During a recent pen test, our application was found to be vulnerable to a Host
header poisoning atttack, in which a "bad" hostname can be injected into the
request headers and passed back to the client, where it may be used to redirect
users (or in any scenario where `url_for` is used or the `location` is passed
back to the client)

Using a built-in feature in Rails 6 rails/rails#33145
we are able to only allow known hostnames to be passed on from a request header
into the application.

…eturning results #21123 (#796)

* escape postgres regex characters

* rails 6 config.hosts issue

* update config to handle changes from rails/rails#33145

Rails 6 has a new feature to prevent "DNS Rebinding" attacks, described
in rails/rails#33145, by allowing specific
hostnames to be added to an allowed list, "config.host" in the
"config/application.rb" file. If the hostname of the request does not
match a name in "config.host" the request is rejected.

By default, the "config.host" allow list is not set, and allows
connections for any host.

As part of the LIBITD-1870, the "config.host" allow list was added to
use the "HOST" environment variable. Added a "K8s_INTERNAL_HOST"
environment variable, which is added to the "config.host" in the
"config/application.rb" file, if present. This enables the
Kubernetes internal host name to be set in the k8s-umd-handle
configuration.

In the "env_example" file, provided a default value of "umd-handle-app"
for the "K8S_INTERNAL_HOST", as that seems likely to be correct
(and does not matter in the local development environment).

https://issues.umd.edu/browse/LIBITD-1906

The Host Authorization middleware protects against DNS rebinding.
This middleware is primarily targeted at the development environment:

> It is included in the development environment by default ... In other
environments Rails.application.config.hosts is empty and no Host header
checks will be done.
rails/rails#33145

If someone decides to call `config.hosts.clear` because it's "only
development", we should warn them they are vulnerable to DNS rebinding.

The Host Authorization middleware protects against DNS rebinding.
This middleware is primarily targeted at the development environment:

> It is included in the development environment by default ... In other
environments Rails.application.config.hosts is empty and no Host header
checks will be done.
rails/rails#33145

If someone decides to call `config.hosts.clear` because it's "only
development", we should warn them they are vulnerable to DNS rebinding.

Configure config.hosts in development to avoid DNS binding attacks

This is configured only in development based on recommendation of the
Rails guide, and to allow us to manage whitelisting via our infrastructure
in hosted environments.

More here:
* https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#new-config-hosts-setting
* rails/rails#33145 (comment)

Includes the following:
* Upgrade sqlite to be compatible with Rails version

We had an old version of sqlite pinned, seemingly due to a previous
incompatibility with Rails 5.2.2. This has since been fixed and we
need a new version of sqlite for Rails 6, so it gets unpinned and updated.

* Begin autoloading via zeitwork

In Rails 6, there is a new autoloader called zeitwerk. It is more
strict about where it expects constants to live - one class per file,
and each file should live in a directory structure that matches its
constant name (e.g. "Pender::Store" should be at "pender/store.rb", not
"pender_store.rb".

This commit begins using the Zeitwork autoloader by setting the following
in the application config: `config.load_defaults 6.0` and then updates
our lib constants to a directory structure that can be autoloaded. Since
we had an inconsistent module name, I also consolidated LapisConstants
into Lapis::, and created Pender::Exception::x as a bucket for all of our
Pender-related exceptions module, since they had to be split into their own
files but it made sense to give a way for them to be loaded as a set
(eg "pender/exception" by creating "pender/exception.rb").

The autoloading can be checked by running: `bin/rails zeitwerk:check`

More here: https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#upgrading-from-rails-5-2-to-rails-6-0

* Remove represent_boolean_as_integer = true, since it is now default and will be removed in 6.1

* Remove usage of ActionView::Base.new and replace with ApplicationController.render

This was causing errors because we were passing a Pathname of views to ActionView::Base.new,
and the constructor has changed to expect a lookup context. We were also receiving related
deprecation warnings (`DEPRECATION WARNING: ActionView::Base instances should be constructed
with a lookup context, assignments, and a controller.`)

We have two options to address this: passing in a lookup context to ActionView::Base, or
using ApplicationController.render. It seemed to me like we could use the latter and it
was a bit simpler of an interface, so I decided to move forward with that approach.

https://github.com/rails/rails/blob/v6.0.3.3/actionview/lib/action_view/base.rb#L258
https://stackoverflow.com/a/63865988

* Bundles URI-related errors so that we can more easily catch them

* Silences warnings from constant redefinition

Upgrades Bundler and explicitly declares Net HTTP gem so that
we stop getting so many warnings. Might be able to remove gem
declaration in Ruby 3.0.

References:
* ruby/net-imap#16
* codeforamerica/vita-min@835591e

* Add Spring to speed up development and tests

* Avoid autoloading constants during initialization

In Rails 6.0, autoloading constants during initialization has been deprecated.
This means that we should be explicitly requiring any constant that is used
in config/initializers rather than relying on autoload.

We were receiving warning signs about PenderConfig, ApiKey, and ApplicationRecord,
all of which were triggered by the inclusion of PenderConfig in the Airbrake
initializer. To address, I explicitly required each.

More information here:
* https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#upgrading-from-rails-5-2-to-rails-6-0
* https://bill.harding.blog/2021/07/22/rails-6-1-deprecation-warning-initialization-autoloaded-the-constants-what-to-do-about-it/

* Configure config.hosts in development to avoid DNS binding attacks

This is configured only in development based on recommendation of the
Rails guide, and to allow us to manage whitelisting via our infrastructure
in hosted environments.

