From 2ee53942bb84520b0427bac06aff890969e3ac0e Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 15:32:45 +0100 Subject: [PATCH 1/7] Scrub headers according to the SDK spec --- lib/castle/configuration.rb | 8 +- lib/castle/extractors/headers.rb | 38 ++++++--- spec/lib/castle/client_spec.rb | 8 +- spec/lib/castle/configuration_spec.rb | 20 +---- spec/lib/castle/context/default_spec.rb | 19 ++--- spec/lib/castle/extractors/headers_spec.rb | 89 +++++++++++++++++----- spec/spec_helper.rb | 11 ++- 7 files changed, 123 insertions(+), 70 deletions(-) diff --git a/lib/castle/configuration.rb b/lib/castle/configuration.rb index ab45118f..f3930d61 100644 --- a/lib/castle/configuration.rb +++ b/lib/castle/configuration.rb @@ -9,6 +9,9 @@ class Configuration FAILOVER_STRATEGY = :allow REQUEST_TIMEOUT = 500 # in milliseconds FAILOVER_STRATEGIES = %i[allow deny challenge throw].freeze + # @note this value is not assigned anymore. + # If you want to customize which headers you send to Castle, + # we suggest using these values as a good default. WHITELISTED = [ 'User-Agent', 'Accept-Language', @@ -24,7 +27,6 @@ class Configuration 'X-Forwarded-For', 'CF_CONNECTING_IP' ].freeze - BLACKLISTED = ['HTTP_COOKIE'].freeze attr_accessor :host, :port, :request_timeout, :url_prefix attr_reader :api_secret, :whitelisted, :blacklisted, :failover_strategy @@ -36,8 +38,8 @@ def initialize self.host = HOST self.port = PORT self.url_prefix = URL_PREFIX - self.whitelisted = WHITELISTED - self.blacklisted = BLACKLISTED + self.whitelisted = [] + self.blacklisted = [] self.api_secret = '' end diff --git a/lib/castle/extractors/headers.rb b/lib/castle/extractors/headers.rb index 84017134..414737a3 100644 --- a/lib/castle/extractors/headers.rb +++ b/lib/castle/extractors/headers.rb 
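Review bot: With `self.whitelisted = []` in `initialize`, an empty list no longer means "send nothing" but "send every HTTP_* header" (the extractor in the next hunk treats `whitelisted.empty?` as pass-through), so every installation that relied on the 13-entry `WHITELISTED` default starts forwarding all request headers to Castle after upgrading, with only Cookie and Authorization scrubbed. Nothing in this hunk or on the `whitelisted` reader states that semantic, so a reader of the configuration alone cannot tell that `[]` is the permissive setting; I would put `# Empty means every HTTP header is sent (only Cookie/Authorization are scrubbed); assign a list to restrict.` directly above `self.whitelisted = []`. Given the widened default, the CHANGELOG entry in patch 7 filing this under "Bug fixes" understates it; the file already uses a "BREAKING CHANGES" heading for 3.6.0, and this belongs under one for the next release.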
@@ -4,23 +4,43 @@ module Castle module Extractors # used for extraction of cookies and headers from the request class Headers + # Headers that we will never scrub, even if they land on the configuration blacklist. + ALWAYS_INCLUDED_HEADERS = %w[User-Agent] + + # Headers that will always be scrubbed, even if whitelisted. + ALWAYS_SCRUBBED_HEADERS = %w[Cookie Authorization] + + CONTENT_LENGTH = 'CONTENT_LENGTH' + + HTTP_HEADER_PREFIX = 'HTTP_' + + private_constant :ALWAYS_INCLUDED_HEADERS, :ALWAYS_SCRUBBED_HEADERS, + :CONTENT_LENGTH, :HTTP_HEADER_PREFIX + + # @param request [Rack::Request] def initialize(request) - @request = request - @request_env = @request.env + @request_env = request.env @formatter = HeaderFormatter.new end # Serialize HTTP headers + # @return [Hash] def call - @request_env.keys.each_with_object({}) do |header, acc| - name = @formatter.call(header) + @request_env.keys.each_with_object({}) do |env_header, acc| + next unless env_header.start_with?(HTTP_HEADER_PREFIX) || env_header == CONTENT_LENGTH + + header = @formatter.call(env_header) - if Castle.config.whitelisted.include?(name) && !Castle.config.blacklisted.include?(name) - acc[name] = @request_env[header] + if ALWAYS_SCRUBBED_HEADERS.include?(header) + acc[header] = true + elsif ALWAYS_INCLUDED_HEADERS.include?(header) + acc[header] = @request_env[env_header] + elsif Castle.config.blacklisted.include?(header) + acc[header] = true + elsif Castle.config.whitelisted.empty? || Castle.config.whitelisted.include?(header) + acc[header] = @request_env[env_header] else - # When a header is not whitelisted or blacklisted, we're not suppose to send - # it's value but we should send it's name to indicate it's presence - acc[name] = true + acc[header] = true end end end diff --git a/spec/lib/castle/client_spec.rb b/spec/lib/castle/client_spec.rb index d362c123..393fc1d4 100644 --- a/spec/lib/castle/client_spec.rb +++ b/spec/lib/castle/client_spec.rb 
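Review bot: `ALWAYS_SCRUBBED_HEADERS = %w[Cookie Authorization]` is now the only protection applied by default, since the whitelist is empty and every other `HTTP_*` key is forwarded verbatim; `Proxy-Authorization` (formatted from `HTTP_PROXY_AUTHORIZATION` the same way `HTTP_X_FORWARDED_FOR` becomes `X-Forwarded-For` in the specs) carries credentials just like `Authorization` but is sent in full unless each integrator remembers to blacklist it. I would extend the constant, `ALWAYS_SCRUBBED_HEADERS = %w[Cookie Authorization Proxy-Authorization].freeze`, and add a spec case for it next to the existing `'Authorization' => true` expectation. The README hunk in patch 2 says the SDK always blacklists "Cookie and Authentication headers"; the code scrubs `Authorization`, so the README wording should use the header's actual name. `HeaderFormatter` and the configuration setters that apparently normalise case are outside this hunk, so case-insensitive matching against these constants is inferred from the specs rather than seen.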
@@ -22,13 +22,7 @@ let(:headers) do { - 'Rack.version': true, 'Rack.input': true, 'Rack.errors': true, - 'Rack.multithread': true, 'Rack.multiprocess': true, 'Rack.run-Once': true, - 'Request-Method': true, 'Server-Name': true, 'Server-Port': true, - 'Query-String': true, 'Path-Info': true, 'Rack.url-Scheme': true, - 'Https': true, 'Script-Name': true, 'Content-Length': true, - 'User-Agent': ua, 'X-Forwarded-For': ip.to_s, 'Rack.request.cookie-Hash': true, - 'Rack.request.cookie-String': true, 'Cookie': true + 'Content-Length': '0', 'User-Agent': ua, 'X-Forwarded-For': ip.to_s, 'Cookie': true } end let(:context) do diff --git a/spec/lib/castle/configuration_spec.rb b/spec/lib/castle/configuration_spec.rb index a625c7e6..db9a2ab3 100644 --- a/spec/lib/castle/configuration_spec.rb +++ b/spec/lib/castle/configuration_spec.rb @@ -77,7 +77,7 @@ describe 'whitelisted' do it do - expect(config.whitelisted.size).to be_eql(13) + expect(config.whitelisted.size).to be_eql(0) end context 'with setter' do @@ -88,19 +88,11 @@ expect(config.whitelisted).to be_eql(['Header']) end end - - context 'when appending' do - before do - config.whitelisted += ['header'] - end - it { expect(config.whitelisted).to be_include('Header') } - it { expect(config.whitelisted.size).to be_eql(14) } - end end describe 'blacklisted' do it do - expect(config.blacklisted.size).to be_eql(1) + expect(config.blacklisted.size).to be_eql(0) end context 'with setter' do @@ -111,14 +103,6 @@ expect(config.blacklisted).to be_eql(['Header']) end end - - context 'when appending' do - before do - config.blacklisted += ['header'] - end - it { expect(config.blacklisted).to be_include('Header') } - it { expect(config.blacklisted.size).to be_eql(2) } - end end describe 'failover_strategy' do diff --git a/spec/lib/castle/context/default_spec.rb b/spec/lib/castle/context/default_spec.rb index cfe090dd..780bb6df 100644 --- a/spec/lib/castle/context/default_spec.rb +++ b/spec/lib/castle/context/default_spec.rb 
@@ -9,8 +9,8 @@ let(:env) do Rack::MockRequest.env_for('/', 'HTTP_X_FORWARDED_FOR' => ip, - 'HTTP-Accept-Language' => 'en', - 'HTTP-User-Agent' => 'test', + 'HTTP_ACCEPT_LANGUAGE' => 'en', + 'HTTP_USER_AGENT' => 'test', 'HTTP_COOKIE' => "__cid=#{cookie_id};other=efgh") end let(:request) { Rack::Request.new(env) } @@ -23,18 +23,15 @@ it { expect(default_context[:active]).to be_eql(true) } it { expect(default_context[:origin]).to be_eql('web') } - it { + it do expect(default_context[:headers]).to be_eql( - 'Rack.version' => true, 'Rack.input' => true, 'Rack.errors' => true, - 'Rack.multithread' => true, 'Rack.multiprocess' => true, 'Rack.run-Once' => true, - 'Request-Method' => true, 'Server-Name' => true, 'Server-Port' => true, - 'Query-String' => true, 'Path-Info' => true, 'Rack.url-Scheme' => true, - 'Https' => true, 'Script-Name' => true, 'Content-Length' => true, - 'X-Forwarded-For' => '1.2.3.4', 'Accept-Language' => 'en', 'User-Agent' => 'test', - 'Rack.request.cookie-Hash' => true, 'Rack.request.cookie-String' => true, + 'X-Forwarded-For' => '1.2.3.4', + 'Accept-Language' => 'en', + 'User-Agent' => 'test', + 'Content-Length' => '0', 'Cookie' => true ) - } + end it { expect(default_context[:ip]).to be_eql(ip) } it { expect(default_context[:library][:name]).to be_eql('castle-rb') } it { expect(default_context[:library][:version]).to be_eql(version) } diff --git a/spec/lib/castle/extractors/headers_spec.rb b/spec/lib/castle/extractors/headers_spec.rb index bf97f15c..002581e8 100644 --- a/spec/lib/castle/extractors/headers_spec.rb +++ b/spec/lib/castle/extractors/headers_spec.rb 
@@ -1,32 +1,85 @@ # frozen_string_literal: true describe Castle::Extractors::Headers do - subject(:extractor) { described_class.new(request) } + subject(:headers) { described_class.new(request).call } let(:client_id) { 'abcd' } let(:env) do - Rack::MockRequest.env_for('/', - 'HTTP_X_FORWARDED_FOR' => '1.2.3.4', - 'HTTP_OK' => 'OK', - 'TEST' => '1', - 'HTTP_COOKIE' => "__cid=#{client_id};other=efgh") + Rack::MockRequest.env_for( + '/', + 'Action-Dispatch.request.content-Type' => 'application/json', + 'HTTP_AUTHORIZATION' => 'Basic 123456', + 'HTTP_COOKIE' => "__cid=#{client_id};other=efgh", + 'HTTP_OK' => 'OK', + 'HTTP_ACCEPT' => 'application/json', + 'HTTP_X_FORWARDED_FOR' => '1.2.3.4', + 'HTTP_USER_AGENT' => 'Mozilla 1234', + 'TEST' => '1', + ) end let(:request) { Rack::Request.new(env) } - describe 'extract http headers with whitelisted and blacklisted support' do - before do - Castle.config.whitelisted += ['TEST'] + context 'when whitelist is not set in the configuration' do + it do + is_expected.to eq( + 'Accept' => 'application/json', + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => '0', + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => '1.2.3.4' + ) end + end + + context 'when whitelist is set in the configuration' do + before { Castle.config.whitelisted = %w[Accept OK] } + it do - expect(extractor.call).to eql( - 'Test' => '1', 'Ok' => true, 'Rack.version' => true, - 'Rack.input' => true, 'Rack.errors' => true, 'Rack.multithread' => true, - 'Rack.multiprocess' => true, 'Rack.run-Once' => true, 'Request-Method' => true, - 'Server-Name' => true, 'Server-Port' => true, 'Query-String' => true, - 'Path-Info' => true, 'Rack.url-Scheme' => true, 'Https' => true, - 'Script-Name' => true, 'Content-Length' => true, 'X-Forwarded-For' => '1.2.3.4', - 'Cookie' => true - ) + is_expected.to eq( + 'Accept' => 'application/json', + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => true, + 'Ok' => 'OK', + 
'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => true + ) + end + end + + context 'when blacklist is set in the configuration' do + context 'and includes User-Agent' do + before { Castle.config.blacklisted = %w[User-Agent] } + + it do + is_expected.to eq( + 'Accept' => 'application/json', + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => '0', + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => '1.2.3.4' + ) + end + end + + context 'and includes a different header' do + before { Castle.config.blacklisted = %w[Accept] } + + it do + is_expected.to eq( + 'Accept' => true, + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => '0', + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => '1.2.3.4' + ) + end end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index a539a209..ab5f920d 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -12,11 +12,14 @@ require 'castle' -Castle.configure do |config| - config.api_secret = 'secret' -end - WebMock.disable_net_connect!(allow_localhost: true) RSpec.configure do |config| + config.before(:each) do + Castle.instance_variable_set(:@configuration, Castle::Configuration.new) + + Castle.configure do |cfg| + cfg.api_secret = 'secret' + end + end end From 851f8e2f11da11215ad01bd506c3d15985fe2c00 Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 15:44:40 +0100 Subject: [PATCH 2/7] Update README and add one more spec --- README.md | 27 +++++++++++++++------- lib/castle/configuration.rb | 18 --------------- spec/lib/castle/extractors/headers_spec.rb | 11 +++++++++ 3 files changed, 30 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index dd6ac95b..a298d864 100644 --- a/README.md +++ b/README.md 
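Review bot: The specs here pin that `Authorization` and `Cookie` come out as `true` under an empty whitelist and under a blacklist, but no case puts them on the whitelist, so the "always scrubbed, even if whitelisted" rule — the branch that runs before the whitelist check in `Extractors::Headers#call` — is the one invariant with no coverage. I would add a context alongside the existing ones: `before { Castle.config.whitelisted = %w[Authorization Cookie] }` with `it { expect(headers.values_at('Authorization', 'Cookie')).to eq([true, true]) }`. The `spec_helper` hunk resets state with `Castle.instance_variable_set(:@configuration, ...)`; if `Castle` has or gains a public reset method the spec should use that rather than reaching into a private ivar, but none is visible in this series.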
@@ -67,15 +67,26 @@ Castle.configure do |config| # Whitelisted and Blacklisted headers are case insensitive and allow to use _ and - as a separator, http prefixes are removed # Whitelisted headers - # @note In case of the whitelist, we won't send the values of other headers but we will send their names - config.whitelisted = ['X_HEADER'] - # or append to default - config.whitelisted += ['http-x-header'] - - # Blacklisted headers take advantage over whitelisted elements + # By default, the SDK sends all HTTP headers, except for Cookie and Authorization. + # If you decide to use a whitelist, the SDK will: + # - always send the User-Agent header + # - send scrubbed values of non-whitelisted headers + # - send proper values of whitelisted headers. + # @example + # config.whitelisted = ['X_HEADER'] + # # will send { 'User-Agent' => 'Chrome', 'X_HEADER' => 'proper value', 'Any-Other-Header' => true } + # + # We highly suggest using blacklist instead of whitelist, so that Castle can use as many data points + # as possible to secure your users. If you want to use the whitelist, this is the minimal + # amount of headers we recommend: + config.whitelisted = %w[Accept Accept-Charset Accept-Datetime Accept-Encoding Accept-Language + Cache-Control Connection Content-Length Content-Type Cookie Host Origin + Pragma Referer TE Upgrade-Insecure-Requests User-Agent X-Castle-Client-Id] + + # Blacklisted headers take precedence over whitelisted elements + # We always blacklist Cookie and Authentication headers. If you use any other headers that + # might contain sensitive information, you should blacklist them. config.blacklisted = ['HTTP-X-header'] - # or append to default - config.blacklisted += ['X_HEADER'] end ``` diff --git a/lib/castle/configuration.rb b/lib/castle/configuration.rb index f3930d61..cfbcbb88 100644 --- a/lib/castle/configuration.rb +++ b/lib/castle/configuration.rb 
@@ -9,24 +9,6 @@ class Configuration FAILOVER_STRATEGY = :allow REQUEST_TIMEOUT = 500 # in milliseconds FAILOVER_STRATEGIES = %i[allow deny challenge throw].freeze - # @note this value is not assigned anymore. - # If you want to customize which headers you send to Castle, - # we suggest using these values as a good default. - WHITELISTED = [ - 'User-Agent', - 'Accept-Language', - 'Accept-Encoding', - 'Accept-Charset', - 'Accept', - 'Accept-Datetime', - 'X-Forwarded-For', - 'Forwarded', - 'X-Forwarded', - 'X-Real-IP', - 'REMOTE_ADDR', - 'X-Forwarded-For', - 'CF_CONNECTING_IP' - ].freeze attr_accessor :host, :port, :request_timeout, :url_prefix attr_reader :api_secret, :whitelisted, :blacklisted, :failover_strategy diff --git a/spec/lib/castle/extractors/headers_spec.rb b/spec/lib/castle/extractors/headers_spec.rb index 002581e8..d6e2cfd5 100644 --- a/spec/lib/castle/extractors/headers_spec.rb +++ b/spec/lib/castle/extractors/headers_spec.rb @@ -82,4 +82,15 @@ end end end + + context 'when a header is both whitelisted and blacklisted' do + before do + Castle.config.whitelisted = %w[Accept] + Castle.config.blacklisted = %w[Accept] + end + + it do + expect(headers['Accept']).to eq(true) + end + end end From 7d398ac2c5648e6ec2c80647d16a6d7161399968 Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 15:59:30 +0100 Subject: [PATCH 3/7] Provide the default whitelist as a constant --- README.md | 4 +--- lib/castle/configuration.rb | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a298d864..38b58bde 100644 --- a/README.md +++ b/README.md 
@@ -79,9 +79,7 @@ Castle.configure do |config| # We highly suggest using blacklist instead of whitelist, so that Castle can use as many data points # as possible to secure your users. If you want to use the whitelist, this is the minimal # amount of headers we recommend: - config.whitelisted = %w[Accept Accept-Charset Accept-Datetime Accept-Encoding Accept-Language - Cache-Control Connection Content-Length Content-Type Cookie Host Origin - Pragma Referer TE Upgrade-Insecure-Requests User-Agent X-Castle-Client-Id] + config.whitelisted = Castle::Configuration::DEFAULT_WHITELIST # Blacklisted headers take precedence over whitelisted elements # We always blacklist Cookie and Authentication headers. If you use any other headers that diff --git a/lib/castle/configuration.rb b/lib/castle/configuration.rb index cfbcbb88..96ffc2d8 100644 --- a/lib/castle/configuration.rb +++ b/lib/castle/configuration.rb @@ -10,6 +10,24 @@ class Configuration REQUEST_TIMEOUT = 500 # in milliseconds FAILOVER_STRATEGIES = %i[allow deny challenge throw].freeze + # @note this value is not assigned as we don't recommend using a whitelist. If you need to use + # one, this constant is provided as a good default. + DEFAULT_WHITELIST = %w[ + Accept + Accept-Charset + Accept-Encoding + Accept-Language + Cache-Control + Connection + Content-Length + Content-Type + Host + Origin + Pragma + Referer + X-Castle-Client-Id + ].freeze + attr_accessor :host, :port, :request_timeout, :url_prefix attr_reader :api_secret, :whitelisted, :blacklisted, :failover_strategy From 265508addd2c50e38e2ee262aa523ae9cd97cf79 Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 16:03:08 +0100 Subject: [PATCH 4/7] Make Coditsu happy --- lib/castle/extractors/headers.rb | 6 +- spec/lib/castle/context/default_spec.rb | 2 + spec/lib/castle/extractors/headers_spec.rb | 70 ++++++++++------------ spec/spec_helper.rb | 2 +- 4 files changed, 38 insertions(+), 42 deletions(-) 
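Review bot: `DEFAULT_WHITELIST` lists `Content-Type`, but `Extractors::Headers#call` (patch 1) only admits env keys starting with `HTTP_` or equal to `CONTENT_LENGTH`; Rack, following the CGI convention, exposes the Content-Type request header as `CONTENT_TYPE` with no `HTTP_` prefix, so this entry is a no-op and a whitelist copied from the README would silently never send it. Either drop it from the list or widen the extractor's filter, e.g. `next unless env_header.start_with?(HTTP_HEADER_PREFIX) || %w[CONTENT_LENGTH CONTENT_TYPE].include?(env_header)`; the comment added in patch 4 ("Rack does not add the HTTP_ prefix to Content-Length for some reason") could then name the CGI convention as the reason and mention both variables. `Cookie`, present in the README's inline list in patch 2, is rightly absent here since it is always scrubbed regardless.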
diff --git a/lib/castle/extractors/headers.rb b/lib/castle/extractors/headers.rb index 414737a3..edfb0810 100644 --- a/lib/castle/extractors/headers.rb +++ b/lib/castle/extractors/headers.rb @@ -5,13 +5,15 @@ module Extractors # used for extraction of cookies and headers from the request class Headers # Headers that we will never scrub, even if they land on the configuration blacklist. - ALWAYS_INCLUDED_HEADERS = %w[User-Agent] + ALWAYS_INCLUDED_HEADERS = %w[User-Agent].freeze # Headers that will always be scrubbed, even if whitelisted. - ALWAYS_SCRUBBED_HEADERS = %w[Cookie Authorization] + ALWAYS_SCRUBBED_HEADERS = %w[Cookie Authorization].freeze + # Rack does not add the HTTP_ prefix to Content-Length for some reason CONTENT_LENGTH = 'CONTENT_LENGTH' + # Prefix that Rack adds for HTTP headers HTTP_HEADER_PREFIX = 'HTTP_' private_constant :ALWAYS_INCLUDED_HEADERS, :ALWAYS_SCRUBBED_HEADERS, diff --git a/spec/lib/castle/context/default_spec.rb b/spec/lib/castle/context/default_spec.rb index 780bb6df..fd183a09 100644 --- a/spec/lib/castle/context/default_spec.rb +++ b/spec/lib/castle/context/default_spec.rb @@ -23,6 +23,7 @@ it { expect(default_context[:active]).to be_eql(true) } it { expect(default_context[:origin]).to be_eql('web') } + it do expect(default_context[:headers]).to be_eql( 'X-Forwarded-For' => '1.2.3.4', @@ -32,6 +33,7 @@ 'Cookie' => true ) end + it { expect(default_context[:ip]).to be_eql(ip) } it { expect(default_context[:library][:name]).to be_eql('castle-rb') } it { expect(default_context[:library][:version]).to be_eql(version) } diff --git a/spec/lib/castle/extractors/headers_spec.rb b/spec/lib/castle/extractors/headers_spec.rb index d6e2cfd5..c67adeb6 100644 --- a/spec/lib/castle/extractors/headers_spec.rb +++ b/spec/lib/castle/extractors/headers_spec.rb 
@@ -14,22 +14,20 @@ 'HTTP_ACCEPT' => 'application/json', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4', 'HTTP_USER_AGENT' => 'Mozilla 1234', - 'TEST' => '1', + 'TEST' => '1' ) end let(:request) { Rack::Request.new(env) } context 'when whitelist is not set in the configuration' do it do - is_expected.to eq( - 'Accept' => 'application/json', - 'Authorization' => true, - 'Cookie' => true, - 'Content-Length' => '0', - 'Ok' => 'OK', - 'User-Agent' => 'Mozilla 1234', - 'X-Forwarded-For' => '1.2.3.4' - ) + is_expected.to eq('Accept' => 'application/json', + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => '0', + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => '1.2.3.4') end end 
@@ -37,48 +35,42 @@ before { Castle.config.whitelisted = %w[Accept OK] } it do - is_expected.to eq( - 'Accept' => 'application/json', - 'Authorization' => true, - 'Cookie' => true, - 'Content-Length' => true, - 'Ok' => 'OK', - 'User-Agent' => 'Mozilla 1234', - 'X-Forwarded-For' => true - ) + is_expected.to eq('Accept' => 'application/json', + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => true, + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => true) end end context 'when blacklist is set in the configuration' do - context 'and includes User-Agent' do + context 'with a User-Agent' do before { Castle.config.blacklisted = %w[User-Agent] } it do - is_expected.to eq( - 'Accept' => 'application/json', - 'Authorization' => true, - 'Cookie' => true, - 'Content-Length' => '0', - 'Ok' => 'OK', - 'User-Agent' => 'Mozilla 1234', - 'X-Forwarded-For' => '1.2.3.4' - ) + is_expected.to eq('Accept' => 'application/json', + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => '0', + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => '1.2.3.4') end end - context 'and includes a different header' do + context 'with a different header' do before { Castle.config.blacklisted = %w[Accept] } it do - is_expected.to eq( - 'Accept' => true, - 'Authorization' => true, - 'Cookie' => true, - 'Content-Length' => '0', - 'Ok' => 'OK', - 'User-Agent' => 'Mozilla 1234', - 'X-Forwarded-For' => '1.2.3.4' - ) + is_expected.to eq('Accept' => true, + 'Authorization' => true, + 'Cookie' => true, + 'Content-Length' => '0', + 'Ok' => 'OK', + 'User-Agent' => 'Mozilla 1234', + 'X-Forwarded-For' => '1.2.3.4') end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index ab5f920d..cc2d71b8 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -15,7 +15,7 @@ WebMock.disable_net_connect!(allow_localhost: true) RSpec.configure do |config| - config.before(:each) do + config.before do Castle.instance_variable_set(:@configuration, Castle::Configuration.new) Castle.configure do |cfg| From dbd5e94e6c87d828f7a113e1e3b731999aa868a5 Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 16:08:31 +0100 Subject: [PATCH 5/7] Use the current list of recommended headers --- lib/castle/configuration.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/castle/configuration.rb b/lib/castle/configuration.rb index 96ffc2d8..3672e535 100644 --- a/lib/castle/configuration.rb +++ b/lib/castle/configuration.rb @@ -15,6 +15,7 @@ class Configuration DEFAULT_WHITELIST = %w[ Accept Accept-Charset + Accept-Datetime Accept-Encoding Accept-Language Cache-Control @@ -25,6 +26,8 @@ class Configuration Origin Pragma Referer + TE + Upgrade-Insecure-Requests X-Castle-Client-Id ].freeze From b9baf456fb0770ed0d30eb9d774badffc3851fea Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 17:32:08 +0100 Subject: [PATCH 6/7] Freeze tables --- lib/castle/configuration.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/castle/configuration.rb b/lib/castle/configuration.rb index 3672e535..012104ec 100644 --- a/lib/castle/configuration.rb +++ b/lib/castle/configuration.rb @@ -41,8 +41,8 @@ def initialize self.host = HOST self.port = PORT self.url_prefix = URL_PREFIX - self.whitelisted = [] - self.blacklisted = [] + self.whitelisted = [].freeze + self.blacklisted = [].freeze self.api_secret = '' end From d7b48bde4a4efe94770fe2893958e2832d383cfc Mon Sep 17 00:00:00 2001 From: Kacper Madej Date: Wed, 15 Jan 2020 17:33:19 +0100 Subject: [PATCH 7/7] Add changelog entry --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1bbb24d..78627b86 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,10 @@ ## master +**Bug fixes**: + +- [#168](https://github.com/castle/castle-ruby/pull/168) do not apply whitelisting by default + ## 3.6.0 (2020-01-07) **BREAKING CHANGES:**