subdomainbox 0.3.3 → 0.3.4
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +1 -1
- data/VERSION +1 -1
- data/lib/subdomainbox.rb +22 -25
- data/spec/subdomainbox_spec.rb +10 -0
- data/subdomainbox.gemspec +2 -2
- metadata +15 -15
data/README.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
subdomainbox
|
|
2
2
|
============
|
|
3
3
|
|
|
4
|
-
Subdomain boxing was inspired by Egor Homakov's [post on pageboxing](http://homakov.blogspot.com/2013/02/pagebox-website-gatekeeper.html). Subdomain boxing limits the reach of any XSS attacks. If an attacker manages to insert javascript onto a page of your application, the javascript on that page will be unable to read data from or post data to any pages on different subdomains in your application. POST protection is achieved by creating a separate CSRF token for each subdomain. CSRF protection is also strengthened by changing the CSRF token based on session id.
|
|
4
|
+
Subdomain boxing was inspired by Egor Homakov's [post on pageboxing](http://homakov.blogspot.com/2013/02/pagebox-website-gatekeeper.html). Subdomain boxing limits the reach of any XSS attacks. If an attacker manages to insert javascript onto a page of your application, the javascript on that page will be unable to read data from or post data to any pages on different subdomains in your application. POST protection is achieved by creating a separate CSRF token for each subdomain. CSRF protection is also strengthened by changing the CSRF token based on session id (request.session_options[:id]).
|
|
5
5
|
|
|
6
6
|
The subdomainbox gem is simple to add even to existing Rails applications:
|
|
7
7
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.3.
|
|
1
|
+
0.3.4
|
data/lib/subdomainbox.rb
CHANGED
|
@@ -18,9 +18,8 @@ module ActionController
|
|
|
18
18
|
|
|
19
19
|
def subdomainbox(box_definitions)
|
|
20
20
|
@remove_default_subdomainbox = true
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
subdomainbox_no_subdomain_match!(allowed) if subdomain_match.nil?
|
|
21
|
+
subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
|
|
22
|
+
subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
|
|
24
23
|
end
|
|
25
24
|
|
|
26
25
|
# for controllers that need to be accessed from many places, that don't need boxing
|
|
@@ -41,34 +40,32 @@ module ActionController
|
|
|
41
40
|
|
|
42
41
|
private
|
|
43
42
|
|
|
44
|
-
def subdomainbox_no_subdomain_match!(
|
|
45
|
-
if request.format == 'text/html'
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
else
|
|
55
|
-
allowed_id_name = default_definition.pop
|
|
56
|
-
allowed_id_name = allowed_id_name if allowed_id_name
|
|
57
|
-
default_definition << params[allowed_id_name]
|
|
58
|
-
default_definition.compact!
|
|
59
|
-
default_definition.pop if default_definition.length == 2
|
|
60
|
-
|
|
61
|
-
redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)
|
|
62
|
-
end
|
|
43
|
+
def subdomainbox_no_subdomain_match!(box_definitions)
|
|
44
|
+
if request.format == 'text/html' && request.get?
|
|
45
|
+
flash[:alert] = flash.now[:alert]
|
|
46
|
+
flash[:notice] = flash.now[:notice]
|
|
47
|
+
flash[:info] = flash.now[:info]
|
|
48
|
+
|
|
49
|
+
allowed = subdomainbox_process_definitions(box_definitions)
|
|
50
|
+
default_definition = allowed.first
|
|
51
|
+
if default_definition.first == ''
|
|
52
|
+
redirect_to(request.protocol + request.domain + request.port_string + request.fullpath)
|
|
63
53
|
else
|
|
64
|
-
|
|
54
|
+
allowed_id_name = default_definition.pop
|
|
55
|
+
allowed_id_name = allowed_id_name if allowed_id_name
|
|
56
|
+
default_definition << params[allowed_id_name]
|
|
57
|
+
default_definition.compact!
