Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add HostAuthorization rack-protection middleware #2053

Merged
merged 34 commits into from
Nov 18, 2024
Merged

Add HostAuthorization rack-protection middleware #2053

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
fb2d76d
Add `permitted_hosts` setting
dentarg Nov 5, 2024
b5df6e1
Split bad/good cases in `HostAuthorization` specs
dentarg Nov 8, 2024
492589f
Less brittle `HostAuthorization` specs
dentarg Nov 8, 2024
841ee31
Simplify `HostAuthorization` tests for Sinatra
dentarg Nov 8, 2024
d2293d9
Document `HostAuthorization` in rack-protection README
dentarg Nov 8, 2024
c9c2625
Expose all the options for `HostAuthorization`
dentarg Nov 8, 2024
6e3711e
Test with multiple hostnames in headers
dentarg Nov 8, 2024
1701645
Improve test descriptions
dentarg Nov 8, 2024
071358e
Port should not matter for `HostAuthorization`
dentarg Nov 8, 2024
856d8e6
No need for `Rack::Protection::HostAuthorization.forwarded?` now
dentarg Nov 8, 2024
ffaf412
Support for `IPAddr` hosts
dentarg Nov 8, 2024
44dd856
Always look at the `Host` header
dentarg Nov 12, 2024
76e614a
Better grouping of `HostAuthorization` specs
dentarg Nov 12, 2024
e6264be
Test with more exotic header values
dentarg Nov 12, 2024
d179c0c
Support for subdomains
dentarg Nov 12, 2024
4652ad2
Support `Forwarded` header in `#forwarded?`
dentarg Nov 12, 2024
a167d8b
Use the same `require` order as other protections
dentarg Nov 13, 2024
3d5383d
Better `allow_if` example in tests
dentarg Nov 13, 2024
dd73d0e
`HostAuthorization` development settings
dentarg Nov 13, 2024
8466a9e
Test with `nil` `HTTP_HOST`
dentarg Nov 13, 2024
1081bf8
Fix typo in README
dentarg Nov 14, 2024
85d2079
Mention `IPAddr` objects
dentarg Nov 14, 2024
801e821
Add (optional) debug logging in `HostAuthorization`
dentarg Nov 14, 2024
579a2e6
Fix incorrect test description
dentarg Nov 15, 2024
affc961
Use keyword argument for `mock_app` helper
dentarg Nov 15, 2024
543bac2
Better test description
dentarg Nov 15, 2024
b1bf256
Fix typo in test description
dentarg Nov 15, 2024
9f0d130
Reject invalid hostnames
dentarg Nov 17, 2024
5947a6d
Document `host_authorization` defaults
dentarg Nov 17, 2024
b29d698
Lint `HostAuthorization` middleware
dentarg Nov 18, 2024
5ba1250
Lint `HostAuthorization` specs
dentarg Nov 18, 2024
3059727
Avoid `warning: character class has '-' without escape: ...`
dentarg Nov 18, 2024
4dfd160
Silence `Style/SafeNavigationChainLength` cop
dentarg Nov 18, 2024
7697337
No need to silence `SafeNavigationChainLength` cop
dentarg Nov 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Support Forwarded header in #forwarded? 
Related to #2011
  • Loading branch information
@dentarg
dentarg committed Nov 12, 2024
commit 4652ad260d89048a15bbd75c1e1f942531724979
2 changes: 1 addition & 1 deletion lib/sinatra/base.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ def preferred_type(*types)
alias secure? ssl?

def forwarded?
get_header(Request::HTTP_X_FORWARDED_HOST)
!forwarded_authority.nil?
end

def safe?
Expand Down
8 changes: 8 additions & 0 deletions test/request_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,14 @@ class RequestTest < Minitest::Test
assert request.forwarded?
end

it 'respects Forwarded header with host key' do
request = Sinatra::Request.new('HTTP_FORWARDED' => 'host=example.com')
assert request.forwarded?

request = Sinatra::Request.new('HTTP_FORWARDED' => 'for=192.0.2.60;proto=http;by=203.0.113.43')
refute request.forwarded?
end

it 'respects X-Forwarded-Proto header for proxied SSL' do
request = Sinatra::Request.new('HTTP_X_FORWARDED_PROTO' => 'https')
assert request.secure?
Expand Down