More here:
* https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#new-config-hosts-setting
* rails/rails#33145 (comment)

* Use RequestHelper.request_url for all requests

In the Ruby 2.7 upgrade, we began using Addressable for URIs. This
resulted in some unexpected behavior when Net::HTTP.get_request was
used, beacuse Addressable::URI goes down a different code path than
URI because it is not recognized as a URI. THis was causing warnings
in Open Telemetry (because Addressable::URI made its way to target,
as opposed to the path) and potentially caused us to make incorrect
requests.

This standardizes the way we make requests across the application
when we don't need to set custom headers, using the non-shortcut
version of constructing Net::HTTP requests.

I'd like to further refactor this in the future - skipping unnecessary
lines (like teasing apart responsibilities of html_options, since we
often only use the User Agent) - and allowing for the pass-in of custom
headers, since we still use Net::HTTP to construct reqeusts elsewhere.

CV2-2668

Includes the following:
* Upgrade sqlite to be compatible with Rails version

We had an old version of sqlite pinned, seemingly due to a previous
incompatibility with Rails 5.2.2. This has since been fixed and we
need a new version of sqlite for Rails 6, so it gets unpinned and updated.

* Begin autoloading via zeitwork

In Rails 6, there is a new autoloader called zeitwerk. It is more
strict about where it expects constants to live - one class per file,
and each file should live in a directory structure that matches its
constant name (e.g. "Pender::Store" should be at "pender/store.rb", not
"pender_store.rb".

This commit begins using the Zeitwork autoloader by setting the following
in the application config: `config.load_defaults 6.0` and then updates
our lib constants to a directory structure that can be autoloaded. Since
we had an inconsistent module name, I also consolidated LapisConstants
into Lapis::, and created Pender::Exception::x as a bucket for all of our
Pender-related exceptions module, since they had to be split into their own
files but it made sense to give a way for them to be loaded as a set
(eg "pender/exception" by creating "pender/exception.rb").

The autoloading can be checked by running: `bin/rails zeitwerk:check`

More here: https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#upgrading-from-rails-5-2-to-rails-6-0

* Remove represent_boolean_as_integer = true, since it is now default and will be removed in 6.1

* Remove usage of ActionView::Base.new and replace with ApplicationController.render

This was causing errors because we were passing a Pathname of views to ActionView::Base.new,
and the constructor has changed to expect a lookup context. We were also receiving related
deprecation warnings (`DEPRECATION WARNING: ActionView::Base instances should be constructed
with a lookup context, assignments, and a controller.`)

We have two options to address this: passing in a lookup context to ActionView::Base, or
using ApplicationController.render. It seemed to me like we could use the latter and it
was a bit simpler of an interface, so I decided to move forward with that approach.

https://github.com/rails/rails/blob/v6.0.3.3/actionview/lib/action_view/base.rb#L258
https://stackoverflow.com/a/63865988

* Bundles URI-related errors so that we can more easily catch them

* Silences warnings from constant redefinition

Upgrades Bundler and explicitly declares Net HTTP gem so that
we stop getting so many warnings. Might be able to remove gem
declaration in Ruby 3.0.

References:
* ruby/net-imap#16
* codeforamerica/vita-min@835591e

* Add Spring to speed up development and tests

* Avoid autoloading constants during initialization

In Rails 6.0, autoloading constants during initialization has been deprecated.
This means that we should be explicitly requiring any constant that is used
in config/initializers rather than relying on autoload.

We were receiving warning signs about PenderConfig, ApiKey, and ApplicationRecord,
all of which were triggered by the inclusion of PenderConfig in the Airbrake
initializer. To address, I explicitly required each.

More information here:
* https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#upgrading-from-rails-5-2-to-rails-6-0
* https://bill.harding.blog/2021/07/22/rails-6-1-deprecation-warning-initialization-autoloaded-the-constants-what-to-do-about-it/

* Configure config.hosts in development to avoid DNS binding attacks

This is configured only in development based on recommendation of the
Rails guide, and to allow us to manage whitelisting via our infrastructure
in hosted environments.

More here:
* https://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#new-config-hosts-setting
* rails/rails#33145 (comment)

* Use RequestHelper.request_url for all requests

In the Ruby 2.7 upgrade, we began using Addressable for URIs. This
resulted in some unexpected behavior when Net::HTTP.get_request was
used, beacuse Addressable::URI goes down a different code path than
URI because it is not recognized as a URI. THis was causing warnings
in Open Telemetry (because Addressable::URI made its way to target,
as opposed to the path) and potentially caused us to make incorrect
requests.

This standardizes the way we make requests across the application
when we don't need to set custom headers, using the non-shortcut
version of constructing Net::HTTP requests.

I'd like to further refactor this in the future - skipping unnecessary
lines (like teasing apart responsibilities of html_options, since we
often only use the User Agent) - and allowing for the pass-in of custom
headers, since we still use Net::HTTP to construct reqeusts elsewhere.

CV2-2668

- nginx.conf
  - フロントエンドへ遷移する処理を下部に移動
- application.rb
  - Hostヘッダーチェックを許可する処理を追加

参考:
https://knowledge.sakura.ad.jp/16082/
https://docs.docker.jp/engine/userguide/networking/dockernetworks.html
https://docs.docker.com/engine/network/
https://qiita.com/masaxyz_labo/items/ac27d652e301e212e8ce
https://railsguides.jp/configuring.html#actiondispatch-hostauthorization
rails/rails#33145

If a forwarded header is present, that's what Rack::Request#host
returns. Applications may be making decisions based on the Host header,
even when the forwarded header is present, so we should ensure both
headers are permitted.

Reference: rails/rails#33145 (comment)