Introduce a guard against DNS rebinding attacks

The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
author: Genadi Samokovarov <gsamokovarov@gmail.com> 2018-06-14 11:09:00 +0300
committer: Genadi Samokovarov <gsamokovarov@gmail.com> 2018-12-15 20:18:51 +0200
commit: 07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f (patch)
tree: f6c0bde72b359af9ca6a8e4a1937bc4b2a848563 /railties/test
parent: ce48b5a366482d4b4c4c053e1e39e79d71987197 (diff)
download: rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.gz
rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.bz2
rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.zip
2 files changed, 10 insertions, 6 deletions
diff --git a/railties/test/application/middleware_test.rb b/railties/test/application/middleware_test.rb
index 631f5bac7f..a6396d3509 100644
--- a/railties/test/application/middleware_test.rb
+++ b/railties/test/application/middleware_test.rb
@@ -26,6 +26,7 @@ module ApplicationTests
 
       assert_equal [
         "Webpacker::DevServerProxy",
+        "ActionDispatch::HostAuthorization",
         "Rack::Sendfile",
         "ActionDispatch::Static",
         "ActionDispatch::Executor",
@@ -58,6 +59,7 @@ module ApplicationTests
 
       assert_equal [
         "Webpacker::DevServerProxy",
+        "ActionDispatch::HostAuthorization",
         "Rack::Sendfile",
         "ActionDispatch::Static",
         "ActionDispatch::Executor",
@@ -140,7 +142,7 @@ module ApplicationTests
       add_to_config "config.ssl_options = { redirect: { host: 'example.com' } }"
       boot!
 
-      assert_equal [{ redirect: { host: "example.com" } }], Rails.application.middleware[1].args
+      assert_equal [{ redirect: { host: "example.com" } }], Rails.application.middleware[2].args
     end
 
     test "removing Active Record omits its middleware" do
@@ -224,7 +226,7 @@ module ApplicationTests
     test "insert middleware after" do
       add_to_config "config.middleware.insert_after Rack::Sendfile, Rack::Config"
       boot!
-      assert_equal "Rack::Config", middleware.third
+      assert_equal "Rack::Config", middleware.fourth
     end
 
     test "unshift middleware" do
@@ -236,19 +238,19 @@ module ApplicationTests
     test "Rails.cache does not respond to middleware" do
       add_to_config "config.cache_store = :memory_store"
       boot!
-      assert_equal "Rack::Runtime", middleware.fifth
+      assert_equal "Rack::Runtime", middleware[5]
     end
 
     test "Rails.cache does respond to middleware" do
       boot!
-      assert_equal "ActiveSupport::Cache::Strategy::LocalCache", middleware.fifth
-      assert_equal "Rack::Runtime", middleware[5]
+      assert_equal "ActiveSupport::Cache::Strategy::LocalCache", middleware[5]
+      assert_equal "Rack::Runtime", middleware[6]
     end
 
     test "insert middleware before" do
       add_to_config "config.middleware.insert_before Rack::Sendfile, Rack::Config"
       boot!
-      assert_equal "Rack::Config", middleware.second
+      assert_equal "Rack::Config", middleware.third
     end
 
     test "can't change middleware after it's built" do
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index d4eed69a87..39c936428f 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -197,6 +197,7 @@ module TestHelpers
       end
 
       add_to_config <<-RUBY
+        config.hosts << proc { true }
         config.eager_load = false
         config.session_store :cookie_store, key: "_myapp_session"
         config.active_support.deprecation = :log
@@ -220,6 +221,7 @@ module TestHelpers
       @app = Class.new(Rails::Application) do
         def self.name; "RailtiesTestApp"; end
       end
+      @app.config.hosts << proc { true }
       @app.config.eager_load = false
       @app.config.session_store :cookie_store, key: "_myapp_session"
       @app.config.active_support.deprecation = :log
author	Genadi Samokovarov <gsamokovarov@gmail.com>	2018-06-14 11:09:00 +0300
committer	Genadi Samokovarov <gsamokovarov@gmail.com>	2018-12-15 20:18:51 +0200
commit	07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f (patch)
tree	f6c0bde72b359af9ca6a8e4a1937bc4b2a848563 /railties/test
parent	ce48b5a366482d4b4c4c053e1e39e79d71987197 (diff)
download	rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.gz rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.bz2 rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.zip