From 2ddeb831e40c0a9abda53ee1ffcd721f9fc03382 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 13 Jul 2015 13:07:18 -0400 Subject: [PATCH 1/2] Update middleman-hashicorp --- website/Gemfile.lock | 47 ++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/website/Gemfile.lock b/website/Gemfile.lock index 9448c1f9a..232c9286b 100644 --- a/website/Gemfile.lock +++ b/website/Gemfile.lock @@ -1,6 +1,6 @@ GIT remote: git://github.com/hashicorp/middleman-hashicorp.git - revision: 7796ba44d303ac8e1b566e855e2766e6d0f695fc + revision: 76f0f284ad44cea0457484ea83467192f02daf87 specs: middleman-hashicorp (0.1.0) bootstrap-sass (~> 3.3) @@ -11,6 +11,7 @@ GIT middleman-minify-html (~> 3.4) middleman-syntax (~> 2.0) rack-contrib (~> 1.2) + rack-protection (~> 1.5) rack-rewrite (~> 1.5) rack-ssl-enforcer (~> 0.2) redcarpet (~> 3.2) @@ -20,18 +21,18 @@ GIT GEM remote: https://rubygems.org/ specs: - activesupport (4.1.10) + activesupport (4.1.12) i18n (~> 0.6, >= 0.6.9) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) thread_safe (~> 0.1) tzinfo (~> 1.1) - autoprefixer-rails (5.2.0) + autoprefixer-rails (5.2.1) execjs json - bootstrap-sass (3.3.4.1) + bootstrap-sass (3.3.5.1) autoprefixer-rails (>= 5.0.0.1) - sass (>= 3.2.19) + sass (>= 3.3.0) builder (3.2.2) celluloid (0.16.0) timers (~> 4.0.0) @@ -53,14 +54,15 @@ GEM sass (>= 3.3.0, < 3.5) compass-import-once (1.0.5) sass (>= 3.2, < 3.5) - daemons (1.2.2) + daemons (1.2.3) em-websocket (0.5.1) eventmachine (>= 0.12.9) http_parser.rb (~> 0.6.0) erubis (2.7.0) eventmachine (1.0.7) execjs (2.5.2) - ffi (1.9.8) + ffi (1.9.10) + git-version-bump (0.15.1) haml (4.0.6) tilt hike (1.2.3) @@ -71,11 +73,11 @@ GEM http_parser.rb (0.6.0) i18n (0.7.0) json (1.8.3) - kramdown (1.7.0) + kramdown (1.8.0) less (2.6.0) commonjs (~> 0.2.7) - libv8 (3.16.14.7) - listen (2.10.0) + libv8 (3.16.14.11) + listen (2.10.1) celluloid (~> 0.16.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) 
@@ -118,17 +120,20 @@ GEM middleman-core (~> 3.2) rouge (~> 1.0) minitest (5.7.0) - multi_json (1.11.1) + multi_json (1.11.2) padrino-helpers (0.12.5) i18n (~> 0.6, >= 0.6.7) padrino-support (= 0.12.5) tilt (~> 1.4.1) padrino-support (0.12.5) activesupport (>= 3.1) - rack (1.6.1) - rack-contrib (1.2.0) - rack (>= 0.9.1) - rack-livereload (0.3.15) + rack (1.6.4) + rack-contrib (1.3.0) + git-version-bump (~> 0.15) + rack (~> 1.4) + rack-livereload (0.3.16) + rack + rack-protection (1.5.3) rack rack-rewrite (1.5.1) rack-ssl-enforcer (0.2.8) @@ -137,11 +142,11 @@ GEM rb-fsevent (0.9.5) rb-inotify (0.9.5) ffi (>= 0.5.0) - redcarpet (3.3.1) - ref (1.0.5) - rouge (1.9.0) - sass (3.4.14) - sprockets (2.12.3) + redcarpet (3.3.2) + ref (2.0.0) + rouge (1.9.1) + sass (3.4.16) + sprockets (2.12.4) hike (~> 1.2) multi_json (~> 1.0) rack (~> 1.0) @@ -177,4 +182,4 @@ DEPENDENCIES middleman-hashicorp! BUNDLED WITH - 1.10.3 + 1.10.5 From d86a608db818ec427a993a77d9ebc42d42fd89fd Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 13 Jul 2015 13:07:24 -0400 Subject: [PATCH 2/2] Use Rack::Protection --- website/config.ru | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/website/config.ru b/website/config.ru index 5cf4e322d..669f200cf 100644 --- a/website/config.ru +++ b/website/config.ru @@ -3,6 +3,17 @@ require "rack/contrib/not_found" require "rack/contrib/response_headers" require "rack/contrib/static_cache" require "rack/contrib/try_static" +require "rack/protection" + +# Protect against various bad things +use Rack::Protection::JsonCsrf +use Rack::Protection::RemoteReferrer +use Rack::Protection::HttpOrigin +use Rack::Protection::EscapedParams +use Rack::Protection::XSSHeader +use Rack::Protection::FrameOptions +use Rack::Protection::PathTraversal +use Rack::Protection::IPSpoofing # Properly compress the output if the client can handle it. use Rack::Deflater
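Review bot: The comment `# Protect against various bad things` above the eight `use Rack::Protection::*` lines does not say what is guarded against or why this hand-picked subset is used instead of `use Rack::Protection`, whose default bundle also pulls in the session-backed `SessionHijacking` and `RemoteToken`, so a later maintainer cannot tell whether their omission is deliberate; I would replace it with `# Explicit Rack::Protection subset: response-header hardening (XSSHeader, FrameOptions), request-origin/referrer/path/IP checks, and param escaping. Session-backed protections are left out on purpose because no session middleware is loaded here.` (the rest of config.ru is outside this hunk, so confirm no session store is added further down). Two runtime caveats deserve a line each: `IPSpoofing` rejects a request when `X-Forwarded-For` disagrees with `Client-IP`/`X-Real-IP`, which can turn into spurious 403s behind a CDN or load balancer unless those headers are known to be set consistently, and `EscapedParams` HTML-escapes every incoming parameter in place, harmless for a static build but surprising to any downstream handler that expects raw params. Since `use` order is outermost-first, these middlewares wrap `Rack::Deflater` and everything registered after it, which is the intended placement.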