|
|
58
|
+
default_definition.pop if default_definition.length == 2
|
|
59
|
+
|
|
60
|
+
redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)
|
|
65
61
|
end
|
|
66
62
|
else
|
|
67
|
-
raise SubdomainboxDomainViolation.new
|
|
63
|
+
raise SubdomainboxDomainViolation.new("subdomain box: #{box_definitions}\nrequest subdomain: #{request.subdomain}")
|
|
68
64
|
end
|
|
69
65
|
end
|
|
70
66
|
|
|
71
|
-
def subdomainbox_find_subdomain_match(
|
|
67
|
+
def subdomainbox_find_subdomain_match(box_definitions)
|
|
68
|
+
allowed = subdomainbox_process_definitions(box_definitions)
|
|
72
69
|
matches = allowed.collect do |allowed_subdomain, separator, allowed_id_name|
|
|
73
70
|
subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
|
|
74
71
|
end
|
data/spec/subdomainbox_spec.rb
CHANGED
|
@@ -297,6 +297,16 @@ describe ActionController::Base do
|
|
|
297
297
|
controller.subdomainbox(['activities', 'pets'])
|
|
298
298
|
}.should raise_error(ActionController::Base::SubdomainboxDomainViolation)
|
|
299
299
|
end
|
|
300
|
+
|
|
301
|
+
it "the exception message should indicate the allowed and the requested subdomains" do
|
|
302
|
+
request.stub(:subdomain).and_return('houses.abc')
|
|
303
|
+
begin
|
|
304
|
+
controller.subdomainbox(['activities', 'pets'])
|
|
305
|
+
rescue ActionController::Base::SubdomainboxDomainViolation => e
|
|
306
|
+
e.message.should include('["activities", "pets"]')
|
|
307
|
+
e.message.should include('houses.abc')
|
|
308
|
+
end
|
|
309
|
+
end
|
|
300
310
|
end
|
|
301
311
|
end
|
|
302
312
|
|
data/subdomainbox.gemspec
CHANGED
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = "subdomainbox"
|
|
8
|
-
s.version = "0.3.
|
|
8
|
+
s.version = "0.3.4"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["Daniel Nelson"]
|
|
12
|
-
s.date = "2013-03-
|
|
12
|
+
s.date = "2013-03-17"
|
|
13
13
|
s.description = "use subdomains to prevent XSS from accessing your entire application if it should happen to be injected into some page in your app"
|
|
14
14
|
s.email = "dnelson@centresource.com"
|
|
15
15
|
s.extra_rdoc_files = [
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: subdomainbox
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.4
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,11 +9,11 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-03-
|
|
12
|
+
date: 2013-03-17 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: uuidtools
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &2160198280 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ! '>='
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: '0'
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *2160198280
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: rspec
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &2160196760 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - =
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: 2.10.0
|
|
33
33
|
type: :development
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *2160196760
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: jeweler
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &2160193740 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ~>
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: 1.8.4
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *2160193740
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: pry
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &2160192440 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ! '>='
|
|
@@ -54,10 +54,10 @@ dependencies:
|
|
|
54
54
|
version: '0'
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *2160192440
|
|
58
58
|
- !ruby/object:Gem::Dependency
|
|
59
59
|
name: pry-nav
|
|
60
|
-
requirement: &
|
|
60
|
+
requirement: &2160212580 !ruby/object:Gem::Requirement
|
|
61
61
|
none: false
|
|
62
62
|
requirements:
|
|
63
63
|
- - ! '>='
|
|
@@ -65,10 +65,10 @@ dependencies:
|
|
|
65
65
|
version: '0'
|
|
66
66
|
type: :development
|
|
67
67
|
prerelease: false
|
|
68
|
-
version_requirements: *
|
|
68
|
+
version_requirements: *2160212580
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: pry-stack_explorer
|
|
71
|
-
requirement: &
|
|
71
|
+
requirement: &2160211400 !ruby/object:Gem::Requirement
|
|
72
72
|
none: false
|
|
73
73
|
requirements:
|
|
74
74
|
- - ! '>='
|
|
@@ -76,7 +76,7 @@ dependencies:
|
|
|
76
76
|
version: '0'
|
|
77
77
|
type: :development
|
|
78
78
|
prerelease: false
|
|
79
|
-
version_requirements: *
|
|
79
|
+
version_requirements: *2160211400
|
|
80
80
|
description: use subdomains to prevent XSS from accessing your entire application
|
|
81
81
|
if it should happen to be injected into some page in your app
|
|
82
82
|
email: dnelson@centresource.com
|
|
@@ -117,7 +117,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
117
117
|
version: '0'
|
|
118
118
|
segments:
|
|
119
119
|
- 0
|
|
120
|
-
hash:
|
|
120
|
+
hash: 3532359577434066762
|
|
121
121
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
122
122
|
none: false
|
|
123
123
|
requirements:
|