doorkeeper 4.4.1 → 4.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b9ce63cc5f416a440c8cbe59270d0d144d2b46f8
-  data.tar.gz: 967e49192bf978a3c22997fd9d239b3046dddda3
+  metadata.gz: c92e80cb652104645d4ec7634af2c3699f90da68
+  data.tar.gz: 3d3e22b8dfa7288c8a120645db4cc4193809d60f
 SHA512:
-  metadata.gz: cc82ecfb4737159081c5bb1aedff072522ae2b191272e1eb00966b6a999e2ab99ea094fe4fa7c1924ee344e33978b6b436af37cabde22a4ac5f3a67e240737a1
-  data.tar.gz: d1e5bf52498a3ccbcf5fdc8ea9bb4ab99e3a17c16ee2ecac860e4ffe720a63375b9c9a7e347d9564dee625a4fd8804723c3dad97340f6a2f31132fde06a0e548
+  metadata.gz: e6546445a2ab9db13ff53fe16633b8769f1c70b1b76931e9709346984cb8aed18eec91a5a4fa29c2f06786999c0e87697897064603a918b868bd55b32874faa8
+  data.tar.gz: 7717301a83ea02e249e8cc121bd0894cb08fafa272340715829de78020bb6428d3d8c7764ed5200c7e22ecf9bb99c5f206503ae938e89ed1817620c1f42388cd

data/NEWS.md

@@ -4,6 +4,9 @@ User-visible changes worth mentioning.
 
 ## master
 
+## 4.4.2
+- [#1130] Backport fix for native redirect_uri from 5.x.
+
 ## 4.4.1
 
 - [#1127] Backport token type to comply with the RFC6750 specification.

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -3,6 +3,7 @@ module Doorkeeper
     module Helpers
       module URIChecker
         def self.valid?(url)
+          return true if native_uri?(url)
           uri = as_uri(url)
           uri.fragment.nil? && !uri.host.nil? && !uri.scheme.nil?
         rescue URI::InvalidURIError

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -57,9 +57,11 @@ module Doorkeeper
 
       # TODO: test uri should be matched against the client's one
       def validate_redirect_uri
-        return false unless redirect_uri.present?
-        Helpers::URIChecker.native_uri?(redirect_uri) ||
-          Helpers::URIChecker.valid_for_authorization?(redirect_uri, client.redirect_uri)
+        return false if redirect_uri.blank?
+
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri, client.redirect_uri
+        )
       end
     end
   end

data/lib/doorkeeper/version.rb

@@ -28,7 +28,7 @@ HEREDOC
     # Semantic versioning
     MAJOR = 4
     MINOR = 4
-    TINY = 1
+    TINY = 2
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY].compact.join('.')

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -104,5 +104,20 @@ module Doorkeeper::OAuth
         expect(subject.error).to eq(:invalid_grant)
       end
     end
+
+    context "when redirect_uri is the native one" do
+      let(:redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
+
+      it "invalidates when redirect_uri of the grant is not native" do
+        subject.validate
+        expect(subject.error).to eq(:invalid_grant)
+      end
+
+      it "validates when redirect_uri of the grant is also native" do
+        allow(grant).to receive(:redirect_uri) { redirect_uri }
+        subject.validate
+        expect(subject.error).to eq(nil)
+      end
+    end
   end
 end

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -5,6 +5,11 @@ require 'doorkeeper/oauth/helpers/uri_checker'
 module Doorkeeper::OAuth::Helpers
   describe URIChecker do
     describe '.valid?' do
+      it 'is valid for native uris' do
+        uri = 'urn:ietf:wg:oauth:2.0:oob'
+        expect(URIChecker.valid?(uri)).to be_truthy
+      end
+
       it 'is valid for valid uris' do
         uri = 'http://app.co'
         expect(URIChecker.valid?(uri)).to be_truthy

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -123,14 +123,19 @@ module Doorkeeper::OAuth
       expect(subject.scopes).to eq(Scopes.from_string('default'))
     end
 
-    it 'accepts test uri' do
-      subject.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
-      expect(subject).to be_authorizable
-    end
+    context 'with native redirect uri' do
+      let(:native_redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
 
-    it 'matches the redirect uri against client\'s one' do
-      subject.redirect_uri = 'http://nothesame.com'
-      expect(subject).not_to be_authorizable
+      it 'accepts redirect_uri when it matches with the client' do
+        subject.redirect_uri = native_redirect_uri
+        allow(subject.client).to receive(:redirect_uri) { native_redirect_uri }
+        expect(subject).to be_authorizable
+      end
+
+      it 'invalidates redirect_uri when it does\'n match with the client' do
+        subject.redirect_uri = native_redirect_uri
+        expect(subject).not_to be_authorizable
+      end
     end
 
     it 'stores the state' do

data/spec/models/doorkeeper/application_spec.rb

@@ -266,6 +266,23 @@ module Doorkeeper
         let(:confidential) { false }
         it { expect(subject).to eq(false) }
       end
+
+      context 'when the application does not support confidentiality' do
+        let(:confidential) { false }
+
+        before { allow(Application).to receive(:supports_confidentiality?).and_return(false) }
+
+        it 'warns of the CVE' do
+          expect(ActiveSupport::Deprecation).to receive(:warn).with(
+            'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          )
+          Application.new.confidential
+        end
+
+        it { expect(subject).to eq(true) }
+      end
     end
 
     describe :supports_confidentiality? do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 4.4.1
+  version: 4.4.2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-07-27 00:00:00.000000000 Z
+date: 2018-08-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties