go_to_param 0.3.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +8 -1
- data/lib/go_to_param.rb +21 -1
- data/lib/go_to_param/version.rb +1 -1
- data/spec/go_to_param_spec.rb +16 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6fa16c7fe969b722bbc7f884c7b2f1b24df75bb7
|
|
4
|
+
data.tar.gz: 0e7c3acd3d434566ffeb201eb006a43765dad107
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bfccf03b703ea760d1b8ae8a81cd238052248b18f70e3044d76856577edbdc40f304602178d4716774427fde0579d0a19062e7bf1c401509fa401d85978e1ee0
|
|
7
|
+
data.tar.gz: 45575857ba7c020275d9f1384264b13a4c4892afaefc30864babf7b206197c2f6362b303bf872b8e3b129036d91a0edb546b8244d0a0c45114670371c5c1d26c
|
data/README.md
CHANGED
|
@@ -114,7 +114,13 @@ class SessionsController < ActionController::Base
|
|
|
114
114
|
end
|
|
115
115
|
```
|
|
116
116
|
|
|
117
|
-
Returns nil if the parameter value is not a relative path, to counter phishing attempts like `/login?go_to=http://evil.com/success_now_give_me_your_cc_details`.
|
|
117
|
+
Returns `nil` if the parameter value is not a relative path, to counter phishing attempts like `/login?go_to=http://evil.com/success_now_give_me_your_cc_details`.
|
|
118
|
+
|
|
119
|
+
If you need to allow some external URLs, that can be configured. You could do this in e.g. a `config/initializers/go_to.rb` file:
|
|
120
|
+
|
|
121
|
+
``` ruby
|
|
122
|
+
GoToParam.allow_redirect_prefix("myapp://")
|
|
123
|
+
```
|
|
118
124
|
|
|
119
125
|
### go_to_path_or
|
|
120
126
|
|
|
@@ -139,6 +145,7 @@ Or install it yourself as:
|
|
|
139
145
|
|
|
140
146
|
$ gem install go_to_param
|
|
141
147
|
|
|
148
|
+
|
|
142
149
|
## License
|
|
143
150
|
|
|
144
151
|
Copyright (c) 2013 Henrik Nyh
|
data/lib/go_to_param.rb
CHANGED
|
@@ -2,6 +2,20 @@ require "cgi"
|
|
|
2
2
|
require "go_to_param/version"
|
|
3
3
|
|
|
4
4
|
module GoToParam
|
|
5
|
+
def self.allow_redirect_prefix(prefix)
|
|
6
|
+
allowed_redirect_prefixes << prefix
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def self.allowed_redirect_prefixes
|
|
10
|
+
reset_allowed_redirect_prefixes unless @allowed_redirect_prefixes
|
|
11
|
+
@allowed_redirect_prefixes
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
# Mostly for tests…
|
|
15
|
+
def self.reset_allowed_redirect_prefixes
|
|
16
|
+
@allowed_redirect_prefixes = [ "/" ]
|
|
17
|
+
end
|
|
18
|
+
|
|
5
19
|
def self.included(klass)
|
|
6
20
|
klass.helper_method :hidden_go_to_tag, :hidden_go_to_here_tag,
|
|
7
21
|
:go_to_params, :go_to_here_params,
|
|
@@ -31,8 +45,10 @@ module GoToParam
|
|
|
31
45
|
end
|
|
32
46
|
|
|
33
47
|
def go_to_path
|
|
48
|
+
return nil if go_to_param_value.nil?
|
|
49
|
+
|
|
34
50
|
# Avoid phishing redirects.
|
|
35
|
-
if
|
|
51
|
+
if matches_allowed_redirect_prefixes?
|
|
36
52
|
go_to_param_value
|
|
37
53
|
else
|
|
38
54
|
nil
|
|
@@ -45,6 +61,10 @@ module GoToParam
|
|
|
45
61
|
|
|
46
62
|
private
|
|
47
63
|
|
|
64
|
+
def matches_allowed_redirect_prefixes?
|
|
65
|
+
GoToParam.allowed_redirect_prefixes.any? { |prefix| go_to_param_value.start_with?(prefix) }
|
|
66
|
+
end
|
|
67
|
+
|
|
48
68
|
def go_to_here_path(additional_query_params = {})
|
|
49
69
|
if request.get?
|
|
50
70
|
_go_to_add_query_string_from_hash(_go_to_fullpath, additional_query_params)
|
data/lib/go_to_param/version.rb
CHANGED
data/spec/go_to_param_spec.rb
CHANGED
|
@@ -15,6 +15,8 @@ class FakeController
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
describe GoToParam do
|
|
18
|
+
after { GoToParam.reset_allowed_redirect_prefixes }
|
|
19
|
+
|
|
18
20
|
let(:controller) { FakeController.new }
|
|
19
21
|
|
|
20
22
|
describe "#hidden_go_to_tag" do
|
|
@@ -101,7 +103,7 @@ describe GoToParam do
|
|
|
101
103
|
|
|
102
104
|
it "makes sure the go_to path is valid UTF-8" do
|
|
103
105
|
weird_path = "\xE0\x80\x80weird\330stuff".force_encoding("ASCII-8BIT")
|
|
104
|
-
replacement = "\uFFFD" # The Unicode
|
|
106
|
+
replacement = "\uFFFD" # The Unicode "Replacement Character".
|
|
105
107
|
|
|
106
108
|
controller.request = double(get?: true, fullpath: weird_path)
|
|
107
109
|
|
|
@@ -126,6 +128,13 @@ describe GoToParam do
|
|
|
126
128
|
controller.params = { go_to: "http://evil.com", id: "1" }
|
|
127
129
|
expect(controller.go_to_path).to be_nil
|
|
128
130
|
end
|
|
131
|
+
|
|
132
|
+
it "respects custom allowed redirect prefixes" do
|
|
133
|
+
GoToParam.allow_redirect_prefix("myapp://")
|
|
134
|
+
|
|
135
|
+
controller.params = { go_to: "myapp://", id: "1" }
|
|
136
|
+
expect(controller.go_to_path).to eq("myapp://")
|
|
137
|
+
end
|
|
129
138
|
end
|
|
130
139
|
|
|
131
140
|
describe "#go_to_path_or" do
|
|
@@ -138,7 +147,12 @@ describe GoToParam do
|
|
|
138
147
|
expect(controller.go_to_path_or("/default")).to eq("/example")
|
|
139
148
|
end
|
|
140
149
|
|
|
141
|
-
it "
|
|
150
|
+
it "falls back if the go_to param is blank" do
|
|
151
|
+
controller.params = { go_to: "", id: "1" }
|
|
152
|
+
expect(controller.go_to_path_or("/default")).to eq("/default")
|
|
153
|
+
end
|
|
154
|
+
|
|
155
|
+
it "falls back if the go_to param is not allowed" do
|
|
142
156
|
controller.params = { go_to: "http://evil.com", id: "1" }
|
|
143
157
|
expect(controller.go_to_path_or("/default")).to eq("/default")
|
|
144
158
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: go_to_param
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Henrik N
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-12-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|