RubyGems - wafris - Versions diffs - 2.0.0 → 2.0.1 - Mend

wafris 2.0.0 → 2.0.1

Files changed (8) hide show

checksums.yaml +4 -4
data/lib/wafris/ip_resolver.rb +30 -0
data/lib/wafris/middleware.rb +18 -55
data/lib/wafris/proxy_filter.rb +24 -0
data/lib/wafris/version.rb +1 -1
data/lib/wafris/wafris_request.rb +33 -0
data/lib/wafris.rb +3 -2
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0dfe47e533d91f974d391af755f1bd8e148808cbfe86dd6755b839201282b47
-  data.tar.gz: bd7135922d96fa7789cc65dbd47635c4b1e84a4e7b27a6b4dde5a1a00cc15ac8
+  metadata.gz: 856e806ccf66f3810f2395de0062e005940bb8c06f66987b8ec3670126fb9dac
+  data.tar.gz: 24278b15cb5178ac90cce1cfdd35769d508cca5dd21fb655f79a23629c18ab91
 SHA512:
-  metadata.gz: 0c1e66690ca97e6f9a9349f1960f92f5376175660bebc9a172eabe849af6806d4c5f278f1765a22b36ce75797a757bf9cb3719a58446aaa5fa8fe0356c348cf0
-  data.tar.gz: 35a3e86f1f3c63ec38c3d67adbfb952fa89a062dad78450bfd365f45c1a1607f689e104e2c7ef6faac3a00461e07022d041e5d2f667396ad81baa3af30be8acf
+  metadata.gz: fa60b8e07f6960d69fd79a50661e25b8fdfd47a1d364bdfdb0e6d398117d36ebfa845f98475b8db4a9d102d317c50e5379acf249cfd10d5cba645f176d6a9e2e
+  data.tar.gz: 647bc36e84bf57c3f076ca83101cdf59e0d03cf3d51f3c39feb53af5be936b6e74368a9810ba6612e2149576f41dd25eb8fa92b2cc85bdda8d62afda0db8e4cd

data/lib/wafris/ip_resolver.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+module Wafris
+  class IpResolver
+    # List of possible IP headers in order of priority
+    IP_HEADERS = %w[
+      HTTP_X_REAL_IP
+      HTTP_X_TRUE_CLIENT_IP
+      HTTP_FLY_CLIENT_IP
+      HTTP_CF_CONNECTING_IP
+    ].freeze
+    def initialize(request)
+      @request_env = request.env
+      @ip = request.ip
+    end
+    def resolve
+      return @request_env[ip_header] if ip_header
+      @ip
+    end
+    private
+    def ip_header
+      IP_HEADERS.find { |header| @request_env[header] }
+    end
+  end
+end

data/lib/wafris/middleware.rb CHANGED Viewed

@@ -1,80 +1,43 @@
 # frozen_string_literal: true
 module Wafris
   class Middleware
     def initialize(app)
       @app = app
+      ProxyFilter.set_filter
     end
     def call(env)
-      user_defined_proxies = ENV['TRUSTED_PROXY_RANGES'].split(',') if ENV['TRUSTED_PROXY_RANGES']
-      valid_ipv4_octet = /\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])/
-      trusted_proxies = Regexp.union(
-        /\A127#{valid_ipv4_octet}{3}\z/,                          # localhost IPv4 range 127.x.x.x, per RFC-3330
-        /\A::1\z/,                                                # localhost IPv6 ::1
-        /\Af[cd][0-9a-f]{2}(?::[0-9a-f]{0,4}){0,7}\z/i,           # private IPv6 range fc00 .. fdff
-        /\A10#{valid_ipv4_octet}{3}\z/,                           # private IPv4 range 10.x.x.x
-        /\A172\.(1[6-9]|2[0-9]|3[01])#{valid_ipv4_octet}{2}\z/,   # private IPv4 range 172.16.0.0 .. 172.31.255.255
-        /\A192\.168#{valid_ipv4_octet}{2}\z/,                     # private IPv4 range 192.168.x.x
-        /\Alocalhost\z|\Aunix(\z|:)/i,                            # localhost hostname, and unix domain sockets
-        *user_defined_proxies
-      )
-      Rack::Request.ip_filter = lambda { |ip| trusted_proxies.match?(ip) }
       request = Rack::Request.new(env)
-      # Forcing UTF-8 encoding on all strings for Sqlite3 compatibility
-      # List of possible IP headers in order of priority
-      ip_headers = [
-        'HTTP_X_REAL_IP',
-        'HTTP_X_TRUE_CLIENT_IP',
-        'HTTP_FLY_CLIENT_IP',
-        'HTTP_CF_CONNECTING_IP'
-      ]
-      # Find the first header that is present in the environment
-      ip_header = ip_headers.find { |header| env[header] }
-      # Use the found header or fallback to remote_ip if none of the headers are present
-      ip = (ip_header ? env[ip_header] : request.ip).force_encoding('UTF-8')
-      user_agent = request.user_agent ? request.user_agent.force_encoding('UTF-8') : nil
-      path = request.path.force_encoding('UTF-8')
-      parameters = Rack::Utils.build_query(request.params).force_encoding('UTF-8')
-      host = request.host.to_s.force_encoding('UTF-8')
-      request_method = String.new(request.request_method).force_encoding('UTF-8')
-      # Submitted for evaluation
-      headers = env.each_with_object({}) { |(k, v), h| h[k] = v.force_encoding('UTF-8') if k.start_with?('HTTP_') }
-      body = request.body.read
-      request_id = env.fetch('action_dispatch.request_id', SecureRandom.uuid.to_s)
-      request_timestamp = Time.now.utc.to_i
-      treatment = Wafris.evaluate(ip, user_agent, path, parameters, host, request_method, headers, body, request_id, request_timestamp)
+      wafris_request = WafrisRequest.new(request, env)
+      treatment = Wafris.evaluate(
+        wafris_request.ip,
+        wafris_request.user_agent,
+        wafris_request.path,
+        wafris_request.parameters,
+        wafris_request.host,
+        wafris_request.request_method,
+        wafris_request.headers,
+        wafris_request.body,
+        wafris_request.request_id,
+        wafris_request.request_timestamp
+      )
-      # These values match what the client tests expect (200, 404, 403, 500
+      # These values match what the client tests expect (200, 404, 403, 500)
       if treatment == 'Allowed' || treatment == 'Passed'
-        @app.call(env)
+        @app.call(env)
       elsif treatment == 'Blocked'
         [403, { 'content-type' => 'text/plain' }, ['Blocked']]
       else
-        #ap request
+        #ap request
         [500, { 'content-type' => 'text/plain' }, ['Error']]
       end
     rescue StandardError => e
       LogSuppressor.puts_log "[Wafris] Detailed Error: #{e.class} - #{e.message}"
       LogSuppressor.puts_log "[Wafris] Backtrace: #{e.backtrace.join("\n")}"
       @app.call(env)
     end
   end
 end

