feat: setup rack-protection

Signed-off-by: Gil Desmarais <[email protected]>

Author: gildesmarais

.rubocop.yml

@@ -11,8 +11,6 @@ AllCops:
 Metrics/BlockLength:
   Exclude:
     - Rakefile
-  ExcludedMethods:
-    - route
 
 Naming/RescuedExceptionsVariableName:
   PreferredName: error

Gemfile

@@ -14,6 +14,7 @@ gem 'html2rss-configs', github: 'html2rss/html2rss-configs'
 gem 'erubi'
 gem 'parallel'
 gem 'rack-cache'
+gem 'rack-protection'
 gem 'rack-timeout'
 gem 'rack-unreloader'
 gem 'roda'

Gemfile.lock

@@ -11,6 +11,7 @@ GEM
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     ast (2.4.2)
+    base64 (0.2.0)
     byebug (11.1.3)
     concurrent-ruby (1.3.4)
     crass (1.0.6)
@@ -73,6 +74,9 @@ GEM
     rack (3.1.7)
     rack-cache (1.17.0)
       rack (>= 0.4)
+    rack-protection (4.0.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0, < 4)
     rack-timeout (0.7.0)
     rack-unreloader (2.1.0)
     rainbow (3.1.1)
@@ -158,6 +162,7 @@ DEPENDENCIES
   parallel
   puma
   rack-cache
+  rack-protection
   rack-timeout
   rack-unreloader
   rake

config.ru

@@ -3,21 +3,24 @@
 require 'rubygems'
 require 'bundler/setup'
 require 'rack-timeout'
+require 'rack/protection'
+require 'rack/protection/path_traversal'
 
 use Rack::Timeout
-
-dev = ENV.fetch('RACK_ENV', nil) == 'development'
+use Rack::Protection
+use Rack::Protection::PathTraversal
 
 requires = Dir['app/**/*.rb']
 
-if dev
+if ENV.fetch('RACK_ENV', nil) == 'development'
   require 'logger'
+  require 'rack/unreloader'
+
   logger = Logger.new($stdout)
 
-  require 'rack/unreloader'
   Unreloader = Rack::Unreloader.new(subclasses: %w[Roda Html2rss],
                                     logger:,
-                                    reload: dev) do
+                                    reload: true) do
                                       Html2rss::Web::App
                                     end
   Unreloader.require('app.rb') { 'Html2rss::Web::App' }