From ea4f6198111bc75d1bb32bb15f0cae1ab65a6de6 Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Fri, 8 Sep 2017 10:39:52 -0400
Subject: [PATCH] Filter headers via Middleware

**Why**: The values are untrusted
---
 Gemfile | 1 +
 Gemfile.lock | 2 ++
 config/application.rb | 2 ++
 spec/requests/headers_spec.rb | 9 +++++++++
 4 files changed, 14 insertions(+)
 create mode 100644 spec/requests/headers_spec.rb

diff --git a/Gemfile b/Gemfile
index 751f733bb0b..d694ca787f6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -31,6 +31,7 @@ gem 'phony_rails'
 gem 'premailer-rails'
 gem 'proofer', github: '18F/identity-proofer-gem', branch: 'master'
 gem 'rack-cors', require: 'rack/cors'
+gem 'rack-headers_filter'
 gem 'rack-timeout'
 gem 'readthis'
 gem 'redis-session-store', github: '18F/redis-session-store', branch: 'master'
diff --git a/Gemfile.lock b/Gemfile.lock
index e79488ee61d..4bf4b3f6f4e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -415,6 +415,7 @@ GEM
     rack-attack (5.0.1)
       rack
     rack-cors (0.4.1)
+    rack-headers_filter (0.0.1)
     rack-mini-profiler (0.10.5)
       rack (>= 1.2.0)
     rack-protection (2.0.0)
@@ -714,6 +715,7 @@ DEPENDENCIES
   proofer!
   pry-byebug
   rack-cors
+  rack-headers_filter
   rack-mini-profiler
   rack-test
   rack-timeout
diff --git a/config/application.rb b/config/application.rb
index 59cd2d469da..b851ce627c5 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -33,6 +33,8 @@ class Application < Rails::Application
       event.payload.except(:params, :headers)
     end
 
+    config.middleware.insert_before 0, Rack::HeadersFilter
+
     config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'
diff --git a/spec/requests/headers_spec.rb b/spec/requests/headers_spec.rb
new file mode 100644
index 00000000000..70d91a9d9f5
--- /dev/null
+++ b/spec/requests/headers_spec.rb
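Review bot: In config/application.rb the new `config.middleware.insert_before 0, Rack::HeadersFilter` is immediately followed by the existing `config.middleware.insert_before 0, Rack::Cors do`, so Rack::Cors ends up outermost and handles the request before the header filter has run. As far as I can tell Rack::Cors keys on the Origin header rather than the forwarded host, so this is probably harmless today, but if the filter is meant to be the first middleware to see client-supplied headers it should be inserted after the Cors block, or registered as `config.middleware.insert_after Rack::Cors, Rack::HeadersFilter`, so a future `insert_before 0` cannot silently move it inward. The line also deserves a why-comment, since nothing in the hunk says which headers are dropped or why; something like `# Strip client-supplied forwarding headers so untrusted host values never reach url_for / host checks` (confirm the exact header list against the gem's documentation). The Application class body continues outside the hunk.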
@@ -0,0 +1,9 @@ +require 'rails_helper' + +RSpec.describe 'Headers' do + it 'does not reflect header host values' do + get root_path, headers: { 'X-Forwarded-Host' => 'evil.com' } + + expect(response.body).to_not include('evil.com') + end +end
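Review bot: The spec's only assertion, `expect(response.body).to_not include('evil.com')`, passes vacuously whenever the root page does not render the request host at all, so it does not actually prove the middleware removed the header. A direct check on the request as the app saw it would pin the behaviour, e.g. `expect(request.env).not_to have_key('HTTP_X_FORWARDED_HOST')` (request specs run through the full middleware stack, so `request.env` should reflect the filtered env — confirm). It would also be worth asserting that `response.location` does not point at evil.com in case the root route redirects, and covering each header the filter is expected to strip rather than only X-Forwarded-Host. Style nit: RSpec's preferred negation is `not_to` rather than `to_not`.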