removing Rack::Runtime from the default stack.
The runtime header is a potential target for timing attacks, since it returns the amount of time spent on the server (eliminating network speed). Total time is also not accurate for streaming responses.

The middleware can be added back via:

```ruby
config.middleware.use ::Rack::Runtime
```
parent
55e6d2f0e3
commit
37423e4ff8
@ -188,7 +188,6 @@ An API application comes with the following middlewares by default:
|
||||
- `ActiveSupport::Cache::Strategy::LocalCache::Middleware`
|
||||
- `ActionDispatch::RequestId`
|
||||
- `Rails::Rack::Logger`
|
||||
- `Rack::Runtime`
|
||||
- `ActionDispatch::ShowExceptions`
|
||||
- `ActionDispatch::DebugExceptions`
|
||||
- `ActionDispatch::RemoteIp`
|
||||
|
@ -412,7 +412,7 @@ Ruby version 2.2.2 (x86_64-linux)
|
||||
RubyGems version 2.4.6
|
||||
Rack version 1.6
|
||||
JavaScript Runtime Node.js (V8)
|
||||
Middleware Rack::Sendfile, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007ffd131a7c88>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Reloader, ActionDispatch::Callbacks, ActiveRecord::Migration::CheckPending, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, Rack::Head, Rack::ConditionalGet, Rack::ETag
|
||||
Middleware Rack::Sendfile, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007ffd131a7c88>, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Reloader, ActionDispatch::Callbacks, ActiveRecord::Migration::CheckPending, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, Rack::Head, Rack::ConditionalGet, Rack::ETag
|
||||
Application root /home/foobar/commandsapp
|
||||
Environment development
|
||||
Database adapter sqlite3
|
||||
|
@ -106,7 +106,6 @@ use Rack::Sendfile
|
||||
use ActionDispatch::Static
|
||||
use Rack::Lock
|
||||
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x000000029a0838>
|
||||
use Rack::Runtime
|
||||
use Rack::MethodOverride
|
||||
use ActionDispatch::RequestId
|
||||
use Rails::Rack::Logger
|
||||
|
@ -1,3 +1,6 @@
|
||||
* Removed Rack::Runtime from the default stack. It can be added back via
|
||||
`config.middleware.use ::Rack::Runtime`.
|
||||
|
||||
* Add fail fast to `bin/rails test`
|
||||
|
||||
Adding `--fail-fast` or `-f` when running tests will interrupt the run on
|
||||
|
@ -63,7 +63,7 @@ module Bootstrap
|
||||
Rails.cache = ActiveSupport::Cache.lookup_store(config.cache_store)
|
||||
|
||||
if Rails.cache.respond_to?(:middleware)
|
||||
config.middleware.insert_before(::Rack::Runtime, Rails.cache.middleware)
|
||||
config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
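Review bot: The new anchor in `config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)` carries no comment explaining why RequestId was chosen, and it moves the cache middleware relative to Rack::MethodOverride. The build_stack section on this page adds Rack::MethodOverride only `unless config.api_only` and RequestId unconditionally, so RequestId looks like the nearest entry present in both stacks. The updated expectations in the middleware test show LocalCache now listed after Rack::MethodOverride instead of before it. I would add a comment above the call such as `# Anchor on RequestId: unlike Rack::MethodOverride it is present in both the full and api_only stacks.` and mention the reordering in the changelog entry. The enclosing initializer block starts outside the hunk.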
@ -47,7 +47,6 @@ def build_stack
|
||||
end
|
||||
end
|
||||
|
||||
middleware.use ::Rack::Runtime
|
||||
middleware.use ::Rack::MethodOverride unless config.api_only
|
||||
middleware.use ::ActionDispatch::RequestId
|
||||
|
||||
|
@ -27,9 +27,8 @@ def app
|
||||
"Rack::Sendfile",
|
||||
"ActionDispatch::Static",
|
||||
"ActionDispatch::LoadInterlock",
|
||||
"ActiveSupport::Cache::Strategy::LocalCache",
|
||||
"Rack::Runtime",
|
||||
"Rack::MethodOverride",
|
||||
"ActiveSupport::Cache::Strategy::LocalCache",
|
||||
"ActionDispatch::RequestId",
|
||||
"Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
|
||||
"ActionDispatch::ShowExceptions",
|
||||
@ -59,7 +58,6 @@ def app
|
||||
"ActionDispatch::Static",
|
||||
"ActionDispatch::LoadInterlock",
|
||||
"ActiveSupport::Cache::Strategy::LocalCache",
|
||||
"Rack::Runtime",
|
||||
"ActionDispatch::RequestId",
|
||||
"Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
|
||||
"ActionDispatch::ShowExceptions",
|
||||
@ -168,19 +166,19 @@ def app
|
||||
end
|
||||
|
||||
test "can delete a middleware from the stack even if insert_before is added after delete" do
|
||||
add_to_config "config.middleware.delete Rack::Runtime"
|
||||
add_to_config "config.middleware.insert_before(Rack::Runtime, Rack::Config)"
|
||||
add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
|
||||
add_to_config "config.middleware.insert_before(ActionDispatch::ShowExceptions, Rack::Config)"
|
||||
boot!
|
||||
assert middleware.include?("Rack::Config")
|
||||
assert_not middleware.include?("Rack::Runtime")
|
||||
assert_not middleware.include?("ActionDispatch::ShowExceptions")
|
||||
end
|
||||
|
||||
test "can delete a middleware from the stack even if insert_after is added after delete" do
|
||||
add_to_config "config.middleware.delete Rack::Runtime"
|
||||
add_to_config "config.middleware.insert_after(Rack::Runtime, Rack::Config)"
|
||||
add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
|
||||
add_to_config "config.middleware.insert_after(ActionDispatch::ShowExceptions, Rack::Config)"
|
||||
boot!
|
||||
assert middleware.include?("Rack::Config")
|
||||
assert_not middleware.include?("Rack::Runtime")
|
||||
assert_not middleware.include?("ActionDispatch::ShowExceptions")
|
||||
end
|
||||
|
||||
test "includes exceptions middlewares even if action_dispatch.show_exceptions is disabled" do
|
||||
@ -218,12 +216,12 @@ def app
|
||||
test "Rails.cache does not respond to middleware" do
|
||||
add_to_config "config.cache_store = :memory_store"
|
||||
boot!
|
||||
assert_equal "Rack::Runtime", middleware.fourth
|
||||
assert_equal "Rack::MethodOverride", middleware.fourth
|
||||
end
|
||||
|
||||
test "Rails.cache does respond to middleware" do
|
||||
boot!
|
||||
assert_equal "Rack::Runtime", middleware.fifth
|
||||
assert_equal "ActiveSupport::Cache::Strategy::LocalCache", middleware.fifth
|
||||
end
|
||||
|
||||
test "insert middleware before" do
|
||||
|
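Review bot: Nothing in these hunks exercises the opt-in path the changelog documents, so a regression in re-adding the middleware would go unnoticed. The stack lists in the first two hunks appear to cover its absence by default, and the delete tests now use ActionDispatch::ShowExceptions, which leaves Rack::Runtime without any test that boots with it configured. I would add a test that calls `add_to_config "config.middleware.use Rack::Runtime"`, then `boot!`, then `assert middleware.include?("Rack::Runtime")`. Since `use` appends to the end of the stack, the re-added header would presumably cover less of the request than it did in its old position, which deserves a sentence next to the opt-in instructions. The list literals in the first two hunks and the test class itself start outside the hunks.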