,7 @@ files:
|
|
|
75
75
|
- lib/static-rails/site_middleware.rb
|
|
76
76
|
- lib/static-rails/site_plus_csrf_middleware.rb
|
|
77
77
|
- lib/static-rails/static_middleware.rb
|
|
78
|
+
- lib/static-rails/validates_csrf_token.rb
|
|
78
79
|
- lib/static-rails/version.rb
|
|
79
80
|
- lib/static-rails/waits_for_connection.rb
|
|
80
81
|
- lib/tasks/static-rails.rake
|