Add optional middleware for disabling HTTP TRACE

Author: citizen428

README.md

@@ -27,6 +27,12 @@ To get going clone this repository and perform the following steps:
 * [New Relic](https://newrelic.com) is pre configured in `config/newrelic.yml`, 
   but you need to comment in the environment variables for it work on Heroku 
   (lines 10 and 17).
+  
+## Configuration options
+
+| Option                    | Comment                                  |
+| ---                       | ---                                      |
+| Disable HTTP TRACE method | Set BLOCK_HTTP_TRACE env var to true/t/1 |
 
 ## Contents
 

config/application.rb

@@ -2,6 +2,8 @@
 
 require 'rails/all'
 
+require_relative '../lib/rack/reject_methods'
+
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
 Bundler.require(*Rails.groups)
@@ -31,6 +33,10 @@ class Application < Rails::Application
       g.javascripts false
       g.stylesheets false
       g.view_specs  false
+
+      if ENV['BLOCK_HTTP_TRACE'].in?(%w(true t 1))
+        config.middleware.use Rack::RejectMethods
+      end
     end
   end
 end

lib/rack/reject_methods.rb

@@ -0,0 +1,19 @@
+module Rack
+  class RejectMethods
+    METHOD_BLACKLIST = %w(TRACE).freeze
+
+    def initialize(app)
+      @app = app
+      @blacklist = blacklist
+    end
+
+    def call(env)
+      return @app.call(env) unless @blacklist.include?(env['REQUEST_METHOD'])
+      [405, {}, ["TRACE requests not allowed!\n"]]
+    end
+
+    private def blacklist
+      ENV.fetch('HTTP_METHOD_BLACKLIST'.split(',')) { METHOD_BLACKLIST }
+    end
+  end
+end