Class: ActionDispatch::HostAuthorization
| Relationships & Source Files | |
| Namespace Children | |
|
Classes:
| |
| Inherits: | Object |
| Defined in: | actionpack/lib/action_dispatch/middleware/host_authorization.rb |
Overview
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.
Requests can opt-out of Host Authorization with exclude:
config. = { exclude: ->(request) { request.path =~ /healthcheck/ } }When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run. The default response app logs blocked host info with level ‘error’ and responds with 403 Forbidden. The body of the response contains debug info if config.consider_all_requests_local is set to true, otherwise the body is empty.
Constant Summary
-
ALLOWED_HOSTS_IN_DEVELOPMENT =
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 23[".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
-
IPV4_HOSTNAME =
Internal use only
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 26/(?<host>\d\.\d\.\d\.\d)#{PORT_REGEX}?/ -
IPV6_HOSTNAME =
Internal use only
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 27/(?<host>[a-f0-9]*:[a-f0-9.:]+)/i -
IPV6_HOSTNAME_WITH_PORT =
Internal use only
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 28/\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i -
PORT_REGEX =
Internal use only
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 24/(?::\d+)/ -
SUBDOMAIN_REGEX =
Internal use only
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 25/(?:[a-z0-9-]+\.)/i -
VALID_IP_HOSTNAME =
Internal use only
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 29Regexp.union( # :nodoc: /\A#{IPV4_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME_WITH_PORT}\z/, )
Class Method Summary
Instance Method Summary
- #call(env)
- #blocked_hosts(request) private
- #excluded?(request) ⇒ Boolean private
- #mark_as_authorized(request) private
Constructor Details
.new(app, hosts, exclude: nil, response_app: nil) ⇒ HostAuthorization
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 127
def initialize(app, hosts, exclude: nil, response_app: nil) @app = app @permissions = Permissions.new(hosts) @exclude = exclude @response_app = response_app || DefaultResponseApp.new end
Instance Method Details
#blocked_hosts(request) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 151
def blocked_hosts(request) hosts = [] origin_host = request.get_header("HTTP_HOST") hosts << origin_host unless @permissions.allows?(origin_host) forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host) hosts end
#call(env)
[ GitHub ]# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 135
def call(env) return @app.call(env) if @permissions.empty? request = Request.new(env) hosts = blocked_hosts(request) if hosts.empty? || excluded?(request) (request) @app.call(env) else env["action_dispatch.blocked_hosts"] = hosts @response_app.call(env) end end
#excluded?(request) ⇒ Boolean (private)
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 163
def excluded?(request) @exclude && @exclude.call(request) end
#mark_as_authorized(request) (private)
[ GitHub ]# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 167
def (request) request.set_header("action_dispatch.authorized_host", request.host) end