go_to_param 0.2.0 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 05ddd7d3e4b2514e5f5136af63f0263f0bde08c9
-  data.tar.gz: 47acd514926425787274fa1452252147007ed803
+SHA256:
+  metadata.gz: 9a103b9617231ac26d4b5e82ca46dea4bcfd961cbda378476113d3dcd5ab7303
+  data.tar.gz: 0d805e34c66359b35775edc1e77ac9246b8f5d3b9838755d748f4c3acd1ae44b
 SHA512:
-  metadata.gz: 2c7e6949c134e0d72dce393533870c28860e8ea44bb51198e42869eba80c36bfee6dc09cb4dd5f288daec909b0f11f31087cfbde871dbbb56d5bcb24241421cb
-  data.tar.gz: ef121087d69984d484e37a647396076cd528eec877889185abf22f5cdff43bc287611bd4543e5707ce6ad635535d90f0044593dc872a2e8df5c89e95c4802de3
+  metadata.gz: 04434b980320f4f2ed8522e9e059973b31b1eb2f5bacb9ad3be482a8e72ddafa859f3974a4385702f973111e25b005377c3865c2696f57f85f0399c1ddf4e1d0
+  data.tar.gz: c7d4929d8f99b889b6680fe3c3383c5bad5d092ddb6d64e0dd704882062360c78f15331a8d4e5764e8731b89f73e3fd32229b5ff90dd9a82bdc5d1e012fe000a

data/CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+
+## 1.1.2
+
+- Fix keyword parameter warning. Thanks to @olleolleolle!
+
+## 1.1.1
+
+- Don't raise exceptions if given hash params from hack attempts, such as: `go_to[foo]=bar`.
+
+## Earlier
+
+Sorry, no changelog available for earlier versions.

data/README.md

@@ -55,6 +55,8 @@ You can pass additional query parameters to include, which could be suitable if
 
 Note that these parameters always become transformed into a query string: if you're using Ruby on Rails, they won't be interpreted through your route definitions.
 
+You can, however, pass a Rails-style `anchor: "foo"` parameter to set the URL fragment (`/example#foo`).
+
 