data/lib/wafris/proxy_filter.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module Wafris
+  module ProxyFilter
+    def self.set_filter
+      user_defined_proxies = ENV['TRUSTED_PROXY_RANGES'].split(',') if ENV['TRUSTED_PROXY_RANGES']
+      valid_ipv4_octet = /\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])/
+      trusted_proxies = Regexp.union(
+        /\A127#{valid_ipv4_octet}{3}\z/,                          # localhost IPv4 range 127.x.x.x, per RFC-3330
+        /\A::1\z/,                                                # localhost IPv6 ::1
+        /\Af[cd][0-9a-f]{2}(?::[0-9a-f]{0,4}){0,7}\z/i,           # private IPv6 range fc00 .. fdff
+        /\A10#{valid_ipv4_octet}{3}\z/,                           # private IPv4 range 10.x.x.x
+        /\A172\.(1[6-9]|2[0-9]|3[01])#{valid_ipv4_octet}{2}\z/,   # private IPv4 range 172.16.0.0 .. 172.31.255.255
+        /\A192\.168#{valid_ipv4_octet}{2}\z/,                     # private IPv4 range 192.168.x.x
+        /\Alocalhost\z|\Aunix(\z|:)/i,                            # localhost hostname, and unix domain sockets
+        *user_defined_proxies
+      )
+      Rack::Request.ip_filter = lambda { |ip| trusted_proxies.match?(ip) }
+    end
+  end
+end

data/lib/wafris/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Wafris
-  VERSION = "2.0.0"
+  VERSION = "2.0.1"
 end

data/lib/wafris/wafris_request.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+module Wafris
+  class WafrisRequest
+    attr_reader :ip, :user_agent, :path, :parameters, :host, :request_method,
+                :headers, :body, :request_id, :request_timestamp
+    def initialize(request, env)
+      @ip = encode_to_utf8(IpResolver.new(request).resolve)
+      @user_agent = encode_to_utf8(request.user_agent)
+      @path = encode_to_utf8(request.path)
+      @parameters = encode_to_utf8(Rack::Utils.build_query(request.params))
+      @host = encode_to_utf8(request.host.to_s)
+      @request_method = encode_to_utf8(request.request_method)
+      @headers = extract_headers(env)
+      @body = request.body.read
+      @request_id = env.fetch('action_dispatch.request_id', SecureRandom.uuid.to_s)
+      @request_timestamp = Time.now.utc.to_i
+    end
+    private
+    def extract_headers(env)
+      env.each_with_object({}) do |(k, v), h|
+        h[k] = encode_to_utf8(v) if k.start_with?('HTTP_')
+      end
+    end
+    def encode_to_utf8(value)
+      value&.dup&.force_encoding('UTF-8')
+    end
+  end
+end

data/lib/wafris.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 require 'rails'
 require 'sqlite3'
 require 'ipaddr'
@@ -10,9 +9,11 @@ require 'awesome_print'
 require 'wafris/configuration'
 require 'wafris/middleware'
 require 'wafris/log_suppressor'
+require 'wafris/proxy_filter'
+require 'wafris/ip_resolver'
+require 'wafris/wafris_request'
 require 'wafris/railtie' if defined?(Rails::Railtie)
-ActiveSupport::Deprecation.behavior = :silence
 module Wafris
   class << self

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wafris
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Michael Buckbee
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-17 00:00:00.000000000 Z
+date: 2024-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -179,10 +179,13 @@ extra_rdoc_files: []
 files:
 - lib/wafris.rb
 - lib/wafris/configuration.rb
+- lib/wafris/ip_resolver.rb
 - lib/wafris/log_suppressor.rb
 - lib/wafris/middleware.rb
+- lib/wafris/proxy_filter.rb
 - lib/wafris/railtie.rb
 - lib/wafris/version.rb
+- lib/wafris/wafris_request.rb
 homepage:
 licenses:
 - Elastic-2.0