unicorn-lockdown 1.1.0 → 1.3.0
- checksums.yaml +4 -4
- data/CHANGELOG +18 -0
- data/files/rc.unicorn +3 -11
- data/files/rc.unicorn.71 +21 -0
- data/files/unicorn_lockdown_add.rb +8 -4
- data/files/unicorn_lockdown_setup.rb +5 -1
- data/lib/unicorn-lockdown.rb +6 -3
- data/lib/unveiler.rb +28 -6
- metadata +8 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 1d6578be3b39fdc48fdc0acaab810ef3029bc4e3f6484ecd3585d8dbf5b11d67
|
4
|
+
data.tar.gz: 6e7f7ceff3497829eb86504d03c2cf243a331ced69331da2c8d18ec518366ff9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 171877502073283aaefaf6724065ea3057dca70c6bc2e84363c093c57be916421b72d631b54e52aaed2ad4a332b31ac07d8560307efda170372458f4e7d27331
|
7
|
+
data.tar.gz: 357794d05df3022e0511b20db4dc72b6021e176b217b085959fdf8bce4eada097dca3a41c80576c312ddd54c640329decda5a6402a09b1d3481d4a4d4bbe9bdb
|
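--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,21 @@
+= 1.3.0 (2024-05-22)
+
+* Eagerly require strscan to avoid issues if it is lazy loaded by rack's multipart parser (jeremyevans)
+
+* Avoid string literal modifications to avoid warnings on Ruby 3.4 (jeremyevans)
+
+* Remove X-XSS-Protection from generated nginx files, as MDN now recommends against it (jeremyevans)
+
+= 1.2.0 (2022-11-16)
+
+* Remove access_log format from generated nginx configurations (jeremyevans)
+
+* Create and unveil the coverage directory when using SimpleCov with Unveiler (jeremyevans)
+
+* Add getpw to default master_execpledge, necessary on OpenBSD 7.2+ (jeremyevans)
+
+* Support OpenBSD 7.2 daemon_execdir for setting directory (jeremyevans)
+
 = 1.1.0 (2022-07-18)
 
 * Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)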
data/files/rc.unicorn
CHANGED
@@ -2,20 +2,12 @@
|
|
2
2
|
|
3
3
|
daemon="/usr/local/bin/unicorn"
|
4
4
|
daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
|
5
|
-
|
6
|
-
[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
|
7
|
-
[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
|
5
|
+
rc_stop_signal=QUIT
|
8
6
|
|
9
7
|
. /etc/rc.d/rc.subr
|
10
8
|
|
11
9
|
pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
|
12
|
-
|
13
|
-
|
14
|
-
${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
|
15
|
-
}
|
16
|
-
|
17
|
-
rc_stop() {
|
18
|
-
pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
|
19
|
-
}
|
10
|
+
[ -n "${daemon_execdir}" ] || _rc_err "$0: daemon_execdir is not set"
|
11
|
+
[ -n "${unicorn_app}" ] || _rc_err "$0: unicorn_app is not set"
|
20
12
|
|
21
13
|
rc_cmd $1
|
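Review bot: The two checks added at the end of the hunk only verify that daemon_execdir and unicorn_app are non-empty, yet unicorn_app is also interpolated unescaped into the `pexp` regex that, after the removal of the local rc_stop and the new `rc_stop_signal=QUIT`, is presumably handed to rc.subr's default stop routine and its `pkill -xf`; a name containing regex metacharacters such as `.` or `|` widens which processes receive QUIT. Restricting the value to a safe character set right after the non-empty check, e.g. `case "${unicorn_app}" in *[!A-Za-z0-9_-]*) _rc_err "$0: unicorn_app contains invalid characters";; esac`, keeps the kill tied to this daemon. The check also runs after `pexp` has already been built from the variable, which is harmless only because pexp is a plain string at that point; moving the checks above the pexp line would read more naturally. That rc.subr's built-in rc_stop uses pexp this way is inferred from the 7.2+ rc.subr, not visible here.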
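--- a/data/files/rc.unicorn.71
+++ b/data/files/rc.unicorn.71
@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+
+. /etc/rc.d/rc.subr
+
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+
+rc_start() {
+${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+
+rc_stop() {
+pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
+}
+
+rc_cmd $1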
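Review bot: The `rc_err` calls on lines 6 and 7 of the new file run before `. /etc/rc.d/rc.subr` is sourced and nothing earlier in the file defines `rc_err`, so a missing unicorn_dir or unicorn_app prints a "not found" error for rc_err itself and the script carries on into rc_cmd with the empty value instead of aborting. This file is the old rc.unicorn preserved for releases before 7.2, so the behaviour is inherited, but the 7.2+ rc.unicorn in this same release already fixes it by placing the checks after the rc.subr line and calling `_rc_err`; mirroring that here, `[ -n "${unicorn_dir}" ] || _rc_err "$0: unicorn_dir is not set"` and the matching unicorn_app line below the source line, makes the guard actually stop the script. Whether 7.1's rc.subr exposes `_rc_err` under that name should be confirmed against that release before relying on it.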
@@ -146,7 +146,7 @@ Unicorn.lockdown(self,
|
|
146
146
|
# More pledges may be needed depending on application
|
147
147
|
:pledge=>'rpath prot_exec inet unix flock',
|
148
148
|
:master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
|
149
|
-
:master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
|
149
|
+
:master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock getpw',
|
150
150
|
|
151
151
|
# More unveils may be needed depending on application
|
152
152
|
:unveil=>{
|
@@ -169,7 +169,7 @@ upstream #{app}_unicorn {
|
|
169
169
|
}
|
170
170
|
server {
|
171
171
|
server_name #{app};
|
172
|
-
access_log #{nginx_access_log_file}
|
172
|
+
access_log #{nginx_access_log_file};
|
173
173
|
error_log #{nginx_error_log_file} warn;
|
174
174
|
root #{dir}/public;
|
175
175
|
error_page 500 503 /500.html;
|
@@ -180,7 +180,6 @@ server {
|
|
180
180
|
proxy_redirect off;
|
181
181
|
add_header X-Content-Type-Options nosniff;
|
182
182
|
add_header X-Frame-Options deny;
|
183
|
-
add_header X-XSS-Protection "1; mode=block";
|
184
183
|
try_files $uri @#{app}_unicorn;
|
185
184
|
location @#{app}_unicorn {
|
186
185
|
proxy_pass http://#{app}_unicorn;
|
@@ -212,12 +211,17 @@ end
|
|
212
211
|
# Setup /etc/rc.d/unicorn_* file for daemon management
|
213
212
|
unless File.file?(rc_file)
|
214
213
|
puts "Creating #{rc_file}"
|
214
|
+
|
215
|
+
# :nocov:
|
216
|
+
dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'
|
217
|
+
# :nocov:
|
218
|
+
|
215
219
|
File.binwrite(rc_file, <<END)
|
216
220
|
#!/bin/ksh
|
217
221
|
|
218
222
|
daemon_user=#{user}
|
223
|
+
#{dir_var}=#{dir}
|
219
224
|
unicorn_app=#{app}
|
220
|
-
unicorn_dir=#{dir}
|
221
225
|
#{unicorn}#{rackup}
|
222
226
|
. /etc/rc.d/rc.unicorn
|
223
227
|
END
|
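Review bot: `dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'` in the last hunk compares the raw uname output as a string, so the test is lexicographic: it is right for 7.2 through 7.9, but a release string such as "7.10" or "10.0" sorts below "7.2" and would silently emit the pre-7.2 `unicorn_dir` variable into the generated rc file, which the newer rc.subr presumably ignores, leaving the daemon to start from the wrong directory. A numeric comparison is as short, e.g. `old_rc = (`/usr/bin/uname -r`.split('.').map(&:to_i) <=> [7, 2]) < 0` followed by `dir_var = old_rc ? 'unicorn_dir' : 'daemon_execdir'`. The same expression appears in unicorn_lockdown_setup.rb, so one shared helper would keep the two in step. These hunks carry no file header in this rendering; the path is inferred from the diffstat.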
@@ -68,7 +68,11 @@ end
|
|
68
68
|
# Setup rc.unicorn file
|
69
69
|
unless File.file?(rc_unicorn_file)
|
70
70
|
puts "Creating #{rc_unicorn_file}"
|
71
|
-
|
71
|
+
filename = File.join(File.dirname(__dir__), 'files', 'rc.unicorn')
|
72
|
+
# :nocov:
|
73
|
+
filename << ".71" if `/usr/bin/uname -r` < '7.2'
|
74
|
+
# :nocov:
|
75
|
+
File.binwrite(rc_unicorn_file, File.binread(filename))
|
72
76
|
File.chmod(0644, rc_unicorn_file)
|
73
77
|
chown.(root_id, root_id, rc_unicorn_file)
|
74
78
|
end
|
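Review bot: `filename << ".71" if `/usr/bin/uname -r` < '7.2'` is a lexicographic string comparison, so a future release string like "7.10" would wrongly select the pre-7.2 template; comparing the parsed components, `filename << ".71" if (`/usr/bin/uname -r`.split('.').map(&:to_i) <=> [7, 2]) < 0`, costs nothing and survives that. Separately, the template path is built from `__dir__` and read with `File.binread` with no existence check, so a missing or misnamed template raises a bare Errno::ENOENT after the "Creating" line has already been printed; `abort "template #{filename} not found" unless File.file?(filename)` before the binwrite gives a clearer failure and avoids touching the root-owned rc file at all in that case. The `<<` on the File.join result is fine, since that is a fresh string rather than a literal.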
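--- a/data/lib/unicorn-lockdown.rb
+++ b/data/lib/unicorn-lockdown.rb
@@ -8,10 +8,13 @@
 require 'pledge'
 require 'unveil'
 
+# Eagerly require strscan, lazily loaded by rack's multipart parser
+require 'strscan'
+
 # Load common encodings
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
+"\255".dup.force_encoding('ISO8859-1').encode('UTF-8')
+''.dup.force_encoding('UTF-16LE')
+''.dup.force_encoding('UTF-16BE')
 
 class Unicorn::HttpServer
 # The file name in which to store request information.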
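Review bot: The comment on the new `require 'strscan'` says what is loaded but not why it must happen now: the gem runs the server under pledge/unveil (per its summary), so a require that first fires inside a multipart request would try to open strscan's extension after the filesystem view has been narrowed, which is presumably the failure the CHANGELOG entry alludes to. I would make that explicit, e.g. `# Eagerly require strscan (rack's multipart parser loads it lazily) so the extension is already loaded before unveil/pledge restrict what can be opened.` The `"\255".dup...` lines deserve the same treatment: the `.dup` is there for the Ruby 3.4 frozen string literal warnings named in the CHANGELOG, and the purpose of the throwaway encode and force_encoding calls (warming the transcoding tables up front, if that is what they are for) is stated nowhere in the file. Without it the next maintainer is likely to delete three apparently dead statements.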
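--- a/data/lib/unveiler.rb
+++ b/data/lib/unveiler.rb
@@ -1,10 +1,13 @@
 require 'pledge'
 require 'unveil'
 
+# Eagerly require strscan, lazily loaded by rack's multipart parser
+require 'strscan'
+
 # Load encodings
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
+"\255".dup.force_encoding('ISO8859-1').encode('UTF-8')
+''.dup.force_encoding('UTF-16LE')
+''.dup.force_encoding('UTF-16BE')
 
 # Don't run external diff program for failures
 Minitest::Assertions.diff = false if defined?(Minitest::Assertions)
@@ -27,16 +30,35 @@ module Unveiler
 end
 end
 
-Pledge.unveil(unveil)
-
 # :nocov:
 if defined?(SimpleCov)
 # :nocov:
-# If running coverage tests, add necessary pledges for
+# If running coverage tests, add necessary pledges and unveils for
 # coverage testing to work.
+dir = SimpleCov.coverage_dir
+unveil[dir] = 'rwc'
+
+# Unveil read access to the entire current directory, since any part
+# that has covered code needs to be read to generate the coverage
+# information.
+unveil['.'] = 'r'
+
+if defined?(Gem)
+# Unveil access to the simplecov-html gem, since that is used by default
+# to build the coverage pages.
+unveil['simplecov-html'] = :gem
+end
+
+# :nocov:
+# Must create directory before attempting to unveil it.
+# When running unveiler tests, the coverage directory is already created.
+Dir.mkdir(dir) unless File.directory?(dir)
+# :nocov:
+
 pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
 end
 
+Pledge.unveil(unveil)
 Pledge.pledge(pledge)
 end
 end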
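Review bot: `Dir.mkdir(dir) unless File.directory?(dir)` in the SimpleCov branch creates a single level, so if `SimpleCov.coverage_dir` has been configured to a nested path whose parent does not yet exist the call raises Errno::ENOENT before `Pledge.unveil` is ever reached; since this branch only runs in a coverage test process, `FileUtils.mkdir_p(dir)` with `require 'fileutils'` placed above the unveil call, or a rescue that reports the path, would cover that. The new `unveil[dir] = 'rwc'` and `unveil['.'] = 'r'` also mutate what appears to be the caller-supplied hash and deliberately widen the sandbox to read the entire working directory, including any secrets that live there; a comment stating that this widening is confined to processes that have SimpleCov loaded and is never expected in a deployed server would make the security trade-off explicit for the next reader. The method whose `unveil` and `pledge` parameters these are starts above the hunk, so the ownership of that hash is inferred rather than visible.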
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: unicorn-lockdown
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jeremy Evans
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-05-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: pledge
|
@@ -94,7 +94,7 @@ dependencies:
|
|
94
94
|
- - ">="
|
95
95
|
- !ruby/object:Gem::Version
|
96
96
|
version: '0'
|
97
|
-
description:
|
97
|
+
description:
|
98
98
|
email: code@jeremyevans.net
|
99
99
|
executables:
|
100
100
|
- unicorn-lockdown-add
|
@@ -108,6 +108,7 @@ files:
|
|
108
108
|
- bin/unicorn-lockdown-add
|
109
109
|
- bin/unicorn-lockdown-setup
|
110
110
|
- files/rc.unicorn
|
111
|
+
- files/rc.unicorn.71
|
111
112
|
- files/unicorn_lockdown_add.rb
|
112
113
|
- files/unicorn_lockdown_setup.rb
|
113
114
|
- lib/rack/email_exceptions.rb
|
@@ -122,7 +123,7 @@ metadata:
|
|
122
123
|
changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
|
123
124
|
mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
|
124
125
|
source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
|
125
|
-
post_install_message:
|
126
|
+
post_install_message:
|
126
127
|
rdoc_options: []
|
127
128
|
require_paths:
|
128
129
|
- lib
|
@@ -137,8 +138,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
137
138
|
- !ruby/object:Gem::Version
|
138
139
|
version: '0'
|
139
140
|
requirements: []
|
140
|
-
rubygems_version: 3.
|
141
|
-
signing_key:
|
141
|
+
rubygems_version: 3.5.9
|
142
|
+
signing_key:
|
142
143
|
specification_version: 4
|
143
144
|
summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
|
144
145
|
test_files: []
|