strict_request_uri 1.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 738571a4631e7084c03451d4fd855a6c3cc0ed70
+  data.tar.gz: ac07e480bb801f3ff018354ea1589243415b66a3
+SHA512:
+  metadata.gz: 582c0060f97ccfb5dba596ab0c9d8a4f5c23acf364a57d7b21077ff66c20cd42a020f4e2d0380dff439c876ee88a00ff9b349099e4b576f19cc92e3a35e14835
+  data.tar.gz: 36eb35790951f82a32eba98f78feed081d5b9558010089950ab28cae62f5ebe37230415cbc83a7f658ee63223a0bc83881260e2b71ea8df8e7b13cb1d92382e5

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1 @@
+--color

data/.travis.yml

@@ -0,0 +1,8 @@
+rvm:
+- 2.1
+- 2.2
+- 2.3.0
+- jruby-9.0
+sudo: false
+cache: bundler
+script: bundle exec rspec

data/Gemfile

@@ -0,0 +1,12 @@
+source "http://rubygems.org"
+
+gem 'rack', '~> 1'
+
+group :development do
+  gem 'gemfury'
+  gem "rspec", "~> 3.0"
+  gem "rdoc", "~> 3.12"
+  gem "bundler", "~> 1.0"
+  gem "jeweler", "~> 2.2.1"
+  gem "simplecov", ">= 0"
+end

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2016 WeTransfer
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,56 @@
+# strict_request_uri
+
+[![Build Status](https://travis-ci.org/WeTransfer/strict_request_uri.svg?branch=master)](https://travis-ci.org/WeTransfer/strict_request_uri)
+
+![Nasty URL](images/strict_uri.png)
+
+Reject requests with an invalid REQUEST_URI at the gate.
+Some HTTP clients will happily append raw junk bytes to your URL before doing a request. Others
+will first append junk, and then URL-encode it.
+
+What you want for a valid URL is something that is
+
+* properly URL-encoded
+* is valid UTF-8 once URL-decoded
+
+This gem provides a Rack middleware that is going to try to decode REQUEST_URI, and if it
+cannot be decoded, an error page will be rendered instead.
+
+    use StrictRequestUri do |env|
+      # You can use the preserved invalid path+qs to do additional checks/logging
+      logger.warn "Invalid URL received"
+      logger.warn env['strict_uri.original_invalid_url']
+      
+      # You can also render a suggestion or redirect based on the suggested fixed URL.
+      # The fixed URL will have all junk at the end removed until the string becomes a valid URL.
+      logger.warn "Suggested instead:"
+      logger.warn env['strict_uri.proposed_fixed_url']
+      
+      [400, {'Content-Type' => 'text/plain'}, ['This is a no go mate']]
+    end
+
+Note that `PATH_INFO` and `QUERY_STRING` variables in Rack env are going to be replaced
+with something harmless (because they get used to render self-URLs and so on).
+
+You can also use it in your Rails middleware stack, and render a controller in return
+
+    Rails.application.config.middleware.insert_after 'Warden::Manager', StrictRequestUri do | env |
+      ErrorPagesController.action(:invalid_url).call(env)
+    end
+
+
+## Contributing to strict_request_uri
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+## Copyright
+
+Copyright (c) 2016 WeTransfer. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,69 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require_relative 'lib/strict_request_uri'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  gem.version = StrictRequestUri::VERSION
+  gem.name = "strict_request_uri"
+  gem.homepage = "https://github.com/WeTransfer/strict_request_uri"
+  gem.license = "MIT"
+  gem.description = %Q{Reject Rack requests with an invalid URL}
+  gem.summary = %Q{and show an error page instead}
+  gem.email = "me@julik.nl"
+  gem.authors = ["Julik Tarkhanov"]
+  # dependencies defined in Gemfile
+end
+# Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+desc "Code coverage detail"
+task :simplecov do
+  ENV['COVERAGE'] = "true"
+  Rake::Task['spec'].execute
+end
+
+task :default => :spec
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "strict_request_uri #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+namespace :fury do
+  desc "Pick up the .gem file from pkg/ and push it to Gemfury"
+  task :release do
+    # IMPORTANT: You need to have the `fury` gem installed, and you need to be logged in.
+    # Please DO READ about "impersonation", which is how you push to your company account instead
+    # of your personal account!
+    # https://gemfury.com/help/collaboration#impersonation
+    paths = Dir.glob(__dir__ + '/pkg/*.gem')
+    if paths.length != 1
+      raise "Must have found only 1 .gem path, but found %s" % paths.inspect
+    end
+    escaped_gem_path = Shellwords.escape(paths.shift)
+    `fury push #{escaped_gem_path} --as=wetransfer`
+  end
+end
+task :release => [:clean, 'gemspec:generate', 'git:release', :build, 'fury:release']

