From 121f05f9d5485a5befb74fa1a7e8d14ad482b64d Mon Sep 17 00:00:00 2001
From: Gil Desmarais
Date: Fri, 16 Aug 2024 23:07:15 +0200
Subject: [PATCH] feat: setup rack-protection

Signed-off-by: Gil Desmarais
---
 .rubocop.yml | 2 --
 Gemfile | 1 +
 Gemfile.lock | 5 +++++
 config.ru | 13 ++++++++-----
 4 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 57ebd90..ea2258a 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -11,8 +11,6 @@ AllCops:
 Metrics/BlockLength:
   Exclude:
     - Rakefile
-  ExcludedMethods:
-    - route
 Naming/RescuedExceptionsVariableName:
   PreferredName: error
diff --git a/Gemfile b/Gemfile
index 87c56a7..b9b146c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -14,6 +14,7 @@ gem 'html2rss-configs', github: 'html2rss/html2rss-configs'
 gem 'erubi'
 gem 'parallel'
 gem 'rack-cache'
+gem 'rack-protection'
 gem 'rack-timeout'
 gem 'rack-unreloader'
 gem 'roda'
diff --git a/Gemfile.lock b/Gemfile.lock
index cba2840..d062506 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -11,6 +11,7 @@ GEM
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     ast (2.4.2)
+    base64 (0.2.0)
     byebug (11.1.3)
     concurrent-ruby (1.3.4)
     crass (1.0.6)
@@ -73,6 +74,9 @@ GEM
     rack (3.1.7)
     rack-cache (1.17.0)
       rack (>= 0.4)
+    rack-protection (4.0.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0, < 4)
     rack-timeout (0.7.0)
     rack-unreloader (2.1.0)
     rainbow (3.1.1)
@@ -158,6 +162,7 @@ DEPENDENCIES
   parallel
   puma
   rack-cache
+  rack-protection
   rack-timeout
   rack-unreloader
   rake
diff --git a/config.ru b/config.ru
index 270d545..b59729b 100644
--- a/config.ru
+++ b/config.ru
@@ -3,21 +3,24 @@
 require 'rubygems'
 require 'bundler/setup'
 require 'rack-timeout'
+require 'rack/protection'
+require 'rack/protection/path_traversal'
 
 use Rack::Timeout
-
-dev = ENV.fetch('RACK_ENV', nil) == 'development'
+use Rack::Protection
+use Rack::Protection::PathTraversal
 
 requires = Dir['app/**/*.rb']
 
-if dev
+if ENV.fetch('RACK_ENV', nil) == 'development'
   require 'logger'
+  require 'rack/unreloader'
+
   logger = Logger.new($stdout)
 
-  require 'rack/unreloader'
   Unreloader = Rack::Unreloader.new(subclasses: %w[Roda Html2rss],
                                     logger:,
-                                    reload: dev) do
+                                    reload: true) do
     Html2rss::Web::App
   end
   Unreloader.require('app.rb') { 'Html2rss::Web::App' }
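Review bot: The added `use Rack::Protection::PathTraversal` (and its `require 'rack/protection/path_traversal'`) duplicates what the preceding `use Rack::Protection` already installs, since the rack-protection builder enables PathTraversal by default and `require 'rack/protection'` already loads that class, so the new stack runs the same path check twice per request; dropping those two lines keeps the behaviour and leaves the explicit `use` list showing only what is actually custom. The default set also includes the session-backed protections (RemoteToken, SessionHijacking); whether a session middleware is mounted before this point is not visible in the hunk, and if none is, `use Rack::Protection, without_session: true` is the documented way to skip them rather than letting them fail on requests that reach them. It is also worth confirming the default HttpOrigin and JsonCsrf checks against any non-HTML or cross-origin endpoints the app serves, as those are the defaults most likely to reject legitimate traffic. A short comment above the `use` lines naming which protections are intended and why would help the next reader judge that.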