Class: Rack::Protection::HostAuthorization

Inherits:
Base
  • Object
show all
Defined in:
lib/rack/protection/host_authorization.rb

Overview

Prevented attack

DNS rebinding and other Host header attacks

Supported browsers

all

More infos

en.wikipedia.org/wiki/DNS_rebinding portswigger.net/web-security/host-header

Blocks HTTP requests with an unrecognized hostname in any of the following HTTP headers: Host, X-Forwarded-Host, Forwarded

If you want to permit a specific hostname, you can pass in as the ‘:permitted_hosts` option:

use Rack::Protection::HostAuthorization, permitted_hosts: ["www.example.org", "sinatrarb.com"]

The ‘:allow_if` option can also be set to a proc to use custom allow/deny logic.

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary collapse

Methods inherited from Base

#call, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

#initializeHostAuthorization

Returns a new instance of HostAuthorization.



33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
# File 'lib/rack/protection/host_authorization.rb', line 33

def initialize(*)
  super
  @permitted_hosts = []
  @domain_hosts = []
  @ip_hosts = []
  @all_permitted_hosts = Array(options[:permitted_hosts])

  @all_permitted_hosts.each do |host|
    case host
    when String
      if host.start_with?(DOT)
        domain = host[1..-1]
        @permitted_hosts << domain.downcase
        @domain_hosts << /\A#{SUBDOMAINS}#{Regexp.escape(domain)}\z/i
      else
        @permitted_hosts << host.downcase
      end
    when IPAddr then @ip_hosts << host
    end
  end
end

Instance Method Details

#accepts?(env) ⇒ Boolean

Returns:

  • (Boolean) 


55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
 
# File 'lib/rack/protection/host_authorization.rb', line 55

def accepts?(env)
  return true if options[:allow_if]&.call(env)
  return true if @all_permitted_hosts.empty?

  request = Request.new(env)
  origin_host = extract_host(request.host_authority)
  forwarded_host = extract_host(request.forwarded_authority)

  debug env, "#{self.class} " \
             "@all_permitted_hosts=#{@all_permitted_hosts.inspect} " \
             "@permitted_hosts=#{@permitted_hosts.inspect} " \
             "@domain_hosts=#{@domain_hosts.inspect} " \
             "@ip_hosts=#{@ip_hosts.inspect} " \
             "origin_host=#{origin_host.inspect} " \
             "forwarded_host=#{forwarded_host.inspect}"

  if host_permitted?(origin_host)
    if forwarded_host.nil?
      true
    else
      host_permitted?(forwarded_host)
    end
  else
    false
  end
end