doorkeeper 4.4.1 → 4.4.2





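--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b9ce63cc5f416a440c8cbe59270d0d144d2b46f8
-  data.tar.gz: 967e49192bf978a3c22997fd9d239b3046dddda3
+  metadata.gz: c92e80cb652104645d4ec7634af2c3699f90da68
+  data.tar.gz: 3d3e22b8dfa7288c8a120645db4cc4193809d60f
 SHA512:
-  metadata.gz: cc82ecfb4737159081c5bb1aedff072522ae2b191272e1eb00966b6a999e2ab99ea094fe4fa7c1924ee344e33978b6b436af37cabde22a4ac5f3a67e240737a1
-  data.tar.gz: d1e5bf52498a3ccbcf5fdc8ea9bb4ab99e3a17c16ee2ecac860e4ffe720a63375b9c9a7e347d9564dee625a4fd8804723c3dad97340f6a2f31132fde06a0e548
+  metadata.gz: e6546445a2ab9db13ff53fe16633b8769f1c70b1b76931e9709346984cb8aed18eec91a5a4fa29c2f06786999c0e87697897064603a918b868bd55b32874faa8
+  data.tar.gz: 7717301a83ea02e249e8cc121bd0894cb08fafa272340715829de78020bb6428d3d8c7764ed5200c7e22ecf9bb99c5f206503ae938e89ed1817620c1f42388cd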
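--- a/data/NEWS.md
+++ b/data/NEWS.md
@@ -4,6 +4,9 @@ User-visible changes worth mentioning.
 
 ## master
 
+## 4.4.2
+- [#1130] Backport fix for native redirect_uri from 5.x.
+
 ## 4.4.1
 
 - [#1127] Backport token type to comply with the RFC6750 specification.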
@@ -3,6 +3,7 @@ module Doorkeeper
3
3
  module Helpers
4
4
  module URIChecker
5
5
  def self.valid?(url)
6
+ return true if native_uri?(url)
6
7
  uri = as_uri(url)
7
8
  uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
8
9
  rescue URI::InvalidURIError
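Review bot: The new early return `return true if native_uri?(url)` in `valid?` would read better with a comment saying why the native URI skips the structural checks: the out-of-band URN carries no host, so the `!uri.host.nil?` test on the next lines would otherwise reject it. Suggested: `# The native (out-of-band) URN has no host, so the structural checks below would reject it.` The `native_uri?` predicate is not in this hunk, so what exactly counts as native cannot be confirmed here, and the method's rescue clause continues past the end of the hunk.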
@@ -57,9 +57,11 @@ module Doorkeeper
57
57
 
58
58
  # TODO: test uri should be matched against the client's one
59
59
  def validate_redirect_uri
60
- return false unless redirect_uri.present?
61
- Helpers::URIChecker.native_uri?(redirect_uri) ||
62
- Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
60
+ return false if redirect_uri.blank?
61
+
62
+ Helpers::URIChecker.valid_for_authorization?(
63
+ redirect_uri, client.redirect_uri
64
+ )
63
65
  end
64
66
  end
65
67
  end
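Review bot: The context line `# TODO: test uri should be matched against the client's one` above `validate_redirect_uri` is now stale, because the rewritten body sends every redirect_uri, native or not, through `Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)`, which is exactly the matching the TODO asked for. Replace it with a comment stating the invariant the change introduces, e.g. `# A native (out-of-band) redirect_uri is no longer accepted unconditionally; it must be registered on the client like any other.` Whether `valid_for_authorization?` itself treats the native URN specially is outside this hunk, so that helper should be checked before the wording is finalized.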
@@ -28,7 +28,7 @@ HEREDOC
28
28
  # Semantic versioning
29
29
  MAJOR = 4
30
30
  MINOR = 4
31
- TINY = 1
31
+ TINY = 2
32
32
 
33
33
  # Full version number
34
34
  STRING = [MAJOR, MINOR, TINY].compact.join('.')
@@ -104,5 +104,20 @@ module Doorkeeper::OAuth
104
104
  expect(subject.error).to eq(:invalid_grant)
105
105
  end
106
106
  end
107
+
108
+ context "when redirect_uri is the native one" do
109
+ let(:redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
110
+
111
+ it "invalidates when redirect_uri of the grant is not native" do
112
+ subject.validate
113
+ expect(subject.error).to eq(:invalid_grant)
114
+ end
115
+
116
+ it "validates when redirect_uri of the grant is also native" do
117
+ allow(grant).to receive(:redirect_uri) { redirect_uri }
118
+ subject.validate
119
+ expect(subject.error).to eq(nil)
120
+ end
121
+ end
107
122
  end
108
123
  end
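Review bot: `expect(subject.error).to eq(nil)` in the new "validates when redirect_uri of the grant is also native" example is better written as `expect(subject.error).to be_nil`, the idiomatic RSpec matcher with a clearer failure message. The enclosing describe block begins before this hunk.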
@@ -5,6 +5,11 @@ require 'doorkeeper/oauth/helpers/uri_checker'
5
5
  module Doorkeeper::OAuth::Helpers
6
6
  describe URIChecker do
7
7
  describe '.valid?' do
8
+ it 'is valid for native uris' do
9
+ uri = 'urn:ietf:wg:oauth:2.0:oob'
10
+ expect(URIChecker.valid?(uri)).to be_truthy
11
+ end
12
+
8
13
  it 'is valid for valid uris' do
9
14
  uri = 'http://app.co'
10
15
  expect(URIChecker.valid?(uri)).to be_truthy
@@ -123,14 +123,19 @@ module Doorkeeper::OAuth
123
123
  expect(subject.scopes).to eq(Scopes.from_string('default'))
124
124
  end
125
125
 
126
- it 'accepts test uri' do
127
- subject.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
128
- expect(subject).to be_authorizable
129
- end
126
+ context 'with native redirect uri' do
127
+ let(:native_redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
130
128
 
131
- it 'matches the redirect uri against client\'s one' do
132
- subject.redirect_uri = 'http://nothesame.com'
133
- expect(subject).not_to be_authorizable
129
+ it 'accepts redirect_uri when it matches with the client' do
130
+ subject.redirect_uri = native_redirect_uri
131
+ allow(subject.client).to receive(:redirect_uri) { native_redirect_uri }
132
+ expect(subject).to be_authorizable
133
+ end
134
+
135
+ it 'invalidates redirect_uri when it does\'n match with the client' do
136
+ subject.redirect_uri = native_redirect_uri
137
+ expect(subject).not_to be_authorizable
138
+ end
134
139
  end
135
140
 
136
141
  it 'stores the state' do
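Review bot: The new example description `it 'invalidates redirect_uri when it does\'n match with the client' do` contains a typo that will show up in every spec report; `it "invalidates redirect_uri when it doesn't match with the client" do` reads correctly and avoids the escape. The enclosing describe block begins before this hunk.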
@@ -266,6 +266,23 @@ module Doorkeeper
266
266
  let(:confidential) { false }
267
267
  it { expect(subject).to eq(false) }
268
268
  end
269
+
270
+ context 'when the application does not support confidentiality' do
271
+ let(:confidential) { false }
272
+
273
+ before { allow(Application).to receive(:supports_confidentiality?).and_return(false) }
274
+
275
+ it 'warns of the CVE' do
276
+ expect(ActiveSupport::Deprecation).to receive(:warn).with(
277
+ 'You are susceptible to security bug ' \
278
+ 'CVE-2018-1000211. Please follow instructions outlined in ' \
279
+ 'Doorkeeper::CVE_2018_1000211_WARNING'
280
+ )
281
+ Application.new.confidential
282
+ end
283
+
284
+ it { expect(subject).to eq(true) }
285
+ end
269
286
  end
270
287
 
271
288
  describe :supports_confidentiality? do
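Review bot: The 'warns of the CVE' example pins the complete warning text passed to `ActiveSupport::Deprecation.warn`, so any cosmetic edit to that message in the implementation breaks the spec without any change in behaviour. Asserting on the stable part, e.g. `expect(ActiveSupport::Deprecation).to receive(:warn).with(/CVE-2018-1000211/)`, keeps the test focused on the fact that the warning is emitted. The `subject` used by `it { expect(subject).to eq(true) }` is defined outside this hunk, so the value it refers to cannot be checked here.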
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: doorkeeper
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.4.1
4
+ version: 4.4.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
11
11
  autorequire:
12
12
  bindir: bin
13
13
  cert_chain: []
14
- date: 2018-07-27 00:00:00.000000000 Z
14
+ date: 2018-08-20 00:00:00.000000000 Z
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
17
17
  name: railties