Class: ActionDispatch::HostAuthorization

Inherits:
Object
  • Object
show all
Defined in:
lib/action_dispatch/middleware/host_authorization.rb

Overview

# Action Dispatch HostAuthorization

This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in ‘config.host_authorization`.

Requests can opt-out of Host Authorization with ‘exclude`:

config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }

When a request comes to an unauthorized host, the ‘response_app` application will be executed and rendered. If no `response_app` is given, a default one will run. The default response app logs blocked host info with level ’error’ and responds with ‘403 Forbidden`. The body of the response contains debug info if `config.consider_all_requests_local` is set to true, otherwise the body is empty.

Defined Under Namespace

Classes: DefaultResponseApp, Permissions

Constant Summary collapse

ALLOWED_HOSTS_IN_DEVELOPMENT =
[".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
PORT_REGEX =

:nodoc:

/(?::\d+)/
SUBDOMAIN_REGEX =

:nodoc:

/(?:[a-z0-9-]+\.)/i
IPV4_HOSTNAME =

:nodoc:

/(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/
IPV6_HOSTNAME =

:nodoc:

/(?<host>[a-f0-9]*:[a-f0-9.:]+)/i
IPV6_HOSTNAME_WITH_PORT =

:nodoc:

/\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i
VALID_IP_HOSTNAME =

:nodoc:

Regexp.union( # :nodoc:
  /\A#{IPV4_HOSTNAME}\z/,
  /\A#{IPV6_HOSTNAME}\z/,
  /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
)

Instance Method Summary collapse

Constructor Details

#initialize(app, hosts, exclude: nil, response_app: nil) ⇒ HostAuthorization

Returns a new instance of HostAuthorization.



127
128
129
130
131
132
133
# File 'lib/action_dispatch/middleware/host_authorization.rb', line 127

def initialize(app, hosts, exclude: nil, response_app: nil)
  @app = app
  @permissions = Permissions.new(hosts)
  @exclude = exclude

  @response_app = response_app || DefaultResponseApp.new
end

Instance Method Details

#call(env) ⇒ Object



135
136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'lib/action_dispatch/middleware/host_authorization.rb', line 135

def call(env)
  return @app.call(env) if @permissions.empty?

  request = Request.new(env)
  hosts = blocked_hosts(request)

  if hosts.empty? || excluded?(request)
    mark_as_authorized(request)
    @app.call(env)
  else
    env["action_dispatch.blocked_hosts"] = hosts
    @response_app.call(env)
  end
end