123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::HostAuthorization

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/host_authorization.rb

Overview

Prevented attack:: DNS rebinding and other Host header attacks Supported browsers:: all More infos:: https://en.wikipedia.org/wiki/DNS_rebinding https://portswigger.net/web-security/host-header

Blocks HTTP requests with an unrecognized hostname in any of the following HTTP headers: Host, X-Forwarded-Host, Forwarded

If you want to permit a specific hostname, you can pass in as the :permitted_hosts option:

use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]

The :allow_if option can also be set to a proc to use custom allow/deny logic.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options, .default_reaction, .new

Instance Attribute Summary

Base - Inherited

#app, #options

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.
#deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

.newHostAuthorization

[ GitHub ] 

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 33



def initialize(*)
  super
  @permitted_hosts = []
  @domain_hosts = []
  @ip_hosts = []
  @all_permitted_hosts = Array(options[:permitted_hosts])

  @all_permitted_hosts.each do |host|
    case host
    when String
      if host.start_with?(DOT)
        domain = host[1..-1]
        @permitted_hosts << domain.downcase
        @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i
      else
        @permitted_hosts << host.downcase
      end
    when IPAddr then @ip_hosts << host
    end
  end
end


  







Instance Method Details



  

    #accepts?(env)  ⇒ Boolean 
  



  

    
  





  


  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 55



def accepts?(env)
  return true if options[:allow_if]&.call(env)
  return true if @all_permitted_hosts.empty?

  request = Request.new(env)
  origin_host = extract_host(request.host_authority)
  forwarded_host = extract_host(request.forwarded_authority)

  debug env, "#{self.class} " \
             "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \
             "@permitted_hosts=#{@permitted_hosts.inspect} " \
             "@domain_hosts=#{@domain_hosts.inspect} " \
             "@ip_hosts=#{@ip_hosts.inspect} " \
             "origin_host=#{origin_host.inspect} " \
             "forwarded_host=#{forwarded_host.inspect}"

  if host_permitted?(origin_host)
    if forwarded_host.nil?
      true
    else
      host_permitted?(forwarded_host)
    end
  else
    false
  end
end


  








  

    #domain_match?(host)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 96



def domain_match?(host)
  return false if host.nil?
  return false if host.start_with?(DOT)

  @domain_hosts.any? { |domain_host| host.match?(domain_host) }
end


  








  

    #exact_match?(host)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 92



def exact_match?(host)
  @permitted_hosts.include?(host)
end


  








  

    #extract_host(authority)   (private)
  

  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 84



def extract_host(authority)
  authority.to_s.split(PORT_REGEXP).first&.downcase
end


  








  

    #host_permitted?(host)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 88



def host_permitted?(host)
  exact_match?(host) || domain_match?(host) || ip_match?(host)
end


  








  

    #ip_match?(host)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/host_authorization.rb', line 103



def ip_match?(host)
  @ip_hosts.any? { |ip_host| ip_host.include?(host) }
rescue IPAddr::InvalidAddressError
  false
end