go_to_param 0.3.0 → 1.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 8ff657dfce2b1757a637ff58b8614803f96415b4
4
- data.tar.gz: 446aaba35e959473a3ec0df17e3ada34ee91a831
3
+ metadata.gz: 6fa16c7fe969b722bbc7f884c7b2f1b24df75bb7
4
+ data.tar.gz: 0e7c3acd3d434566ffeb201eb006a43765dad107
5
5
  SHA512:
6
- metadata.gz: 0d882496e336ab925a45599ad950c2c2541c8b6a3b798eea41b1cf75aa7982747b0c9a3481c4c9e17090deb3ed84d3610b5f74054497ac79b3b422ac95ee7e9e
7
- data.tar.gz: 405bed370bc54b4a81c0ddecc8968ad31ea3e7d0de39207433ec77b65651fd296026299a474196a9410db868f97862c79796f1a9f465c3cb13a53ddb055c3461
6
+ metadata.gz: bfccf03b703ea760d1b8ae8a81cd238052248b18f70e3044d76856577edbdc40f304602178d4716774427fde0579d0a19062e7bf1c401509fa401d85978e1ee0
7
+ data.tar.gz: 45575857ba7c020275d9f1384264b13a4c4892afaefc30864babf7b206197c2f6362b303bf872b8e3b129036d91a0edb546b8244d0a0c45114670371c5c1d26c
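--- a/data/README.md
+++ b/data/README.md
@@ -114,7 +114,13 @@ class SessionsController < ActionController::Base
 end
 ```
 
-Returns nil if the parameter value is not a relative path, to counter phishing attempts like `/login?go_to=http://evil.com/success_now_give_me_your_cc_details`.
+Returns `nil` if the parameter value is not a relative path, to counter phishing attempts like `/login?go_to=http://evil.com/success_now_give_me_your_cc_details`.
+
+If you need to allow some external URLs, that can be configured. You could do this in e.g. a `config/initializers/go_to.rb` file:
+
+``` ruby
+GoToParam.allow_redirect_prefix("myapp://")
+```
 
 ### go_to_path_or
 
@@ -139,6 +145,7 @@ Or install it yourself as:
 
 $ gem install go_to_param
 
+
 ## License
 
 Copyright (c) 2013 Henrik Nyh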
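--- a/data/lib/go_to_param.rb
+++ b/data/lib/go_to_param.rb
@@ -2,6 +2,20 @@ require "cgi"
 require "go_to_param/version"
 
 module GoToParam
+def self.allow_redirect_prefix(prefix)
+allowed_redirect_prefixes << prefix
+end
+
+def self.allowed_redirect_prefixes
+reset_allowed_redirect_prefixes unless @allowed_redirect_prefixes
+@allowed_redirect_prefixes
+end
+
+# Mostly for tests…
+def self.reset_allowed_redirect_prefixes
+@allowed_redirect_prefixes = [ "/" ]
+end
+
 def self.included(klass)
 klass.helper_method :hidden_go_to_tag, :hidden_go_to_here_tag,
 :go_to_params, :go_to_here_params,
@@ -31,8 +45,10 @@ module GoToParam
 end
 
 def go_to_path
+return nil if go_to_param_value.nil?
+
 # Avoid phishing redirects.
-if go_to_param_value.to_s.start_with?("/")
+if matches_allowed_redirect_prefixes?
 go_to_param_value
 else
 nil
@@ -45,6 +61,10 @@ module GoToParam
 
 private
 
+def matches_allowed_redirect_prefixes?
+GoToParam.allowed_redirect_prefixes.any? { |prefix| go_to_param_value.start_with?(prefix) }
+end
+
 def go_to_here_path(additional_query_params = {})
 if request.get?
 _go_to_add_query_string_from_hash(_go_to_fullpath, additional_query_params)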
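Review bot: The default prefix `"/"` set in `reset_allowed_redirect_prefixes` combined with the plain `start_with?` check in `matches_allowed_redirect_prefixes?` still accepts protocol-relative values such as `//example.com/path`, which browsers resolve against an external host, so the "Avoid phishing redirects." guard in `go_to_path` is incomplete; the old `start_with?("/")` line had the same gap, but the commit does not close it. Dropping `.to_s` is also a small regression: if `go_to_param_value` can be a non-String (an Array or Hash from a nested query parameter — it is defined outside these hunks, so I cannot confirm), `start_with?` now raises `NoMethodError` where the old code coerced. Both are addressed in the private helper with `value = go_to_param_value.to_s; return false if value.start_with?("//", "/\\"); GoToParam.allowed_redirect_prefixes.any? { |prefix| value.start_with?(prefix) }` (the `/\` case covers browsers that normalize a backslash to a slash). The body of `go_to_path` continues past the second hunk.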
@@ -1,3 +1,3 @@
1
1
  module GoToParam
2
- VERSION = "0.3.0"
2
+ VERSION = "1.0.0"
3
3
  end
@@ -15,6 +15,8 @@ class FakeController
15
15
  end
16
16
 
17
17
  describe GoToParam do
18
+ after { GoToParam.reset_allowed_redirect_prefixes }
19
+
18
20
  let(:controller) { FakeController.new }
19
21
 
20
22
  describe "#hidden_go_to_tag" do
@@ -101,7 +103,7 @@ describe GoToParam do
101
103
 
102
104
  it "makes sure the go_to path is valid UTF-8" do
103
105
  weird_path = "\xE0\x80\x80weird\330stuff".force_encoding("ASCII-8BIT")
104
- replacement = "\uFFFD" # The Unicode 'Replacement Character'
106
+ replacement = "\uFFFD" # The Unicode "Replacement Character".
105
107
 
106
108
  controller.request = double(get?: true, fullpath: weird_path)
107
109
 
@@ -126,6 +128,13 @@ describe GoToParam do
126
128
  controller.params = { go_to: "http://evil.com", id: "1" }
127
129
  expect(controller.go_to_path).to be_nil
128
130
  end
131
+
132
+ it "respects custom allowed redirect prefixes" do
133
+ GoToParam.allow_redirect_prefix("myapp://")
134
+
135
+ controller.params = { go_to: "myapp://", id: "1" }
136
+ expect(controller.go_to_path).to eq("myapp://")
137
+ end
129
138
  end
130
139
 
131
140
  describe "#go_to_path_or" do
@@ -138,7 +147,12 @@ describe GoToParam do
138
147
  expect(controller.go_to_path_or("/default")).to eq("/example")
139
148
  end
140
149
 
141
- it "is the passed-in value if the parameter value is not a relative path" do
150
+ it "falls back if the go_to param is blank" do
151
+ controller.params = { go_to: "", id: "1" }
152
+ expect(controller.go_to_path_or("/default")).to eq("/default")
153
+ end
154
+
155
+ it "falls back if the go_to param is not allowed" do
142
156
  controller.params = { go_to: "http://evil.com", id: "1" }
143
157
  expect(controller.go_to_path_or("/default")).to eq("/default")
144
158
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: go_to_param
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.0
4
+ version: 1.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Henrik N
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-07-26 00:00:00.000000000 Z
11
+ date: 2015-12-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler