Class: ActionDispatch::HostAuthorization

Inherits:

Object

Object
ActionDispatch::HostAuthorization

Defined in:: lib/action_dispatch/middleware/host_authorization.rb

Overview

This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.

Requests can opt-out of Host Authorization with exclude:

config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }

When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run, which responds with 403 Forbidden.

Defined Under Namespace

Classes: Permissions

Constant Summary collapse

DEFAULT_RESPONSE_APP =

-> env do
  request = Request.new(env)

  format = request.xhr? ? "text/plain" : "text/html"
  template = DebugView.new(host: request.host)
  body = template.render(template: "rescues/blocked_host", layout: "rescues/layout")

  [403, {
    "Content-Type" => "#{format}; charset=#{Response.default_charset}",
    "Content-Length" => body.bytesize.to_s,
  }, [body]]
end

Instance Method Summary collapse

#call(env) ⇒ Object
#initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil) ⇒ HostAuthorization constructor

A new instance of HostAuthorization.

Constructor Details

#initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil) ⇒ `HostAuthorization`

Returns a new instance of HostAuthorization.

# File 'lib/action_dispatch/middleware/host_authorization.rb', line 74

def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
  @app = app
  @permissions = Permissions.new(hosts)
  @exclude = exclude

  unless deprecated_response_app.nil?
    ActiveSupport::Deprecation.warn(<<-MSG.squish)
      `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 6.2.
      Use the Host Authorization `response_app` setting instead.
    MSG

    response_app ||= deprecated_response_app
  end

  @response_app = response_app || DEFAULT_RESPONSE_APP
end

Instance Method Details

#call(env) ⇒ `Object`

# File 'lib/action_dispatch/middleware/host_authorization.rb', line 91

def call(env)
  return @app.call(env) if @permissions.empty?

  request = Request.new(env)

  if authorized?(request) || excluded?(request)
    mark_as_authorized(request)
    @app.call(env)
  else
    @response_app.call(env)
  end
end