From 166da3084d5532fdc5d9676e2df0f11259b94594 Mon Sep 17 00:00:00 2001
From: rhymes
Date: Sat, 11 Jul 2020 18:01:34 +0200
Subject: [PATCH 1/4] Replace origin_whitelist with origin_permitted
---
 .../lib/rack/protection/http_origin.rb | 15 +++++++++++----
 .../spec/lib/rack/protection/http_origin_spec.rb | 6 +++---
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/rack-protection/lib/rack/protection/http_origin.rb b/rack-protection/lib/rack/protection/http_origin.rb
index e47bdd0481..d0eca28dee 100644
--- a/rack-protection/lib/rack/protection/http_origin.rb
+++ b/rack-protection/lib/rack/protection/http_origin.rb
@@ -9,11 +9,11 @@ module Protection
 # http://tools.ietf.org/html/draft-abarth-origin
 #
 # Does not accept unsafe HTTP requests when value of Origin HTTP request header
- # does not match default or whitelisted URIs.
+ # does not match default or permitted URIs.
 #
- # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
+ # If you want to permit a specific domain, you can pass in as the `:origin_permitted` option:
 #
- # use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
+ # use Rack::Protection, origin_permitted: ["http://localhost:3000", "http://127.0.01:3000"]
 #
 # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
 class HttpOrigin < Base
@@ -32,7 +32,14 @@ def accepts?(env)
 return true unless origin = env['HTTP_ORIGIN']
 return true if base_url(env) == origin
 return true if options[:allow_if] && options[:allow_if].call(env)
- Array(options[:origin_whitelist]).include? origin
+
+ if options.key? :origin_whitelist
+ warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
+ "use origin_whitelist instead.\n"
+ end
+
+ permitted_origins = options[:origin_permitted] || options[:origin_whitelist]
+ Array(permitted_origins).include? origin
 end
 end
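Review bot: The one-argument `warn "Rack::Protection origin_whitelist option is deprecated …"` added in the `accepts?` hunk is risky inside a `Rack::Protection::Base` subclass: Base (not shown here) defines an instance method `warn(env, message)` that `deny` uses for logging, and if this call resolves to it the deprecated `origin_whitelist` path raises an ArgumentError on the first unsafe request with a non-matching Origin instead of falling back, which nothing in the reworked specs would catch. It is also evaluated per request rather than once at configuration time, so a deployment still on the old option logs the deprecation on every such request. I would call the Kernel method explicitly and hoist the check out of the request path, e.g. `def initialize(app, options = {}); super; ::Kernel.warn "Rack::Protection origin_whitelist option is deprecated and will be removed, use origin_permitted instead." if options.key?(:origin_whitelist); end`. Worth a one-line comment on `Array(permitted_origins).include? origin` as well, `# exact string match on purpose: a prefix or regex match here would admit e.g. http://www.friend.com.evil.example`, since that is the property a future "wildcard origins" change must not break. `accepts?` begins above the hunk, and its trailing context appears cut short here.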
diff --git a/rack-protection/spec/lib/rack/protection/http_origin_spec.rb b/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
index 3b05fb4b27..8b4797d9a5 100644
--- a/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
@@ -15,7 +15,7 @@
 end
 %w(GET HEAD).each do |method|
- it "accepts #{method} requests with non-whitelisted Origin" do
+ it "accepts #{method} requests with non-permitted Origin" do
 expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).to be_ok
 end
 end
@@ -31,13 +31,13 @@
 end
 %w(POST PUT DELETE).each do |method|
- it "denies #{method} requests with non-whitelisted Origin" do
+ it "denies #{method} requests with non-permitted Origin" do
 expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).not_to be_ok
 end
 it "accepts #{method} requests with whitelisted Origin" do
 mock_app do
- use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
+ use Rack::Protection::HttpOrigin, :origin_permitted => ['http://www.friend.com']
 run DummyApp
 end
 expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com')).to be_ok
From 472b61045d84e9f7e7b1869badd2c3d8cb4fac0c Mon Sep 17 00:00:00 2001
From: rhymes
Date: Sat, 11 Jul 2020 18:29:05 +0200
Subject: [PATCH 2/4] Replace origin_permitted with permitted_origins
---
 rack-protection/lib/rack/protection/http_origin.rb | 6 +++---
 .../spec/lib/rack/protection/http_origin_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rack-protection/lib/rack/protection/http_origin.rb b/rack-protection/lib/rack/protection/http_origin.rb
index d0eca28dee..dab87c7400 100644
--- a/rack-protection/lib/rack/protection/http_origin.rb
+++ b/rack-protection/lib/rack/protection/http_origin.rb
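Review bot: Switching the only `:origin_whitelist => [...]` example in the `@@ -31,13` hunk to `:origin_permitted` leaves the deprecated option with no coverage at all, even though the library hunk keeps it as a fallback; a rename is exactly where that fallback is most likely to regress silently. I would keep a sibling example for the old name, `use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']` with the same `expect(...).to be_ok`, and, assuming the deprecation goes to stderr, wrap the request in `expect { ... }.to output(/deprecated/).to_stderr` so the warning path is executed rather than just present. The unchanged description `"accepts #{method} requests with whitelisted Origin"` also still uses the terminology this series is removing. The enclosing `%w(POST PUT DELETE).each` block continues past the end of the hunk.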
@@ -11,9 +11,9 @@ module Protection
 # Does not accept unsafe HTTP requests when value of Origin HTTP request header
 # does not match default or permitted URIs.
 #
- # If you want to permit a specific domain, you can pass in as the `:origin_permitted` option:
+ # If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
 #
- # use Rack::Protection, origin_permitted: ["http://localhost:3000", "http://127.0.01:3000"]
+ # use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
 #
 # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
 class HttpOrigin < Base
@@ -38,7 +38,7 @@ def accepts?(env)
 "use origin_whitelist instead.\n"
 end
- permitted_origins = options[:origin_permitted] || options[:origin_whitelist]
+ permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
 Array(permitted_origins).include? origin
 end
diff --git a/rack-protection/spec/lib/rack/protection/http_origin_spec.rb b/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
index 8b4797d9a5..d6260c70b8 100644
--- a/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
@@ -37,7 +37,7 @@
 it "accepts #{method} requests with whitelisted Origin" do
 mock_app do
- use Rack::Protection::HttpOrigin, :origin_permitted => ['http://www.friend.com']
+ use Rack::Protection::HttpOrigin, :permitted_origins => ['http://www.friend.com']
 run DummyApp
 end
 expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com')).to be_ok
From bb9a4937912cfd264c8fa3af5f010d70c9447e67 Mon Sep 17 00:00:00 2001
From: rhymes
Date: Sun, 12 Jul 2020 15:27:50 +0200
Subject: [PATCH 3/4] Fix warning message
---
 rack-protection/lib/rack/protection/http_origin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rack-protection/lib/rack/protection/http_origin.rb b/rack-protection/lib/rack/protection/http_origin.rb
index dab87c7400..e25f1a9ccd 100644
--- a/rack-protection/lib/rack/protection/http_origin.rb
+++ b/rack-protection/lib/rack/protection/http_origin.rb
@@ -35,7 +35,7 @@ def accepts?(env)
 if options.key? :origin_whitelist
 warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
- "use origin_whitelist instead.\n"
+ "use permitted_origins instead.\n"
 end
 permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
From 05ad7c5d3e0204d0b5c44b9ac288bd6f8998f3e6 Mon Sep 17 00:00:00 2001
From: rhymes
Date: Sun, 12 Jul 2020 15:54:08 +0200
Subject: [PATCH 4/4] Change parameter keyword syntax
---
 rack-protection/spec/lib/rack/protection/http_origin_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rack-protection/spec/lib/rack/protection/http_origin_spec.rb b/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
index d6260c70b8..b32429fde9 100644
--- a/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/http_origin_spec.rb
@@ -37,7 +37,7 @@
 it "accepts #{method} requests with whitelisted Origin" do
 mock_app do
- use Rack::Protection::HttpOrigin, :permitted_origins => ['http://www.friend.com']
+ use Rack::Protection::HttpOrigin, permitted_origins: ['http://www.friend.com']
 run DummyApp
 end
 expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com')).to be_ok