Class: Rack::Protection::HostAuthorization
| Relationships & Source Files | |
| Super Chains via Extension / Inclusion / Inheritance | |
|
Class Chain:
self,
Base
|
|
|
Instance Chain:
self,
Base
|
|
| Inherits: |
Rack::Protection::Base
|
| Defined in: | rack-protection/lib/rack/protection/host_authorization.rb |
Overview
- Prevented attack
DNS rebinding and other Host header attacks
- Supported browsers
all
- More info
Blocks HTTP requests with an unrecognized hostname in any of the following HTTP headers: Host, X-Forwarded-Host, Forwarded, based on Request#forwarded_authority and Request#host_authority.
Options
[:permitted_hosts] an Array of hosts to allow. Elements can be as follows: [String not starting with a dot] a hostname that must be a case-insensitive match to allow the request. [String starting with a dot] allow matches from the entire domain, including any subdomain. [IPAddr] Specific IP or IP Range to allow (based on #include?). Note that no DNS lookup is done - this is just based on the value of the HTTP header.
[:allow_if] a Proc that, if it returns true, allows the request regardless of the value of :permitted_hosts. Default value is nil, meaning :permitted_hosts is respected and there are no exceptions. [Rack::Protection::Base options] options supported by Rack::Protection::Base may affect this middleware.
Example: Allow specific hosts
use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]
Example: Allow all subdomains
use Rack::Protection::HostAuthorization, permitted_hosts: [".example.org", ".sinatrarb.com"]
Example: Allow an IP range
use Rack::Protection::HostAuthorization, permitted_hosts: [ IPAddr.new("192.168.2.0/16") ]
The :allow_if option can also be set to a proc to use custom allow/deny logic.
Constant Summary
-
DOT =
private
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 50'.' -
PORT_REGEXP =
private
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 51/:\d+\z/.freeze
-
SUBDOMAINS =
private
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 52/[a-z0-9\-.]+/.freeze
Base - Inherited
Class Method Summary
- .new ⇒ HostAuthorization constructor
Base - Inherited
| .default_options | Used by subclasses to declare default values for options they require. |
| .default_reaction | Used by subclasses to declare default reaction when a request is rejected. |
| .new | |
Instance Attribute Summary
Instance Method Summary
- #accepts?(env) ⇒ Boolean
- #domain_match?(host) ⇒ Boolean private
- #exact_match?(host) ⇒ Boolean private
- #extract_host(authority) private
- #host_permitted?(host) ⇒ Boolean private
- #ip_match?(host) ⇒ Boolean private
Base - Inherited
| #accepts?, #call, #debug, #default_options, | |
| #default_reaction | Alias for Base#deny. |
| #deny | Deny the request. |
| #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, | |
| #report | When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false). |
| #safe?, #secure_compare, #session, #session?, #warn | |
Constructor Details
.new ⇒ HostAuthorization
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 60
def initialize(*) super @permitted_hosts = [] @domain_hosts = [] @ip_hosts = [] @all_permitted_hosts = Array([:permitted_hosts]) @all_permitted_hosts.each do |host| case host when String if host.start_with?(DOT) domain = host[1..-1] @permitted_hosts << domain.downcase @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i else @permitted_hosts << host.downcase end when IPAddr then @ip_hosts << host end end end
Instance Method Details
#accepts?(env) ⇒ Boolean
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 82
def accepts?(env) return true if [:allow_if]&.call(env) return true if @all_permitted_hosts.empty? request = Request.new(env) origin_host = extract_host(request.) forwarded_host = extract_host(request.) debug env, "#{self.class} " \ "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \ "@permitted_hosts=#{@permitted_hosts.inspect} " \ "@domain_hosts=#{@domain_hosts.inspect} " \ "@ip_hosts=#{@ip_hosts.inspect} " \ "origin_host=#{origin_host.inspect} " \ "forwarded_host=#{forwarded_host.inspect}" if host_permitted?(origin_host) if forwarded_host.nil? true else host_permitted?(forwarded_host) end else false end end
#domain_match?(host) ⇒ Boolean (private)
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 123
def domain_match?(host) return false if host.nil? return false if host.start_with?(DOT) @domain_hosts.any? { |domain_host| host.match?(domain_host) } end
#exact_match?(host) ⇒ Boolean (private)
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 119
def exact_match?(host) @permitted_hosts.include?(host) end
#extract_host(authority) (private)
[ GitHub ]# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 111
def extract_host() .to_s.split(PORT_REGEXP).first&.downcase end
#host_permitted?(host) ⇒ Boolean (private)
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 115
def host_permitted?(host) exact_match?(host) || domain_match?(host) || ip_match?(host) end
#ip_match?(host) ⇒ Boolean (private)
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 130
def ip_match?(host) @ip_hosts.any? { |ip_host| ip_host.include?(host) } rescue IPAddr::InvalidAddressError false end