RubyGems - go_sso - Versions diffs - 0.5.8 → 0.5.10 - Mend

go_sso 0.5.8 → 0.5.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/go_sso/controllers/helpers.rb +1 -1
data/lib/go_sso/middleware.rb +27 -2
data/lib/go_sso/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd3b3fb5b7b7ac16da845dd17e71ad1efec05c78af8589441a05b4c32257e2c4
-  data.tar.gz: 9030fc306149139592ad074def983b88cd124fd9ad6269385cfb45d2dd1829c0
+  metadata.gz: 56c0025727bac46c3e5aa9a3c7239e261a05f59ad67a632b9e26dd5c3675a7b0
+  data.tar.gz: 32f92f53dc0cfe892bd06289e189ec6f6e89821d3db24033b2f8ad1e6f50f661
 SHA512:
-  metadata.gz: 6aa1b8e5866239c3b079a2f5b11e99db9f66a8d4eb6ebd4873eb7d262c75e104d88c7e7fe9dc43a0b5c34cdde9b04280265cb8aae26c7b7fd814c1ac3ecd4579
-  data.tar.gz: f8370f36052282c58fbffe43209b55ad2310df3673ad6c83f3f6768b18d6b8fdc53335b59be759e707a78d78a6f7d1594210d16c17b2fae283914ff921c1d9c4
+  metadata.gz: 31e77cbef690424689e44a45fab403d4c9a210f890d902cbad69ad13eb4d25b0fd1283f5fb03851378083a595062d8ac717b3e26c269d0cf4a380c953746128c
+  data.tar.gz: 8875f600d150648361bb60fadcaa7857faab15cbf205e4d9e398b63ff85ee7c8bf604598a8f0fe2542f5b040da4c0be64d33371b10c1fdff354703429c4775b9

data/lib/go_sso/controllers/helpers.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module GoSso
       extend ActiveSupport::Concern
       included do
-        helper_method :current_sso_user
+        helper_method :current_sso_user if respond_to?(:helper_method)
         rescue_from GoSso::FailedToOpenConnection do
           render json: {

data/lib/go_sso/middleware.rb CHANGED Viewed

@@ -39,7 +39,9 @@ module GoSso
     end
     def request_call
-      session[:go_sso_referrer] = request.params["redirect_url"] || request.referrer || request.base_url
+      session[:go_sso_referrer] = safe_redirect_target(request.params["redirect_url"]) ||
+                                  safe_redirect_target(request.referrer) ||
+                                  request.base_url
       if GoSso.test_mode?
         redirect client_callback_path
@@ -50,7 +52,9 @@ module GoSso
     def logout_call
       set_sso_token(nil)
-      redirect request.params["redirect_url"] || request.referrer || request.base_url
+      redirect safe_redirect_target(request.params["redirect_url"]) ||
+               safe_redirect_target(request.referrer) ||
+               request.base_url
     end
     def callback_call
@@ -108,5 +112,26 @@ module GoSso
     def url_options
       { script_name: request.script_name, protocol: "https" }
     end
+    # Reject values that could either crash JSON cookie serialization
+    # (invalid UTF-8) or trigger an open redirect (off-host targets,
+    # protocol-relative URLs, non-http(s) schemes). Returns nil to fall
+    # back to the safe default in the caller.
+    def safe_redirect_target(url)
+      return nil unless url.is_a?(String)
+      return nil unless url.dup.force_encoding(Encoding::UTF_8).valid_encoding?
+      return nil if url.empty?
+      return nil if url.start_with?("//")
+      uri = URI.parse(url) rescue nil
+      return nil unless uri
+      if uri.absolute?
+        return nil unless %w[http https].include?(uri.scheme)
+        return nil unless uri.host&.casecmp(GoSso::Current.host.to_s) == 0
+      end
+      url
+    end
   end
 end

data/lib/go_sso/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GoSso
-  VERSION = '0.5.8'
+  VERSION = '0.5.10'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: go_sso
 version: !ruby/object:Gem::Version
-  version: 0.5.8
+  version: 0.5.10
 platform: ruby
 authors:
 - Yi Feng