Module: WebPushPatch

Defined in:
lib/freedom_patches/web_push_request.rb

Overview

This is a patch to avoid the direct use of `Net::HTTP` in the `webpush` gem and instead rely on `FinalDestination::HTTP`, which protects us from DNS rebinding attacks as well as server-side request forgery (SSRF).

This patch is considered temporary until we can decide on a longer-term solution. In the meantime, we need to patch the SSRF vulnerability being exposed by this gem.

Instance Method Summary

Instance Method Details

#perform ⇒ Object



# File 'lib/freedom_patches/web_push_request.rb', line 9

def perform
  http = FinalDestination::HTTP.new(uri.host, uri.port, *proxy_options)
  http.use_ssl = true
  http.ssl_timeout = @options[:ssl_timeout] unless @options[:ssl_timeout].nil?
  http.open_timeout = @options[:open_timeout] unless @options[:open_timeout].nil?
  http.read_timeout = @options[:read_timeout] unless @options[:read_timeout].nil?

  req = FinalDestination::HTTP::Post.new(uri.request_uri, headers)
  req.body = body

  resp = http.request(req)
  verify_response(resp)

  resp
end
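
The kind of protection the overview attributes to `FinalDestination::HTTP`, sketched as an added example (this is not the project's code, and it does not show how `FinalDestination::HTTP` is implemented): resolve the host once, reject internal addresses, then pin the connection to the vetted address with the standard `Net::HTTP#ipaddr=` so a rebinding DNS answer cannot redirect the socket. The helper names, the range list, the injected resolver and the host `push.example` are assumptions made for illustration.

```ruby
require "ipaddr"
require "net/http"
require "uri"

# Illustrative, non-exhaustive list of ranges a server-side fetcher should not reach.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

class BlockedDestination < StandardError; end

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:127.0.0.1 is checked as 127.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Resolve once and refuse the host if any answer is internal (this example's policy).
def vetted_ip(host, resolver)
  ips = resolver.call(host)
  raise BlockedDestination, "#{host}: no addresses" if ips.empty?
  bad = ips.find { |ip| blocked_ip?(ip) }
  raise BlockedDestination, "#{host} resolves to #{bad}" if bad
  ips.first
end

# Pin the client to the vetted address so connect performs no second DNS lookup.
def pinned_http(url, resolver)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = uri.scheme == "https"
  http.ipaddr = vetted_ip(uri.host, resolver) # Host header and TLS name stay uri.host
  http
end

# Constructed resolver simulating rebinding: public answer first, loopback afterwards.
def rebinding_resolver
  answers = [["203.0.113.10"], ["127.0.0.1"]]
  calls = 0
  ->(_host) { answers[[calls, answers.size - 1].min].tap { calls += 1 } }
end

def demo
  resolver = rebinding_resolver
  http = pinned_http("https://push.example/send", resolver)
  later = resolver.call("push.example") # what an unpinned client would resolve at connect
  { pinned: http.ipaddr, later: later, later_blocked: blocked_ip?(later.first) }
end
```

Outside the demo, the resolver argument would wrap a real lookup such as `Addrinfo.getaddrinfo(host, nil, nil, :STREAM).map(&:ip_address)`.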