Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace origin_whitelist with permitted_origins #1625

Merged
merged 4 commits into from Jul 12, 2020
Merged

Replace origin_whitelist with permitted_origins #1625

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
166da30
Replace origin_whitelist with origin_permitted
rhymes Jul 11, 2020
472b610
Replace origin_permitted with permitted_origins
rhymes Jul 11, 2020
bb9a493
Fix warning message
rhymes Jul 12, 2020
05ad7c5
Change parameter keyword syntax
rhymes Jul 12, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 11 additions & 4 deletions rack-protection/lib/rack/protection/http_origin.rb
View file
Open in desktop
Expand Up @@ -9,11 +9,11 @@ module Protection
# http://tools.ietf.org/html/draft-abarth-origin
#
# Does not accept unsafe HTTP requests when value of Origin HTTP request header
# does not match default or whitelisted URIs.
# does not match default or permitted URIs.
#
# If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
# If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:
#
# use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
# use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
#
# The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
class HttpOrigin < Base
Expand All @@ -32,7 +32,14 @@ def accepts?(env)
return true unless origin = env['HTTP_ORIGIN']
return true if base_url(env) == origin
return true if options[:allow_if] && options[:allow_if].call(env)
Array(options[:origin_whitelist]).include? origin

if options.key? :origin_whitelist
warn "Rack::Protection origin_whitelist option is deprecated and will be removed, " \
"use permitted_origins instead.\n"
end

permitted_origins = options[:permitted_origins] || options[:origin_whitelist]
Array(permitted_origins).include? origin
end

end
Expand Down
6 changes: 3 additions & 3 deletions rack-protection/spec/lib/rack/protection/http_origin_spec.rb
View file
Open in desktop
Expand Up @@ -15,7 +15,7 @@
end

%w(GET HEAD).each do |method|
it "accepts #{method} requests with non-whitelisted Origin" do
it "accepts #{method} requests with non-permitted Origin" do
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).to be_ok
end
end
Expand All @@ -31,13 +31,13 @@
end

%w(POST PUT DELETE).each do |method|
it "denies #{method} requests with non-whitelisted Origin" do
it "denies #{method} requests with non-permitted Origin" do
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com')).not_to be_ok
end

it "accepts #{method} requests with whitelisted Origin" do
mock_app do
use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
use Rack::Protection::HttpOrigin, :permitted_origins => ['http://www.friend.com']
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perimitted_origins: ['http://www.friend.com'] ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done :)

run DummyApp
end
expect(send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com')).to be_ok
Expand Down