Class: ActionDispatch::HostAuthorization
- Inherits:
-
Object
- Object
- ActionDispatch::HostAuthorization
- Defined in:
- lib/action_dispatch/middleware/host_authorization.rb
Overview
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to.
When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run, which responds with 403 Forbidden.
Defined Under Namespace
Classes: Permissions
Constant Summary collapse
- ALLOWED_HOSTS_IN_DEVELOPMENT =
[".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
- PORT_REGEX =
:nodoc:
/(?::\d+)/- IPV4_HOSTNAME =
:nodoc:
/(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/- IPV6_HOSTNAME =
:nodoc:
/(?<host>[a-f0-9]*:[a-f0-9.:]+)/i- IPV6_HOSTNAME_WITH_PORT =
:nodoc:
/\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i- VALID_IP_HOSTNAME =
:nodoc:
Regexp.union( # :nodoc: /\A#{IPV4_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME_WITH_PORT}\z/, )
- DEFAULT_RESPONSE_APP =
-> env do request = Request.new(env) format = request.xhr? ? "text/plain" : "text/html" template = DebugView.new(host: request.host) body = template.render(template: "rescues/blocked_host", layout: "rescues/layout") [403, { "Content-Type" => "#{format}; charset=#{Response.default_charset}", "Content-Length" => body.bytesize.to_s, }, [body]] end
Instance Method Summary collapse
- #call(env) ⇒ Object
-
#initialize(app, hosts, response_app = nil) ⇒ HostAuthorization
constructor
A new instance of HostAuthorization.
Constructor Details
#initialize(app, hosts, response_app = nil) ⇒ HostAuthorization
Returns a new instance of HostAuthorization.
90 91 92 93 94 |
# File 'lib/action_dispatch/middleware/host_authorization.rb', line 90 def initialize(app, hosts, response_app = nil) @app = app @permissions = Permissions.new(hosts) @response_app = response_app || DEFAULT_RESPONSE_APP end |