 ### hidden_go_to_tag
 
@@ -114,7 +116,13 @@ class SessionsController < ActionController::Base
 end
 ```
 
-Returns nil if the parameter value is not a relative path, to counter phishing attempts like `/login?go_to=http://evil.com/success_now_give_me_your_cc_details`.
+Returns `nil` if the parameter value is not a relative path, to counter phishing attempts like `/login?go_to=http://evil.com/success_now_give_me_your_cc_details`.
+
+If you need to allow some external URLs, that can be configured. You could do this in e.g. a `config/initializers/go_to.rb` file:
+
+``` ruby
+GoToParam.allow_redirect_prefix("myapp://")
+```
 
 ### go_to_path_or
 
@@ -139,6 +147,7 @@ Or install it yourself as:
 
     $ gem install go_to_param
 
+
 ## License
 
 Copyright (c) 2013 Henrik Nyh

data/go_to_param.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "bundler", ">= 1.3"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec"
 end

data/lib/go_to_param.rb

@@ -2,6 +2,20 @@ require "cgi"
 require "go_to_param/version"
 
 module GoToParam
+  def self.allow_redirect_prefix(prefix)
+    allowed_redirect_prefixes << prefix
+  end
+
+  def self.allowed_redirect_prefixes
+    reset_allowed_redirect_prefixes unless @allowed_redirect_prefixes
+    @allowed_redirect_prefixes
+  end
+
+  # Mostly for tests…
+  def self.reset_allowed_redirect_prefixes
+    @allowed_redirect_prefixes = [ "/" ]
+  end
+
   def self.included(klass)
     klass.helper_method :hidden_go_to_tag, :hidden_go_to_here_tag,
       :go_to_params, :go_to_here_params,
@@ -21,7 +35,7 @@ module GoToParam
   end
 
   def go_to_here_params(additional_query_params = {})
-    path = go_to_here_path(additional_query_params)
+    path = go_to_here_path(**additional_query_params)
 
     if path
       { go_to: path }
@@ -31,8 +45,10 @@ module GoToParam
   end
 
   def go_to_path
+    return nil if go_to_param_value.nil?
+
     # Avoid phishing redirects.
-    if go_to_param_value.to_s.start_with?("/")
+    if matches_allowed_redirect_prefixes?
       go_to_param_value
     else
       nil
@@ -45,16 +61,23 @@ module GoToParam
 
   private
 
-  def go_to_here_path(additional_query_params = {})
+  def matches_allowed_redirect_prefixes?
+    GoToParam.allowed_redirect_prefixes.any? { |prefix| go_to_param_value.start_with?(prefix) }
+  end
+
+  def go_to_here_path(anchor: nil, **additional_query_params)
     if request.get?
-      _go_to_add_query_string_from_hash(request.fullpath, additional_query_params)
+      path_without_anchor = _go_to_add_query_string_from_hash(_go_to_fullpath, additional_query_params)
+      anchor ? path_without_anchor + "#" + anchor : path_without_anchor
     else
       nil
     end
   end
 
   def go_to_param_value
-    params[:go_to]
+    # We use `to_s` to avoid "not a string" type errors from hack attempts where a hash is passed, e.g. "go_to[foo]=bar".
+    value = params[:go_to].to_s
+    value == "" ? nil : value
   end
 
   # Named this way to avoid conflicts. TODO: http://thepugautomatic.com/2014/02/private-api/
@@ -67,4 +90,11 @@ module GoToParam
       [ path, separator, query_string ].join
     end
   end
+
+  # Prevent encoding errors ("incompatible character encodings: UTF-8 and ASCII-8BIT") for certain malformed requests.
+  # Inspired by https://github.com/discourse/discourse/commit/090dc80f8a23dbb3ad703efbac990aa917c06505
+  def _go_to_fullpath
+    path = request.fullpath
+    path.dup.force_encoding("UTF-8").scrub
+  end
 end

data/lib/go_to_param/version.rb

@@ -1,3 +1,3 @@
 module GoToParam
-  VERSION = "0.2.0"
+  VERSION = "1.1.2"
 end

data/spec/go_to_param_spec.rb

@@ -1,25 +1,29 @@
 require_relative "../lib/go_to_param"
 
-class FakeController
-  attr_accessor :params, :view_context, :request
+describe GoToParam do
+  let(:controller_klass) do
+    Class.new do
+      attr_accessor :params, :view_context, :request
 
-  def self.helper_method(*methods)
-    @helper_methods = methods
-  end
+      def self.helper_method(*methods)
+        @helper_methods = methods
+      end
+
+      def self.helper_methods
+        @helper_methods
+      end
 
-  def self.helper_methods
-    @helper_methods
+      include GoToParam
+    end
   end
 
-  include GoToParam
-end
+  after { GoToParam.reset_allowed_redirect_prefixes }
 
-describe GoToParam do
-  let(:controller) { FakeController.new }
+  let(:controller) { controller_klass.new }
 
   describe "#hidden_go_to_tag" do
     it "becomes a helper method" do
-      expect(FakeController.helper_methods).to include :hidden_go_to_tag
+      expect(controller_klass.helper_methods).to include :hidden_go_to_tag
     end
 
     it "adds a hidden field tag" do
@@ -34,7 +38,7 @@ describe GoToParam do
 
   describe "#hidden_go_to_here_tag" do
     it "becomes a helper method" do
-      expect(FakeController.helper_methods).to include :hidden_go_to_here_tag
+      expect(controller_klass.helper_methods).to include :hidden_go_to_here_tag
     end
 
     it "adds a hidden field tag" do
@@ -59,7 +63,7 @@ describe GoToParam do
 
   describe "#go_to_params" do
     it "becomes a helper method" do
-      expect(FakeController.helper_methods).to include :go_to_params
+      expect(controller_klass.helper_methods).to include :go_to_params
     end
 
     it "includes the go_to parameter" do
@@ -77,7 +81,7 @@ describe GoToParam do
 
   describe "#go_to_here_params" do
     it "becomes a helper method" do
-      expect(FakeController.helper_methods).to include :go_to_here_params
+      expect(controller_klass.helper_methods).to include :go_to_here_params
     end
 
     it "gets the request path as the go_to parameter" do
@@ -99,11 +103,27 @@ describe GoToParam do
       expect(controller.go_to_here_params(bar: 3)).to eq({ go_to: "/example?foo&bar=3" })
     end
 
+    it "accepts an anchor parameter" do
+      controller.request = double(get?: true, fullpath: "/example")
+      expect(controller.go_to_here_params(foo: "foo", anchor: "bar")).to eq({ go_to: "/example?foo=foo#bar" })
+    end
+
+    it "makes sure the go_to path is valid UTF-8" do
+      weird_path = "\xE0\x80\x80weird\330stuff".force_encoding("ASCII-8BIT")
+      replacement = "\uFFFD"  # The Unicode "Replacement Character".
+
+      controller.request = double(get?: true, fullpath: weird_path)
+
+      go_to_value = controller.go_to_here_params[:go_to]
+
+      expect(go_to_value.encoding).to eq(Encoding::UTF_8)
+      expect(go_to_value).to eq("#{replacement}#{replacement}#{replacement}weird#{replacement}stuff")
+    end
   end
 
   describe "#go_to_path" do
     it "becomes a helper method" do
-      expect(FakeController.helper_methods).to include :go_to_path
+      expect(controller_klass.helper_methods).to include :go_to_path
     end
 
     it "is the go_to parameter value" do
@@ -115,11 +135,23 @@ describe GoToParam do
       controller.params = { go_to: "http://evil.com", id: "1" }
       expect(controller.go_to_path).to be_nil
     end
+
+    it "is nil when given a hash" do
+      controller.params = { go_to: { evil: "true" }, id: "1" }
+      expect(controller.go_to_path).to be_nil
+    end
+
+    it "respects custom allowed redirect prefixes" do
+      GoToParam.allow_redirect_prefix("myapp://")
+
+      controller.params = { go_to: "myapp://", id: "1" }
+      expect(controller.go_to_path).to eq("myapp://")
+    end
   end
 
   describe "#go_to_path_or" do
     it "becomes a helper method" do
-      expect(FakeController.helper_methods).to include :go_to_path_or
+      expect(controller_klass.helper_methods).to include :go_to_path_or
     end
 
     it "is the go_to parameter value" do
@@ -127,7 +159,12 @@ describe GoToParam do
       expect(controller.go_to_path_or("/default")).to eq("/example")
     end
 
-    it "is the passed-in value if the parameter value is not a relative path" do
+    it "falls back if the go_to param is blank" do
+      controller.params = { go_to: "", id: "1" }
+      expect(controller.go_to_path_or("/default")).to eq("/default")
+    end
+
+    it "falls back if the go_to param is not allowed" do
       controller.params = { go_to: "http://evil.com", id: "1" }
       expect(controller.go_to_path_or("/default")).to eq("/default")
     end

metadata

@@ -1,27 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: go_to_param
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.1.2
 platform: ruby
 authors:
 - Henrik N
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-05-20 00:00:00.000000000 Z
+date: 2020-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
@@ -52,7 +52,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - henrik@nyh.se
 executables: []
@@ -60,6 +60,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
 - README.md
 - Rakefile
@@ -71,7 +72,7 @@ homepage: ''
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -86,9 +87,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Rails "go_to" redirection param utilities.
 test_files: