doorkeeper 4.2.5 → 4.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 990a2d9feaf3dd9945bac2a76742b719521e12c8
-  data.tar.gz: 6a9e2f52ad07979a02040219f7a1f25c9768e353
+  metadata.gz: b4b94e7f1fb4975a36ad84ccfda9bcfb0b5e2bd7
+  data.tar.gz: fc5914c689e55572a9313caa07f2644c29f37574
 SHA512:
-  metadata.gz: 641cb1c261a315bd330719a00ba622dbfd61c973f30124698db92ee33b3ff88314d4636e459fd367b73fffdd49da945307e3947a243bdbaf710f9a76a9c1759f
-  data.tar.gz: cb2ff264f9e2e175bd3ed311d54ea24603d16f36b51bf4cdbb56fe4fe855e3785f668b9f0e8a5692ae85bc8057daaa47f14fde8c7cca367c6f08a6dce97bfb54
+  metadata.gz: f90cc508667ce0ec9693925a187fbc9ae5b9eeaf95b74648c9981ceea9eaef305d9981f75d48a8b8f0e00929bcc748a51da4b013b814ffa8a9344a4fc44257e1
+  data.tar.gz: 433cafea0488b8d0ab2d7d9b164b9510191f9a6d6534443674064e60c8ea2c0007494a9015b8c9d96a44b603182217496d4221db752c21d1cc5e56b1e377ae86

data/.travis.yml

@@ -6,6 +6,7 @@ rvm:
   - 2.1
   - 2.2.6
   - 2.3.3
+  - 2.4.0
 
 before_install:
   - gem install bundler -v '~> 1.10'

data/NEWS.md

@@ -2,6 +2,10 @@
 
 User-visible changes worth mentioning.
 
+## master
+
+- [#970] Escape certain attributes in authorization forms.
+
 ## 4.2.5
 
 - [#936] Deprecate `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and

data/README.md

@@ -1,4 +1,4 @@
-# Doorkeeper - awesome oauth provider for your Rails app.
+# Doorkeeper - awesome OAuth2 provider for your Rails app.
 
 [![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
 [![Dependency Status](https://gemnasium.com/doorkeeper-gem/doorkeeper.svg?travis)](https://gemnasium.com/doorkeeper-gem/doorkeeper)

data/RELEASING.md

@@ -1,17 +1,10 @@
 # Releasing doorkeeper
 
+How to release doorkeeper in five easy steps!
+
 1. Update `lib/doorkeeper/version.rb` file accordingly.
 2. Update `NEWS.md` to reflect the changes since last release.
-3. Commit changes. There shouldn’t be code changes, and thus CI doesn’t need to
-   run, you can then add “[ci skip]” to the commit message.
-4. Tag the release: `git tag vVERSION -m "Release vVERSION"`
-5. Push changes: `git push && git push --tags`
-6. Build and publish the gem:
-
-   ```bash
-   gem build doorkeeper.gemspec
-   gem push doorkeeper-*.gem
-   ```
-
-7. Announce the new release, making sure to say “thank you” to the contributors
+3. Commit changes: `git commit -am 'Bump to vVERSION'`
+4. Run `rake release`
+5. Announce the new release, making sure to say “thank you” to the contributors
    who helped shape this version!

data/app/views/doorkeeper/applications/_form.html.erb

@@ -21,7 +21,7 @@
       </span>
       <% if Doorkeeper.configuration.native_redirect_uri %>
           <span class="help-block">
-            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: "<code>#{ Doorkeeper.configuration.native_redirect_uri }</code>") %>
+            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code) { Doorkeeper.configuration.native_redirect_uri }) %>
           </span>
       <% end %>
     </div>

data/app/views/doorkeeper/authorizations/new.html.erb

@@ -4,7 +4,7 @@
 
 <main role="main">
   <p class="h4">
-    <%= raw t('.prompt', client_name: "<strong class=\"text-info\">#{ @pre_auth.client.name }</strong>") %>
+    <%= raw t('.prompt', client_name: content_tag(:strong, class: 'text-info') { @pre_auth.client.name }) %>
   </p>
 
   <% if @pre_auth.scopes.count > 0 %>

data/doorkeeper.gemspec

@@ -26,5 +26,4 @@ Gem::Specification.new do |s|
   s.add_development_dependency "generator_spec", "~> 0.9.3"
   s.add_development_dependency "rake", ">= 11.3.0"
   s.add_development_dependency "rspec-rails"
-  s.add_development_dependency "timecop", "~> 0.8.1"
 end

data/lib/doorkeeper/errors.rb

@@ -1,21 +1,39 @@
 module Doorkeeper
   module Errors
     class DoorkeeperError < StandardError
+      def type
+        message
+      end
     end
 
     class InvalidAuthorizationStrategy < DoorkeeperError
+      def type
+        :unsupported_response_type
+      end
     end
 
     class InvalidTokenReuse < DoorkeeperError
+      def type
+        :invalid_request
+      end
     end
 
     class InvalidGrantReuse < DoorkeeperError
+      def type
+        :invalid_grant
+      end
     end
 
     class InvalidTokenStrategy < DoorkeeperError
+      def type
+        :unsupported_grant_type
+      end
     end
 
     class MissingRequestStrategy < DoorkeeperError
+      def type
+        :invalid_request
+      end
     end
 
