subdomainbox 0.3.4 → 0.3.5

data/VERSION CHANGED
@@ -1 +1 @@
1
- 0.3.4
1
+ 0.3.5
@@ -0,0 +1,107 @@
1
+ module ActionController
2
+ class Base
3
+
4
+ class SubdomainboxDomainViolation < StandardError
5
+ end
6
+
7
+ def self.subdomainbox(box_definitions, options={})
8
+ prepend_before_filter(lambda { subdomainbox(box_definitions) }, options)
9
+ end
10
+
11
+ def self.remove_default_subdomainbox(options={})
12
+ prepend_before_filter(:remove_default_subdomainbox, options)
13
+ end
14
+
15
+ def self.default_subdomainbox(box_definitions)
16
+ before_filter(lambda { default_subdomainbox(box_definitions) }, {})
17
+ end
18
+
19
+ def subdomainbox(box_definitions)
20
+ @remove_default_subdomainbox = true
21
+ subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
22
+ subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
23
+ end
24
+
25
+ # for controllers that need to be accessed from many places, that don't need boxing
26
+ # protection, the default subdomain box can be removed (thereby allowing ajax calls
27
+ # from any subdomain)
28
+ #
29
+ def remove_default_subdomainbox
30
+ @remove_default_subdomainbox = true
31
+ end
32
+
33
+ # set up a default subdomain box for all controllers that won't get an explicit subdomain box
34
+ # this protects regular pages that don't get a dedicated subdomain box from being accessed
35
+ # from a subdomain boxed page
36
+ #
37
+ def default_subdomainbox(box_definitions)
38
+ subdomainbox(box_definitions) unless @remove_default_subdomainbox
39
+ end
40
+
41
+ private
42
+
43
+ def subdomainbox_no_subdomain_match!(box_definitions)
44
+ if request.format == 'text/html' && request.get?
45
+ flash[:alert] = flash.now[:alert]
46
+ flash[:notice] = flash.now[:notice]
47
+ flash[:info] = flash.now[:info]
48
+
49
+ allowed = subdomainbox_process_definitions(box_definitions)
50
+ default_definition = allowed.first
51
+ if default_definition.first == ''
52
+ redirect_to(request.protocol + request.domain + request.port_string + request.fullpath)
53
+ else
54
+ allowed_id_name = default_definition.pop
55
+ allowed_id_name = allowed_id_name if allowed_id_name
56
+ default_definition << params[allowed_id_name]
57
+ default_definition.compact!
58
+ default_definition.pop if default_definition.length == 2
59
+
60
+ redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)
61
+ end
62
+ else
63
+ raise SubdomainboxDomainViolation.new("subdomain box: #{box_definitions}\nrequest subdomain: #{request.subdomain}")
64
+ end
65
+ end
66
+
67
+ def subdomainbox_find_subdomain_match(box_definitions)
68
+ allowed = subdomainbox_process_definitions(box_definitions)
69
+ matches = allowed.collect do |allowed_subdomain, separator, allowed_id_name|
70
+ subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
71
+ end
72
+ matches.compact.first
73
+ end
74
+
75
+ def subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
76
+ return nil if allowed_subdomain == '' unless request.subdomain == ''
77
+ allowed_prefix = "#{allowed_subdomain}#{separator}"
78
+ return nil unless request.subdomain.index(allowed_prefix) == 0
79
+
80
+ id = request.subdomain[allowed_prefix.length..-1]
81
+ if allowed_id_name
82
+ return nil if id == ''
83
+ if params.keys.include?(allowed_id_name)
84
+ return nil unless id == params[allowed_id_name]
85
+ else
86
+ params[allowed_id_name] = id
87
+ end
88
+ else
89
+ return nil unless id == ''
90
+ end
91
+ [allowed_subdomain, separator, id]
92
+ end
93
+
94
+ def subdomainbox_process_definitions(box_definitions)
95
+ allowed = []
96
+ box_definitions = [box_definitions] unless box_definitions.is_a?(Array)
97
+ box_definitions.each do |definition|
98
+ discard, allowed_subdomain, separator, allowed_id_name = definition.match(/([^%]*?)(\.?)\%\{([^}]*)\}/).to_a
99
+ allowed_subdomain = definition if allowed_subdomain.nil?
100
+ allowed_id_name = allowed_id_name if allowed_id_name
101
+ allowed << [allowed_subdomain, separator, allowed_id_name]
102
+ end
103
+ allowed
104
+ end
105
+
106
+ end
107
+ end
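Review bot: In `subdomainbox_no_subdomain_match!` the redirect target is assembled from `params[allowed_id_name]` without checking that the value is a single host label, so a request that fails the box check can influence the redirect host through that parameter (`default_definition << params[allowed_id_name]` feeds `redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)`). That value comes from the query/body rather than from the verified subdomain, so it should be validated before it is joined into the URL, e.g. replace the no-op line `allowed_id_name = allowed_id_name if allowed_id_name` with `id = params[allowed_id_name]` followed by `raise SubdomainboxDomainViolation, "invalid id: #{id.inspect}" unless id.nil? || id.to_s =~ /\A[a-z0-9-]+\z/i`, and append `id` instead of re-reading params. The same no-op self-assignment appears in `subdomainbox_process_definitions` and can simply be dropped. This hunk carries no file header on the page; judging from the gemspec changes it appears to be the new `lib/subdomainbox/subdomainbox.rb`, and a short comment above `def self.subdomainbox` explaining the `"prefix.%{param_name}"` definition form that the regex in `subdomainbox_process_definitions` parses would help callers.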
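--- a/data/lib/subdomainbox.rb
+++ b/data/lib/subdomainbox.rb
@@ -1,107 +1,2 @@
-module ActionController
-class Base
-
-class SubdomainboxDomainViolation < StandardError
-end
-
-def self.subdomainbox(box_definitions, options={})
-prepend_before_filter(lambda { subdomainbox(box_definitions) }, options)
-end
-
-def self.remove_default_subdomainbox(options={})
-prepend_before_filter(:remove_default_subdomainbox, options)
-end
-
-def self.default_subdomainbox(box_definitions)
-before_filter(lambda { default_subdomainbox(box_definitions) }, {})
-end
-
-def subdomainbox(box_definitions)
-@remove_default_subdomainbox = true
-subdomain_match = subdomainbox_find_subdomain_match(box_definitions)
-subdomainbox_no_subdomain_match!(box_definitions) if subdomain_match.nil?
-end
-
-# for controllers that need to be accessed from many places, that don't need boxing
-# protection, the default subdomain box can be removed (thereby allowing ajax calls
-# from any subdomain)
-#
-def remove_default_subdomainbox
-@remove_default_subdomainbox = true
-end
-
-# set up a default subdomain box for all controllers that won't get an explicit subdomain box
-# this protects regular pages that don't get a dedicated subdomain box from being accessed
-# from a subdomain boxed page
-#
-def default_subdomainbox(box_definitions)
-subdomainbox(box_definitions) unless @remove_default_subdomainbox
-end
-
-private
-
-def subdomainbox_no_subdomain_match!(box_definitions)
-if request.format == 'text/html' && request.get?
-flash[:alert] = flash.now[:alert]
-flash[:notice] = flash.now[:notice]
-flash[:info] = flash.now[:info]
-
-allowed = subdomainbox_process_definitions(box_definitions)
-default_definition = allowed.first
-if default_definition.first == ''
-redirect_to(request.protocol + request.domain + request.port_string + request.fullpath)
-else
-allowed_id_name = default_definition.pop
-allowed_id_name = allowed_id_name if allowed_id_name
-default_definition << params[allowed_id_name]
-default_definition.compact!
-default_definition.pop if default_definition.length == 2
-
-redirect_to(request.protocol + default_definition.join + '.' + request.domain + request.port_string + request.fullpath)
-end
-else
-raise SubdomainboxDomainViolation.new("subdomain box: #{box_definitions}\nrequest subdomain: #{request.subdomain}")
-end
-end
-
-def subdomainbox_find_subdomain_match(box_definitions)
-allowed = subdomainbox_process_definitions(box_definitions)
-matches = allowed.collect do |allowed_subdomain, separator, allowed_id_name|
-subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
-end
-matches.compact.first
-end
-
-def subdomainbox_check_subdomain(allowed_subdomain, separator, allowed_id_name)
-return nil if allowed_subdomain == '' unless request.subdomain == ''
-allowed_prefix = "#{allowed_subdomain}#{separator}"
-return nil unless request.subdomain.index(allowed_prefix) == 0
-
-id = request.subdomain[allowed_prefix.length..-1]
-if allowed_id_name
-return nil if id == ''
-if params.keys.include?(allowed_id_name)
-return nil unless id == params[allowed_id_name]
-else
-params[allowed_id_name] = id
-end
-else
-return nil unless id == ''
-end
-[allowed_subdomain, separator, id]
-end
-
-def subdomainbox_process_definitions(box_definitions)
-allowed = []
-box_definitions = [box_definitions] unless box_definitions.is_a?(Array)
-box_definitions.each do |definition|
-discard, allowed_subdomain, separator, allowed_id_name = definition.match(/([^%]*?)(\.?)\%\{([^}]*)\}/).to_a
-allowed_subdomain = definition if allowed_subdomain.nil?
-allowed_id_name = allowed_id_name if allowed_id_name
-allowed << [allowed_subdomain, separator, allowed_id_name]
-end
-allowed
-end
-
-end
-end
+require 'subdomainbox/subdomainbox.rb'
+require 'subdomainbox/secure_xsrf_token.rb'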
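--- a/data/subdomainbox.gemspec
+++ b/data/subdomainbox.gemspec
@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
 s.name = "subdomainbox"
-s.version = "0.3.4"
+s.version = "0.3.5"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Daniel Nelson"]
-s.date = "2013-03-17"
+s.date = "2013-03-18"
 s.description = "use subdomains to prevent XSS from accessing your entire application if it should happen to be injected into some page in your app"
 s.email = "dnelson@centresource.com"
 s.extra_rdoc_files = [
@@ -27,8 +27,9 @@ Gem::Specification.new do |s|
 "Rakefile",
 "VERSION",
 "lib/generators/subdomainbox_generator.rb",
-"lib/secure_xsrf_token.rb",
 "lib/subdomainbox.rb",
+"lib/subdomainbox/secure_xsrf_token.rb",
+"lib/subdomainbox/subdomainbox.rb",
 "spec/secure_xsrf_token_spec.rb",
 "spec/spec_helper.rb",
 "spec/subdomainbox_spec.rb",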
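--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: subdomainbox
 version: !ruby/object:Gem::Version
-version: 0.3.4
+version: 0.3.5
 prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-17 00:00:00.000000000 Z
+date: 2013-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: uuidtools
-requirement: &2160198280 !ruby/object:Gem::Requirement
+requirement: &2156257140 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
 version: '0'
 type: :runtime
 prerelease: false
-version_requirements: *2160198280
+version_requirements: *2156257140
 - !ruby/object:Gem::Dependency
 name: rspec
-requirement: &2160196760 !ruby/object:Gem::Requirement
+requirement: &2156255820 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - =
@@ -32,10 +32,10 @@ dependencies:
 version: 2.10.0
 type: :development
 prerelease: false
-version_requirements: *2160196760
+version_requirements: *2156255820
 - !ruby/object:Gem::Dependency
 name: jeweler
-requirement: &2160193740 !ruby/object:Gem::Requirement
+requirement: &2155991220 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ~>
@@ -43,10 +43,10 @@ dependencies:
 version: 1.8.4
 type: :development
 prerelease: false
-version_requirements: *2160193740
+version_requirements: *2155991220
 - !ruby/object:Gem::Dependency
 name: pry
-requirement: &2160192440 !ruby/object:Gem::Requirement
+requirement: &2155989560 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2160192440
+version_requirements: *2155989560
 - !ruby/object:Gem::Dependency
 name: pry-nav
-requirement: &2160212580 !ruby/object:Gem::Requirement
+requirement: &2155988340 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2160212580
+version_requirements: *2155988340
 - !ruby/object:Gem::Dependency
 name: pry-stack_explorer
-requirement: &2160211400 !ruby/object:Gem::Requirement
+requirement: &2155986300 !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -76,7 +76,7 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements: *2160211400
+version_requirements: *2155986300
 description: use subdomains to prevent XSS from accessing your entire application
 if it should happen to be injected into some page in your app
 email: dnelson@centresource.com
@@ -96,8 +96,9 @@ files:
 - Rakefile
 - VERSION
 - lib/generators/subdomainbox_generator.rb
-- lib/secure_xsrf_token.rb
 - lib/subdomainbox.rb
+- lib/subdomainbox/secure_xsrf_token.rb
+- lib/subdomainbox/subdomainbox.rb
 - spec/secure_xsrf_token_spec.rb
 - spec/spec_helper.rb
 - spec/subdomainbox_spec.rb
@@ -117,7 +118,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: 3532359577434066762
+hash: 4167418132178979479
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements: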