123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::HostAuthorization

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/host_authorization.rb

Overview

Prevented attack

DNS rebinding and other Host header attacks

Supported browsers

all

More info

Blocks HTTP requests with an unrecognized hostname in any of the following HTTP headers: Host, X-Forwarded-Host, Forwarded, based on Request#forwarded_authority and Request#host_authority.

Options

[:permitted_hosts] an Array of hosts to allow. Elements can be as follows: [String not starting with a dot] a hostname that must be a case-insensitive match to allow the request. [String starting with a dot] allow matches from the entire domain, including any subdomain. [IPAddr] Specific IP or IP Range to allow (based on #include?). Note that no DNS lookup is done - this is just based on the value of the HTTP header.

[:allow_if] a Proc that, if it returns true, allows the request regardless of the value of :permitted_hosts. Default value is nil, meaning :permitted_hosts is respected and there are no exceptions. [Rack::Protection::Base options] options supported by Rack::Protection::Base may affect this middleware.

Example: Allow specific hosts

use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]

Example: Allow all subdomains

use Rack::Protection::HostAuthorization, permitted_hosts: [".example.org", ".sinatrarb.com"]

Example: Allow an IP range

use Rack::Protection::HostAuthorization, permitted_hosts: [ IPAddr.new("192.168.2.0/16") ]

The :allow_if option can also be set to a proc to use custom allow/deny logic.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options

Used by subclasses to declare default values for options they require.

.default_reaction

Used by subclasses to declare default reaction when a request is rejected.

.new

Instance Attribute Summary

Base - Inherited

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.

#deny

Deny the request.

#drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer,
#report

When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false).

#safe?, #secure_compare, #session, #session?, #warn

Constructor Details

.newHostAuthorization

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 60

def initialize(*)
  super
  @permitted_hosts = []
  @domain_hosts = []
  @ip_hosts = []
  @all_permitted_hosts = Array(options[:permitted_hosts])

  @all_permitted_hosts.each do |host|
    case host
    when String
      if host.start_with?(DOT)
        domain = host[1..-1]
        @permitted_hosts << domain.downcase
        @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i
      else
        @permitted_hosts << host.downcase
      end
    when IPAddr then @ip_hosts << host
    end
  end
end

Instance Method Details

#accepts?(env) ⇒ Boolean

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 82

def accepts?(env)
  return true if options[:allow_if]&.call(env)
  return true if @all_permitted_hosts.empty?

  request = Request.new(env)
  origin_host = extract_host(request.host_authority)
  forwarded_host = extract_host(request.forwarded_authority)

  debug env, "#{self.class} " \
             "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \
             "@permitted_hosts=#{@permitted_hosts.inspect} " \
             "@domain_hosts=#{@domain_hosts.inspect} " \
             "@ip_hosts=#{@ip_hosts.inspect} " \
             "origin_host=#{origin_host.inspect} " \
             "forwarded_host=#{forwarded_host.inspect}"

  if host_permitted?(origin_host)
    if forwarded_host.nil?
      true
    else
      host_permitted?(forwarded_host)
    end
  else
    false
  end
end

#domain_match?(host) ⇒ Boolean (private)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 123

def domain_match?(host)
  return false if host.nil?
  return false if host.start_with?(DOT)

  @domain_hosts.any? { |domain_host| host.match?(domain_host) }
end

#exact_match?(host) ⇒ Boolean (private)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 119

def exact_match?(host)
  @permitted_hosts.include?(host)
end

#extract_host(authority) (private)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 111

def extract_host(authority)
  authority.to_s.split(PORT_REGEXP).first&.downcase
end

#host_permitted?(host) ⇒ Boolean (private)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 115

def host_permitted?(host)
  exact_match?(host) || domain_match?(host) || ip_match?(host)
end

#ip_match?(host) ⇒ Boolean (private)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 130

def ip_match?(host)
  @ip_hosts.any? { |ip_host| ip_host.include?(host) }
rescue IPAddr::InvalidAddressError
  false
end