     class UnableToGenerateToken < DoorkeeperError

data/lib/doorkeeper/helpers/controller.rb

@@ -34,22 +34,7 @@ module Doorkeeper
       end
 
       def get_error_response_from_exception(exception)
-        error_name = case exception
-                     when Errors::InvalidTokenStrategy
-                       :unsupported_grant_type
-                     when Errors::InvalidAuthorizationStrategy
-                       :unsupported_response_type
-                     when Errors::MissingRequestStrategy
-                       :invalid_request
-                     when Errors::InvalidTokenReuse
-                       :invalid_request
-                     when Errors::InvalidGrantReuse
-                       :invalid_grant
-                     when Errors::DoorkeeperError
-                       exception.message
-                     end
-
-        OAuth::ErrorResponse.new name: error_name, state: params[:state]
+        OAuth::ErrorResponse.new name: exception.type, state: params[:state]
       end
 
       def handle_token_exception(exception)

data/lib/doorkeeper/version.rb

@@ -1,3 +1,3 @@
 module Doorkeeper
-  VERSION = "4.2.5".freeze
+  VERSION = "4.2.6".freeze
 end

data/spec/controllers/authorizations_controller_spec.rb

@@ -3,9 +3,24 @@ require 'spec_helper_integration'
 describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
   include AuthorizationRequestHelper
 
-  def fragments(param)
-    fragment = URI.parse(response.location).fragment
-    Rack::Utils.parse_query(fragment)[param]
+  if Rails::VERSION::MAJOR == 5
+    class ActionDispatch::TestResponse
+      def query_params
+        @_query_params ||= begin
+          fragment = URI.parse(location).fragment
+          Rack::Utils.parse_query(fragment)
+        end
+      end
+    end
+  else
+    class ActionController::TestResponse
+      def query_params
+        @_query_params ||= begin
+          fragment = URI.parse(location).fragment
+          Rack::Utils.parse_query(fragment)
+        end
+      end
+    end
   end
 
   def translated_error_message(key)
@@ -35,15 +50,15 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'includes access token in fragment' do
-      expect(fragments('access_token')).to eq(Doorkeeper::AccessToken.first.token)
+      expect(response.query_params['access_token']).to eq(Doorkeeper::AccessToken.first.token)
     end
 
     it 'includes token type in fragment' do
-      expect(fragments('token_type')).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('bearer')
     end
 
     it 'includes token expiration in fragment' do
-      expect(fragments('expires_in').to_i).to eq(2.hours.to_i)
+      expect(response.query_params['expires_in'].to_i).to eq(2.hours.to_i)
     end
 
     it 'issues the token for the current client' do
@@ -70,15 +85,15 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'does not include access token in fragment' do
-      expect(fragments('access_token')).to be_nil
+      expect(response.query_params['access_token']).to be_nil
     end
 
     it 'includes error in fragment' do
-      expect(fragments('error')).to eq('invalid_scope')
+      expect(response.query_params['error']).to eq('invalid_scope')
     end
 
     it 'includes error description in fragment' do
-      expect(fragments('error_description')).to eq(translated_error_message(:invalid_scope))
+      expect(response.query_params['error_description']).to eq(translated_error_message(:invalid_scope))
     end
 
     it 'does not issue any access token' do
@@ -95,7 +110,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'returns the existing access token in a fragment' do
-      expect(fragments('access_token')).to eq(access_token.token)
+      expect(response.query_params['access_token']).to eq(access_token.token)
     end
 
     it 'does not creates a new access token' do
@@ -169,11 +184,11 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
 
     it 'includes token type in fragment' do
-      expect(fragments('token_type')).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('bearer')
     end
 
     it 'includes token expiration in fragment' do
-      expect(fragments('expires_in').to_i).to eq(2.hours.to_i)
+      expect(response.query_params['expires_in'].to_i).to eq(2.hours.to_i)
     end
 
     it 'issues the token for the current client' do

data/spec/lib/models/expirable_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'timecop'
 require 'active_support/time'
 require 'doorkeeper/models/concerns/expirable'
 

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -1,9 +1,10 @@
 require 'spec_helper_integration'
 
 feature 'Authorization Code Flow Errors' do
+  let(:client_params) { {} }
   background do
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
-    client_exists
+    client_exists client_params
     create_resource_owner
     sign_in
   end
@@ -12,6 +13,15 @@ feature 'Authorization Code Flow Errors' do
     access_grant_should_not_exist
   end
 
+  context "with a client trying to xss resource owner" do
+    let(:client_name) { "<div id='xss'>XSS</div>" }
+    let(:client_params) { { name: client_name } }
+    scenario "resource owner visit authorization endpoint" do
+      visit authorization_endpoint_url(client: @client)
+      expect(page).not_to have_css("#xss")
+    end
+  end
+
   context 'when access was denied' do
     scenario 'redirects with error' do
       visit authorization_endpoint_url(client: @client)

data/spec/spec_helper_integration.rb

@@ -16,7 +16,6 @@ require 'capybara/rspec'
 require 'dummy/config/environment'
 require 'rspec/rails'
 require 'generator_spec/test_case'
-require 'timecop'
 require 'database_cleaner'
 
 # Load JRuby SQLite3 if in that platform

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 4.2.5
+  version: 4.2.6
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-12 00:00:00.000000000 Z
+date: 2017-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -124,20 +124,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.8.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.8.1
 description: Doorkeeper is an OAuth 2 provider for Rails and Grape.
 email:
 - me@jonathanmoss.me
@@ -400,7 +386,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape