subdomainbox 0.3.4 → 0.3.5

data/VERSION CHANGED
@@ -1 +1 @@
1
- 0.3.4
1
+ 0.3.5
@@ -0,0 +1,107 @@
1
+ module ActionController
2
+ class Base
3
+
4
+ class SubdomainboxDomainViolation < StandardError
5
+ end
6
+
7
+ def self.subdomainbox(box_definitions, options={})
8
+ prepend_before_filter(lambda { subdomainbox(box_definitions) }, options)
9
+ end
10
+
11
+ def self.remove_default_subdomainbox(options={})
12
+ prepend_before_filter(:remove_default_subdomainbox, options)
13
+ end
14
+
15
+ def self.default_subdomainbox(box_definitions)
16
+ before_filter(lambda { default_subdomainbox(box_definitions) }, {})
17
+ end
18
+
19
+ def subdomainbox(box_definitions)
20
+ @remove_default_subdomainbox = true
21
+ subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
22
+ subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
23
+ end
24
+
25
+ # for controllers that need to be accessed from many places, that don't need boxing
26
+ # protection, the default subdomain box can be removed (thereby allowing ajax calls
27
+ # from any subdomain)
28
+ #
29
+ def remove_default_subdomainbox
30
+ @remove_default_subdomainbox = true
31
+ end
32
+
33
+ # set up a default subdomain box for all controllers that won't get an explicit subdomain box
34
+ # this protects regular pages that don't get a dedicated subdomain box from being accessed
35
+ # from a subdomain boxed page
36
+ #
37
+ def default_subdomainbox(box_definitions)
38
+ subdomainbox(box_definitions) unless @remove_default_subdomainbox
39
+ end
40
+
41
+ private
42
+
43
+ def subdomainbox_no_subdomain_match!(box_definitions)
44
+ if request.format == 'text/html' && request.get?
45
+ flash[:alert] = flash.now[:alert]
46
+ flash[:notice] = flash.now[:notice]
47
+ flash[:info] = flash.now[:info]
48
+
49
+ allowed = subdomainbox_process_definitions(box_definitions)
50
+ default_definition = allowed.first
51
+ if default_definition.first == ''
52
+ redirect_to(request.protocol + request.domain + request.port_string + request.fullpath)
53
+ else
54
+ allowed_id_name = default_definition.pop
55
+ allowed_id_name = allowed_id_name if allowed_id_name
56
+ default_definition << params[allowed_id_name]
57
+ default_definition.compact!
58
+ default_definition.pop if default_definition.length == 2
59
+
60
+ redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)
61
+ end
62
+ else
63
+ raise SubdomainboxDomainViolation.new("subdomain box: #{box_definitions}\nrequest subdomain: #{request.subdomain}")
64
+ end
65
+ end
66
+
67
+ def subdomainbox_find_subdomain_match(box_definitions)
68
+ allowed = subdomainbox_process_definitions(box_definitions)
69
+ matches = allowed.collect do |allowed_subdomain, separator, allowed_id_name|
70
+ subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
71
+ end
72
+ matches.compact.first
73
+ end
74
+
75
+ def subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
76
+ return nil if allowed_subdomain == '' unless request.subdomain == ''
77
+ allowed_prefix = "#{allowed_subdomain}#{separator}"
78
+ return nil unless request.subdomain.index(allowed_prefix) == 0
79
+
80
+ id = request.subdomain[allowed_prefix.length..-1]
81
+ if allowed_id_name
82
+ return nil if id == ''
83
+ if params.keys.include?(allowed_id_name)
84
+ return nil unless id == params[allowed_id_name]
85
+ else
86
+ params[allowed_id_name] = id
87
+ end
88
+ else
89
+ return nil unless id == ''
90
+ end
91
+ [allowed_subdomain, separator, id]
92
+ end
93
+
94
+ def subdomainbox_process_definitions(box_definitions)
95
+ allowed = []
96
+ box_definitions = [box_definitions] unless box_definitions.is_a?(Array)
97
+ box_definitions.each do |definition|
98
+ discard, allowed_subdomain, separator, allowed_id_name = definition.match(/([^%]*?)(\.?)\%\{([^}]*)\}/).to_a
99
+ allowed_subdomain = definition if allowed_subdomain.nil?
100
+ allowed_id_name = allowed_id_name if allowed_id_name
101
+ allowed << [allowed_subdomain, separator, allowed_id_name]
102
+ end
103
+ allowed
104
+ end
105
+
106
+ end
107
+ end
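Review bot: In `subdomainbox_no_subdomain_match!`, the redirect host is assembled from `params[allowed_id_name]` with no check that the value is a single host label, so on an HTML GET a request parameter containing `/`, `.` or `@` is no longer confined to one subdomain of `request.domain` and the `redirect_to` target can leave the application's domain. Before `default_definition << params[allowed_id_name]` I would add `id_value = params[allowed_id_name]` and `raise SubdomainboxDomainViolation, "unsafe #{allowed_id_name} value" if id_value && id_value.to_s !~ /\A[a-z0-9-]+\z/i`, which keeps the existing nil/compact! handling and reuses the error the non-HTML branch already raises. The statement `allowed_id_name = allowed_id_name if allowed_id_name` appears both here and in `subdomainbox_process_definitions` and is a no-op; it reads like a leftover conversion and should be deleted. This 107-line hunk has no file header on the page; judging from the gemspec file list it is presumably the new `lib/subdomainbox/subdomainbox.rb`, but that is inferred.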
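--- a/data/lib/subdomainbox.rb
+++ b/data/lib/subdomainbox.rb
@@ -1,107 +1,2 @@
-module ActionController
-class Base
-
-class SubdomainboxDomainViolation < StandardError
-end
-
-def self.subdomainbox(box_definitions, options={})
-prepend_before_filter(lambda { subdomainbox(box_definitions) }, options)
-end
-
-def self.remove_default_subdomainbox(options={})
-prepend_before_filter(:remove_default_subdomainbox, options)
-end
-
-def self.default_subdomainbox(box_definitions)
-before_filter(lambda { default_subdomainbox(box_definitions) }, {})
-end
-
-def subdomainbox(box_definitions)
-@remove_default_subdomainbox = true
-subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
-subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
-end
-
-# for controllers that need to be accessed from many places, that don't need boxing
-# protection, the default subdomain box can be removed (thereby allowing ajax calls
-# from any subdomain)
-#
-def remove_default_subdomainbox
-@remove_default_subdomainbox = true
-end
-
-# set up a default subdomain box for all controllers that won't get an explicit subdomain box
-# this protects regular pages that don't get a dedicated subdomain box from being accessed
-# from a subdomain boxed page
-#
-def default_subdomainbox(box_definitions)
-subdomainbox(box_definitions) unless @remove_default_subdomainbox
-end
-
-private
-
-def subdomainbox_no_subdomain_match!(box_definitions)
-if request.format == 'text/html' && request.get?
-flash[:alert] = flash.now[:alert]
-flash[:notice] = flash.now[:notice]
-flash[:info] = flash.now[:info]
-
-allowed = subdomainbox_process_definitions(box_definitions)
-default_definition = allowed.first
-if default_definition.first == ''
-redirect_to(request.protocol + request.domain + request.port_string + request.fullpath)
-else
-allowed_id_name = default_definition.pop
-allowed_id_name = allowed_id_name if allowed_id_name
-default_definition << params[allowed_id_name]
-default_definition.compact!
-default_definition.pop if default_definition.length == 2
-
-redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)
-end
-else
-raise SubdomainboxDomainViolation.new("subdomain box: #{box_definitions}\nrequest subdomain: #{request.subdomain}")
-end
-end
-
-def subdomainbox_find_subdomain_match(box_definitions)
-allowed = subdomainbox_process_definitions(box_definitions)
-matches = allowed.collect do |allowed_subdomain, separator, allowed_id_name|
-subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
-end
-matches.compact.first
-end
-
-def subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
-return nil if allowed_subdomain == '' unless request.subdomain == ''
-allowed_prefix = "#{allowed_subdomain}#{separator}"
-return nil unless request.subdomain.index(allowed_prefix) == 0
-
-id = request.subdomain[allowed_prefix.length..-1]
-if allowed_id_name
-return nil if id == ''
-if params.keys.include?(allowed_id_name)
-return nil unless id == params[allowed_id_name]
-else
-params[allowed_id_name] = id
-end
-else
-return nil unless id == ''
-end
-[allowed_subdomain, separator, id]
-end
-
-def subdomainbox_process_definitions(box_definitions)
-allowed = []
-box_definitions = [box_definitions] unless box_definitions.is_a?(Array)
-box_definitions.each do |definition|
-discard, allowed_subdomain, separator, allowed_id_name = definition.match(/([^%]*?)(\.?)\%\{([^}]*)\}/).to_a
-allowed_subdomain = definition if allowed_subdomain.nil?
-allowed_id_name = allowed_id_name if allowed_id_name
-allowed << [allowed_subdomain, separator, allowed_id_name]
-end
-allowed
-end
-
-end
-end
+require 'subdomainbox/subdomainbox.rb'
+require 'subdomainbox/secure_xsrf_token.rb'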
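--- a/data/subdomainbox.gemspec
+++ b/data/subdomainbox.gemspec
@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
 s.name = "subdomainbox"
-s.version = "0.3.4"
+s.version = "0.3.5"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Daniel Nelson"]
-s.date = "2013-03-17"
+s.date = "2013-03-18"
 s.description = "use subdomains to prevent XSS from accessing your entire application if it should happen to be injected into some page in your app"
 s.email = "dnelson@centresource.com"
 s.extra_rdoc_files = [
@@ -27,8 +27,9 @@ Gem::Specification.new do |s|
 "Rakefile",
 "VERSION",
 "lib/generators/subdomainbox_generator.rb",
-"lib/secure_xsrf_token.rb",
 "lib/subdomainbox.rb",
+"lib/subdomainbox/secure_xsrf_token.rb",
+"lib/subdomainbox/subdomainbox.rb",
 "spec/secure_xsrf_token_spec.rb",
 "spec/spec_helper.rb",
 "spec/subdomainbox_spec.rb",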
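--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: subdomainbox
 version: !ruby/object:Gem::Version
-version: 0.3.4
+version: 0.3.5
 prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-17 00:00:00.000000000 Z
+date: 2013-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: uuidtools
-requirement: &2160198280 !ruby/object:Gem::Requirement
+requirement: &2156257140 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
 version: '0'
 type: :runtime
 prerelease: false
-version_requirements: *2160198280
+version_requirements: *2156257140
 - !ruby/object:Gem::Dependency
 name: rspec
-requirement: &2160196760 !ruby/object:Gem::Requirement
+requirement: &2156255820 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - =
@@ -32,10 +32,10 @@ dependencies:
 version: 2.10.0
 type: :development
 prerelease: false
-version_requirements: *2160196760
+version_requirements: *2156255820
 - !ruby/object:Gem::Dependency
 name: jeweler
-requirement: &2160193740 !ruby/object:Gem::Requirement
+requirement: &2155991220 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -43,10 +43,10 @@ dependencies:
 version: 1.8.4
 type: :development
 prerelease: false
-version_requirements: *2160193740
+version_requirements: *2155991220
 - !ruby/object:Gem::Dependency
 name: pry
-requirement: &2160192440 !ruby/object:Gem::Requirement
+requirement: &2155989560 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2160192440
+version_requirements: *2155989560
 - !ruby/object:Gem::Dependency
 name: pry-nav
-requirement: &2160212580 !ruby/object:Gem::Requirement
+requirement: &2155988340 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2160212580
+version_requirements: *2155988340
 - !ruby/object:Gem::Dependency
 name: pry-stack_explorer
-requirement: &2160211400 !ruby/object:Gem::Requirement
+requirement: &2155986300 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -76,7 +76,7 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2160211400
+version_requirements: *2155986300
 description: use subdomains to prevent XSS from accessing your entire application
 if it should happen to be injected into some page in your app
 email: dnelson@centresource.com
@@ -96,8 +96,9 @@ files:
 - Rakefile
 - VERSION
 - lib/generators/subdomainbox_generator.rb
-- lib/secure_xsrf_token.rb
 - lib/subdomainbox.rb
+- lib/subdomainbox/secure_xsrf_token.rb
+- lib/subdomainbox/subdomainbox.rb
 - spec/secure_xsrf_token_spec.rb
 - spec/spec_helper.rb
 - spec/subdomainbox_spec.rb
@@ -117,7 +118,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: 3532359577434066762
+hash: 4167418132178979479
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements: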