data/lib/strict_request_uri.rb

@@ -0,0 +1,103 @@
+require 'rack'
+
+# Sometimes junk gets appended to the URLs clicked in e-mails.
+# This junk then gets sent by browsers undecoded, and causes Unicode-related
+# exceptions when the full request URI or path is rebuilt for ActionDispatch.
+#
+# We can fix this by iteratively removing bytes from the end of the URL until it becomes parseable.
+#
+# We do however answer to those URLs with a 400 to indicate clients that those requests are not
+# welcome. This also allows us to tell the users that they are using a URL which is in fact
+# not really valid.
+class StrictRequestUri
+  VERSION = '1.0.2'
+  
+  # Inits the middleware. The optional proc should be a Rack application that 
+  # will render the error page. To make a controller render that page,
+  # use <ControllerClass>.action()
+  #
+  #   use RequestUriCleanup do | env |
+  #       ErrorsController.action(:invalid_request).call(env)
+  #   end
+  def initialize(app, &error_page_rack_app)
+    @app = app
+    @error_page_app = if error_page_rack_app
+      error_page_rack_app
+    else
+      ->(env) { [400, {'Content-Type' => 'text/plain'}, ['Invalid request URI']] }
+    end
+  end
+  
+  def call(env)
+    # Compose the original URL, taking care not to treat it as UTF8.
+    # Do not use Rack::Request since it is not really needed for this
+    # (and _might be doing something with strings that we do not necessarily want).
+    # For instance, Rack::Request does regexes when you ask it for the REQUEST_URI
+    tainted_url = reconstruct_original_url(env)
+    return @app.call(env) if string_parses_to_url?(tainted_url)
+    
+    # At this point we know the URL is fishy.
+    referer = to_utf8(env['HTTP_REFERER'] || '(unknown)')
+    env['rack.errors'].puts("Invalid URL received from referer #{referer}") if env['rack.errors']
+    
+    # Save the original URL so that the error page can use it
+    env['strict_uri.original_invalid_url'] = tainted_url
+    env['strict_uri.proposed_fixed_url'] = 
+      truncate_bytes_at_end_until_parseable(tainted_url)
+    
+    # Strictly speaking, the parts we are going to put into QUERY_STRING and PATH_INFO
+    # should _only_ be used for rendering the error page, and that's it.
+    # 
+    # We can therefore wipe them clean.
+    env['PATH_INFO'] = '/invalid-url'
+    env['QUERY_STRING'] = ''
+    
+    # And render the error page using the provided error app.
+    @error_page_app.call(env)
+  end
+  
+  private
+  
+  # Reconstruct the original URL from the Rack env variables, converting them to
+  # binary encoding before joining them together. This ensures the "bad" bits stay
+  # broken and no errors are raised. 
+  def reconstruct_original_url(env)
+    original_url_components = env.values_at('SCRIPT_NAME', 'PATH_INFO')
+    unless env['QUERY_STRING'].empty?
+      original_url_components << '?'
+      original_url_components << env['QUERY_STRING']
+    end
+    original_url_components.map{|e| e.unpack("C*").pack("C*") }.join
+  end
+  
+  def string_parses_to_url?(string)
+    # We can have two sorts of possible damage.
+    # First sort is when raw garbage bytes just get added to the URL.
+    # This can be caught by attempting to parse the URL with URI().
+    parsed_uri = URI(string)
+    # The second kind of damage is when there _is_ in fact a normal URL-encoded
+    # character, which URI() will happily swallow - but this character is not valid
+    # UTF-8 and will make the Rails router crash. For our purposes it _also_ means
+    # the URL has been damaged bayound repair.
+    decoded_uri = Rack::Utils.unescape(string).unpack("U*")
+    true
+  rescue URI::InvalidURIError, ArgumentError
+    false
+  end
+  
+  def to_utf8(str, repl_char='?')
+    str.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: repl_char)
+  end
+  
+  # Chops off one byte from the given string iteratively, until the string can be parsed
+  # using URI() _and_ decoded using Rack::Utils.unescape.
+  def truncate_bytes_at_end_until_parseable(str)
+    cutoff = -1
+    until str.empty? do
+      str = str[0..cutoff]
+      return str if string_parses_to_url?(str)
+      cutoff -= 1
+    end
+    ''
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require 'rspec'
+require 'strict_request_uri'
+
+RSpec.configure do |config|
+  config.order = 'random'
+end

