This repository has been archived by the owner on May 16, 2021. It is now read-only.
/
base.rb
executable file
·114 lines (93 loc) · 2.82 KB
/
base.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
require 'rack/protection'
require 'digest'
require 'logger'
require 'uri'
module Rack
module Protection
class Base
DEFAULT_OPTIONS = {
:reaction => :default_reaction, :logging => true,
:message => 'Forbidden', :encryptor => Digest::SHA1,
:session_key => 'rack.session', :status => 403,
:allow_empty_referrer => true
}
attr_reader :app, :options
def self.default_options(options)
define_method(:default_options) { super().merge(options) }
end
def self.default_reaction(reaction)
alias_method(:default_reaction, reaction)
end
def default_options
DEFAULT_OPTIONS
end
def initialize(app, options = {})
@app, @options = app, default_options.merge(options)
end
def safe?(env)
%w[GET HEAD OPTIONS TRACE].include? env['REQUEST_METHOD']
end
def accepts?(env)
raise NotImplementedError, "#{self.class} implementation pending"
end
def call(env)
unless accepts? env
warn env, "attack prevented by #{self.class}"
result = react env
end
result or app.call(env)
end
def react(env)
result = send(options[:reaction], env)
result if Array === result and result.size == 3
end
def warn(env, message)
return unless options[:logging]
l = options[:logger] || env['rack.logger'] || ::Logger.new(env['rack.errors'])
l.warn(message)
end
def deny(env)
[options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
end
def session?(env)
env.include? options[:session_key]
end
def session(env)
return env[options[:session_key]] if session? env
fail "you need to set up a session middleware *before* #{self.class}"
end
def drop_session(env)
session(env).clear if session? env
end
def referrer(env)
ref = env['HTTP_REFERER'].to_s
return if !options[:allow_empty_referrer] and ref.empty?
URI.parse(ref).host || Request.new(env).host
end
def origin(env)
env['HTTP_ORIGIN'] || env['HTTP_X_ORIGIN']
end
def random_string(secure = defined? SecureRandom)
secure ? SecureRandom.hex(32) : "%032x" % rand(2**128-1)
rescue NotImplementedError
random_string false
end
def encrypt(value)
options[:encryptor].hexdigest value.to_s
end
alias default_reaction deny
def html?(headers)
if type = headers.detect { |k,v| k.downcase == 'content-type' }
case type.last[/^\w+\/\w+/]
when 'text/html', 'application/xhtml'
true
else
false
end
else
false
end
end
end
end
end