Class: ActionDispatch::HostAuthorization
- Inherits:
-
Object
- Object
- ActionDispatch::HostAuthorization
- Defined in:
- lib/action_dispatch/middleware/host_authorization.rb
Overview
# Action Dispatch HostAuthorization
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in ‘config.host_authorization`.
Requests can opt-out of Host Authorization with ‘exclude`:
config. = { exclude: ->(request) { request.path =~ /healthcheck/ } }
When a request comes to an unauthorized host, the ‘response_app` application will be executed and rendered. If no `response_app` is given, a default one will run. The default response app logs blocked host info with level ’error’ and responds with ‘403 Forbidden`. The body of the response contains debug info if `config.consider_all_requests_local` is set to true, otherwise the body is empty.
Defined Under Namespace
Classes: DefaultResponseApp, Permissions
Constant Summary collapse
- ALLOWED_HOSTS_IN_DEVELOPMENT =
[".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
- PORT_REGEX =
:nodoc:
/(?::\d+)/
- SUBDOMAIN_REGEX =
:nodoc:
/(?:[a-z0-9-]+\.)/i
- IPV4_HOSTNAME =
:nodoc:
/(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/
- IPV6_HOSTNAME =
:nodoc:
/(?<host>[a-f0-9]*:[a-f0-9.:]+)/i
- IPV6_HOSTNAME_WITH_PORT =
:nodoc:
/\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i
- VALID_IP_HOSTNAME =
:nodoc:
Regexp.union( # :nodoc: /\A#{IPV4_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME_WITH_PORT}\z/, )
Instance Method Summary collapse
- #call(env) ⇒ Object
-
#initialize(app, hosts, exclude: nil, response_app: nil) ⇒ HostAuthorization
constructor
A new instance of HostAuthorization.
Constructor Details
#initialize(app, hosts, exclude: nil, response_app: nil) ⇒ HostAuthorization
Returns a new instance of HostAuthorization.
127 128 129 130 131 132 133 |
# File 'lib/action_dispatch/middleware/host_authorization.rb', line 127 def initialize(app, hosts, exclude: nil, response_app: nil) @app = app @permissions = Permissions.new(hosts) @exclude = exclude @response_app = response_app || DefaultResponseApp.new end |
Instance Method Details
#call(env) ⇒ Object
135 136 137 138 139 140 141 142 143 144 145 146 147 148 |
# File 'lib/action_dispatch/middleware/host_authorization.rb', line 135 def call(env) return @app.call(env) if @permissions.empty? request = Request.new(env) hosts = blocked_hosts(request) if hosts.empty? || excluded?(request) (request) @app.call(env) else env["action_dispatch.blocked_hosts"] = hosts @response_app.call(env) end end |