add IP spoofing protection
This commit is contained in:
parent
86e9828c23
commit
4741e7af48
|
@ -70,6 +70,13 @@ Prevented by:
|
|||
|
||||
* `Rack::Protection::SessionHijacking`
|
||||
|
||||
## IP Spoofing
|
||||
|
||||
|
||||
Prevented by:
|
||||
|
||||
* `Rack::Protection::IPSpoofing`
|
||||
|
||||
# Installation
|
||||
|
||||
gem install rack-protection
|
||||
|
|
|
@ -8,6 +8,7 @@ module Rack
|
|||
autoload :EscapedParams, 'rack/protection/escaped_params'
|
||||
autoload :FormToken, 'rack/protection/form_token'
|
||||
autoload :FrameOptions, 'rack/protection/frame_options'
|
||||
autoload :IPSpoofing, 'rack/protection/ip_spoofing'
|
||||
autoload :JsonCsrf, 'rack/protection/json_csrf'
|
||||
autoload :NoReferrer, 'rack/protection/no_referrer'
|
||||
autoload :PathTraversal, 'rack/protection/path_traversal'
|
||||
|
@ -22,6 +23,7 @@ module Rack
|
|||
Rack::Builder.new do
|
||||
use EscapedParams, options unless except.include? :escaped_params
|
||||
use FrameOptions, options unless except.include? :frame_options
|
||||
use IPSpoofing, options unless except.include? :ip_spoofing
|
||||
use JsonCsrf, options unless except.include? :json_csrf
|
||||
use PathTraversal, options unless except.include? :path_traversal
|
||||
use RemoteToken, options unless except.include? :remote_token
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
require 'rack/protection'
|
||||
|
||||
module Rack
|
||||
module Protection
|
||||
##
|
||||
# Prevented attack:: IP spoofing
|
||||
# Supported browsers:: all
|
||||
# More infos:: http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/
|
||||
#
|
||||
# Detect (some) IP spoofing attacks.
|
||||
class IPSpoofing < Base
|
||||
default_reaction :deny
|
||||
|
||||
def accepts?(env)
|
||||
return true unless env.include? 'HTTP_X_FORWARDED_FOR'
|
||||
ips = env['HTTP_X_FORWARDED_FOR'].split /\s*,\s*/
|
||||
return false if env.include? 'HTTP_CLIENT_IP' and not ips.include? env['HTTP_CLIENT_IP']
|
||||
return false if env.include? 'HTTP_X_REAL_IP' and not ips.include? env['HTTP_X_REAL_IP']
|
||||
true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,11 @@
|
|||
require File.expand_path('../spec_helper.rb', __FILE__)
|
||||
|
||||
describe Rack::Protection::IPSpoofing do
|
||||
it_behaves_like "any rack application"
|
||||
it 'accepts requests without X-Forward-For header'
|
||||
it 'accepts requests with proper X-Forward-For header'
|
||||
it 'denies requests where the client spoofs X-Forward-For but not the IP'
|
||||
it 'denies requests where the client spoofs the IP but not X-Forward-For'
|
||||
it 'denies requests where IP and X-Forward-For are spoofed but not X-Real-IP'
|
||||
it 'denies requests where X-Real-IP is spoofed'
|
||||
end
|
Loading…
Reference in New Issue