RubyGems - go_sso - Versions diffs - 0.5.7 → 0.5.9 - Mend

go_sso 0.5.7 → 0.5.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dc53ee5f651b028c9c5eff100af5707a5166d7040eb2f415beebf5b2568e89d0
-  data.tar.gz: 9d30581465647c10a93c72f8cead449302e12447c60ff55d47d317329453c592
+  metadata.gz: 29f3d54e6659473f6789dab9172a3d8c7800448782daaab961407f673499a6b0
+  data.tar.gz: 91a0b671cb93eede2bf50ec46bfc8f68d3bd48ac4669c8b1f2a9d6a07fbcda67
 SHA512:
-  metadata.gz: 54335b52741f2ebe5bd66db64653bfb12da8b3ca4e5f548771b050f27130ff447fcd37c100adbb18f19c9a33f5cc27edc64d3c5a58fb4a4397fb7bb4f9f0ac66
-  data.tar.gz: cb1b290595b73090fdd35b06b88821d36cedd58a19779daee76daa9a0a1cd193b186bab23b1afb857701129596ae4d135a09aab1bb9b7b6eb40a01f8e4751bdf
+  metadata.gz: 677cc57a7d920d4100341114975c63a3bae27c1d688b946b1df5849a4dd6e9959063071f6e60e0308492f1f007e8ac52c8631b4c8139c6b44856ec57f8428fd3
+  data.tar.gz: c2dc18923f404779aa405a1aea3ceaaba35bd40e317a76eda7ed5aee0acb2ea1a3001a9542778984909536ccda2fad19ce095356848a5d94c902f0d55426468a

data/lib/go_sso/middleware.rb CHANGED Viewed

@@ -39,7 +39,9 @@ module GoSso
     end
     def request_call
-      session[:go_sso_referrer] = request.params["redirect_url"] || request.referrer || request.base_url
+      session[:go_sso_referrer] = safe_redirect_target(request.params["redirect_url"]) ||
+                                  safe_redirect_target(request.referrer) ||
+                                  request.base_url
       if GoSso.test_mode?
         redirect client_callback_path
@@ -50,7 +52,9 @@ module GoSso
     def logout_call
       set_sso_token(nil)
-      redirect request.params["redirect_url"] || request.referrer || request.base_url
+      redirect safe_redirect_target(request.params["redirect_url"]) ||
+               safe_redirect_target(request.referrer) ||
+               request.base_url
     end
     def callback_call
@@ -108,5 +112,26 @@ module GoSso
     def url_options
       { script_name: request.script_name, protocol: "https" }
     end
+    # Reject values that could either crash JSON cookie serialization
+    # (invalid UTF-8) or trigger an open redirect (off-host targets,
+    # protocol-relative URLs, non-http(s) schemes). Returns nil to fall
+    # back to the safe default in the caller.
+    def safe_redirect_target(url)
+      return nil unless url.is_a?(String)
+      return nil unless url.dup.force_encoding(Encoding::UTF_8).valid_encoding?
+      return nil if url.empty?
+      return nil if url.start_with?("//")
+      uri = URI.parse(url) rescue nil
+      return nil unless uri
+      if uri.absolute?
+        return nil unless %w[http https].include?(uri.scheme)
+        return nil unless uri.host&.casecmp(GoSso::Current.host.to_s) == 0
+      end
+      url
+    end
   end
 end

data/lib/go_sso/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GoSso
-  VERSION = '0.5.7'
+  VERSION = '0.5.9'
 end

metadata CHANGED Viewed

@@ -1,45 +1,44 @@
 --- !ruby/object:Gem::Specification
 name: go_sso
 version: !ruby/object:Gem::Version
-  version: 0.5.7
+  version: 0.5.9
 platform: ruby
 authors:
 - Yi Feng
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-27 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: oauth2
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.0
+        version: 7.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.0
+        version: 7.2.0
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: 2.0.0
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +52,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +66,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: mocha
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -81,7 +80,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: appraisal
+  name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -95,7 +94,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: dotenv-rails
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -131,7 +130,6 @@ homepage: https://github.com/yfxie/go_sso
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -146,8 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Summary of GoSso.
 test_files: []