data/spec/strict_request_uri_spec.rb

@@ -0,0 +1,205 @@
+require_relative 'spec_helper'
+
+describe StrictRequestUri do
+  context 'with a good URL' do
+    it 'returns the downstream response for URLs without a query string' do
+      env_with_valid_chars = {
+        'SCRIPT_NAME' => 'myscript',
+        'PATH_INFO' => '/items/457',
+        'QUERY_STRING' => ''
+      }
+      app = ->(env) {
+        expect(env['QUERY_STRING']).to eq('')
+        expect(env['SCRIPT_NAME']).to eq('myscript')
+        expect(env['PATH_INFO']).to eq('/items/457')
+        :total_success
+      }
+      expect(described_class.new(app).call(env_with_valid_chars)).to eq(:total_success)
+    end
+  
+    it 'returns the downstream response for URLs with a query string' do
+      env_with_valid_chars = {
+        'SCRIPT_NAME' => 'myscript',
+        'PATH_INFO' => '/items/457',
+        'QUERY_STRING' => 'foo=bar'
+      }
+      app = ->(env) {
+        expect(env['QUERY_STRING']).to eq('foo=bar')
+        expect(env['SCRIPT_NAME']).to eq('myscript')
+        expect(env['PATH_INFO']).to eq('/items/457')
+        :total_success
+      }
+      expect(described_class.new(app).call(env_with_valid_chars)).to eq(:total_success)
+    end
+  end
+  
+  context 'with a garbage URL' do
+    it 'calls the default error app if none was set' do
+      # All of those 3 components are required as per Rack spec
+      env_with_invalid_chars = {
+        'SCRIPT_NAME' => '',
+        'PATH_INFO' => [107, 17, 52, 140].pack("C*"),
+        'QUERY_STRING' => '',
+      }
+    
+      middleware = described_class.new(nil) # will raise if the wrapped app is called
+      status, headers, body = middleware.call(env_with_invalid_chars)
+      expect(status).to eq(400)
+      expect(headers).to eq({'Content-Type' => 'text/plain'})
+      expect(body).to eq(['Invalid request URI'])
+    end
+  
+    it 'with junk after the path calls the error app instead' do
+      # The related bug ticket - https://www.assembla.com/spaces/wetransfer-2-0/tickets/1568
+      script_name = 'myscript'
+      valid_part = '/items/457'
+      invalid_part = [107, 17, 52, 140].pack("C*")
+      invalid_path_info = valid_part.encode(Encoding::BINARY) + invalid_part
+    
+      expect {
+        invalid_path_info.encode(Encoding::UTF_8)
+      }.to raise_error(Encoding::UndefinedConversionError)
+    
+      # All of those 3 components are required as per Rack spec
+      env_with_invalid_chars = {
+        'SCRIPT_NAME' => script_name,
+        'PATH_INFO' => invalid_path_info,
+        'QUERY_STRING' => '',
+        'rack.errors' => double('IO')
+      }
+    
+      # Do not render from the controller since we do not have a complete Rack env hash initialized.
+      # Instead, sneak in our own testing Proc.
+      error_handling_app = ->(env) {
+        # Make sure those are now safe to concat with each other
+        expect(env['SCRIPT_NAME']).to eq("myscript")
+        expect(env['PATH_INFO']).to eq("/invalid-url")
+        expect(env['QUERY_STRING']).to eq('')
+      
+        # Make sure the original broken URL is stashed somewhere for the error page to act on
+        expect(env['strict_uri.original_invalid_url']).to include(script_name)
+        expect(env['strict_uri.original_invalid_url']).to include(invalid_path_info)
+        expect(env['strict_uri.proposed_fixed_url']).to eq("myscript/items/457k")
+      
+        # Ensure those are valid - if this call raises the spec will fail
+        env['PATH_INFO'].encode(Encoding::UTF_8)
+      
+        [200, {'Content-Type' => 'text/plain'}, ['This is an error message']]
+      }
+      
+      expect(env_with_invalid_chars['rack.errors']).to receive(:puts).
+        with("Invalid URL received from referer (unknown)")
+    
+      middleware = described_class.new(nil, &error_handling_app) # will raise if the wrapped app is called
+      status, headers, body = middleware.call(env_with_invalid_chars)
+      expect(status).to eq(200)
+      expect(headers).to eq({'Content-Type' => 'text/plain'})
+    end
+
+    it 'after the query string calls the error app instead' do
+      # The related bug ticket - https://www.assembla.com/spaces/wetransfer-2-0/tickets/1568
+      script_name = 'myscript'
+      valid_path_info = '/items/457'
+      query_string = 'foo=bar&baz=bad'
+      invalid_part = [107, 17, 52, 140].pack("C*")
+      invalid_qs = query_string.encode(Encoding::BINARY) + invalid_part
+    
+      expect {
+        invalid_qs.encode(Encoding::UTF_8)
+      }.to raise_error(Encoding::UndefinedConversionError)
+    
+      # All of those 3 components are required as per Rack spec
+      env_with_invalid_chars = {
+        'SCRIPT_NAME' => script_name,
+        'PATH_INFO' => valid_path_info,
+        'QUERY_STRING' => invalid_qs,
+        'HTTP_REFERER' => 'https://megacorp.co/webmail.asp',
+        'rack.errors' => double('IO')
+      }
+    
+      error_handling_app = ->(env) {
+        # Make sure those are now safe to concat with each other
+        expect(env['SCRIPT_NAME']).to eq("myscript")
+        expect(env['PATH_INFO']).to eq("/invalid-url")
+        expect(env['QUERY_STRING']).to eq('')
+      
+        expect(env['strict_uri.original_invalid_url']).to include(valid_path_info)
+        expect(env['strict_uri.original_invalid_url']).to include(invalid_qs)
+      
+        # Ensure those are valid - if this call raises the spec will fail
+        env['QUERY_STRING'].encode(Encoding::UTF_8)
+      
+        [200, {'Content-Type' => 'text/plain'}, ['This is an error message']]
+      }
+      expect(env_with_invalid_chars['rack.errors']).to receive(:puts).
+        with('Invalid URL received from referer https://megacorp.co/webmail.asp')
+      
+      # nil  will raise if the wrapped app is called
+      middleware = described_class.new(nil, &error_handling_app)
+      status, headers, body = middleware.call(env_with_invalid_chars)
+      expect(status).to eq(200)
+      expect(headers).to eq({'Content-Type' => 'text/plain'})
+    end
+  end
+
+  context 'with production examples of garbled PATH_INFO' do
+    it 'triggers with URL-encoded bytes that are invalid UTF-8 when decoded' do
+      # Example from production - here at the end of the url you have
+      # \xC2 in percent-encoded form, which cannot be converted to UTF-8.
+      # If we let it through, it _can_ be rendered using request.original_url
+      # but _cannot_ be used by Journey when url_for is called.
+      #
+      # So we have to intercept this as well. 
+      path = '/downloads/918ab1e20586c0b4e1875b3789b84ec720150615173920' +
+        '/a480d026f46b0f0533cec47545cd5e2820150615173920/0130a0%C2'
+      fake_action = ->(env) {
+        # Make sure those are now safe to concat with each other
+        expect(env['SCRIPT_NAME']).to eq('')
+        expect(env['PATH_INFO']).to eq('/invalid-url')
+        expect(env['QUERY_STRING']).to eq('')
+        
+        expect(env['strict_uri.original_invalid_url']).not_to be_nil
+        expect(env['strict_uri.proposed_fixed_url']).to match(/\/0130a0$/)
+        expect(env['strict_uri.proposed_fixed_url']).to match(/^\/downloads\//)
+        [200, :h, :b]
+      }
+      invalid_env = {
+        'SCRIPT_NAME' => '',
+        'PATH_INFO' => path,
+        'QUERY_STRING' => '',
+      }
+      # nil will raise if the wrapped app is called
+      middleware = described_class.new(nil, &fake_action)
+      status, headers, body = middleware.call(invalid_env)
+      expect(status).to eq(200)
+      expect(headers).to eq(:h)
+    end
+    
+    it 'triggers with raw bytes that cannot be URL-decoded' do
+      # Example from production - just random gunk appended to the end of the URL
+      path = '/downloads/918ab1e20586c0b4e1875b3789b84ec720150615173920' +
+        '/a480d026f46b0f0533cec47545cd5e2820150615173920/0130a' + '���'
+      
+      fake_action = ->(env) {
+        # Make sure those are now safe to concat with each other
+        expect(env['SCRIPT_NAME']).to eq('')
+        expect(env['PATH_INFO']).to eq('/invalid-url')
+        expect(env['QUERY_STRING']).to eq('')
+        
+        expect(env['request_uri_cleanup.original_invalid_url']).not_to be_nil
+        expect(env['request_uri_cleanup.proposed_fixed_url']).to match(/^\/downloads\//)
+        expect(env['request_uri_cleanup.proposed_fixed_url']).to match(/0130$/)
+        
+        [200, :h, :b]
+      }
+      invalid_env = {
+        'SCRIPT_NAME' => '',
+        'PATH_INFO' => path,
+        'QUERY_STRING' => '',
+      }
+      middleware = described_class.new(nil)
+      status, headers, body = middleware.call(invalid_env)
+      expect(status).to eq(400)
+    end
+  end
+end

data/strict_request_uri.gemspec

@@ -0,0 +1,71 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+# stub: strict_request_uri 1.0.2 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "strict_request_uri"
+  s.version = "1.0.2"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Julik Tarkhanov"]
+  s.date = "2016-11-25"
+  s.description = "Reject Rack requests with an invalid URL"
+  s.email = "me@julik.nl"
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.md"
+  ]
+  s.files = [
+    ".document",
+    ".rspec",
+    ".travis.yml",
+    "Gemfile",
+    "LICENSE.txt",
+    "README.md",
+    "Rakefile",
+    "images/icon.png",
+    "images/strict_uri.png",
+    "lib/strict_request_uri.rb",
+    "spec/spec_helper.rb",
+    "spec/strict_request_uri_spec.rb",
+    "strict_request_uri.gemspec"
+  ]
+  s.homepage = "https://github.com/WeTransfer/strict_request_uri"
+  s.licenses = ["MIT"]
+  s.rubygems_version = "2.4.5.1"
+  s.summary = "and show an error page instead"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<rack>, ["~> 1"])
+      s.add_development_dependency(%q<gemfury>, [">= 0"])
+      s.add_development_dependency(%q<rspec>, ["~> 3.0"])
+      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 2.2.1"])
+      s.add_development_dependency(%q<simplecov>, [">= 0"])
+    else
+      s.add_dependency(%q<rack>, ["~> 1"])
+      s.add_dependency(%q<gemfury>, [">= 0"])
+      s.add_dependency(%q<rspec>, ["~> 3.0"])
+      s.add_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_dependency(%q<bundler>, ["~> 1.0"])
+      s.add_dependency(%q<jeweler>, ["~> 2.2.1"])
+      s.add_dependency(%q<simplecov>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<rack>, ["~> 1"])
+    s.add_dependency(%q<gemfury>, [">= 0"])
+    s.add_dependency(%q<rspec>, ["~> 3.0"])
+    s.add_dependency(%q<rdoc>, ["~> 3.12"])
+    s.add_dependency(%q<bundler>, ["~> 1.0"])
+    s.add_dependency(%q<jeweler>, ["~> 2.2.1"])
+    s.add_dependency(%q<simplecov>, [">= 0"])
+  end
+end
+

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification
+name: strict_request_uri
+version: !ruby/object:Gem::Version
+  version: 1.0.2
+platform: ruby
+authors:
+- Julik Tarkhanov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-11-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: gemfury
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: jeweler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Reject Rack requests with an invalid URL
+email: me@julik.nl
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+files:
+- ".document"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- images/icon.png
+- images/strict_uri.png
+- lib/strict_request_uri.rb
+- spec/spec_helper.rb
+- spec/strict_request_uri_spec.rb
+- strict_request_uri.gemspec
+homepage: https://github.com/WeTransfer/strict_request_uri
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: and show an error page instead
+test_files: []