go_to_param 1.1.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a103b9617231ac26d4b5e82ca46dea4bcfd961cbda378476113d3dcd5ab7303
-  data.tar.gz: 0d805e34c66359b35775edc1e77ac9246b8f5d3b9838755d748f4c3acd1ae44b
+  metadata.gz: 8ef3c76caad7dbf28335798a812644bfd00fc3609f6a59b601552e2d6f3f8915
+  data.tar.gz: eb54119400b07f9dd8bc1104aea81e0c08eed250461a4963f79d4c6e5c9ba113
 SHA512:
-  metadata.gz: 04434b980320f4f2ed8522e9e059973b31b1eb2f5bacb9ad3be482a8e72ddafa859f3974a4385702f973111e25b005377c3865c2696f57f85f0399c1ddf4e1d0
-  data.tar.gz: c7d4929d8f99b889b6680fe3c3383c5bad5d092ddb6d64e0dd704882062360c78f15331a8d4e5764e8731b89f73e3fd32229b5ff90dd9a82bdc5d1e012fe000a
+  metadata.gz: 8c00fa6dc82ce3b7f24802a16a726061e785da10e0b11fbb38acd66a230ae49261f73ef66ee06af926e7d38567408b3889bf8bd8ff2ba448f78b01cf3326ce94
+  data.tar.gz: 298750ed94c196b4b86368f889e41707223b2fd71e35f631b6b90c7cb7aac8ca615d3199b239380941aac191534c22be69d8244e259621df784bc7c844d08b4a

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 2.0.0
+
+- Remove `id` attribute for input tags generated by `hidden_go_to_tag` and `hidden_go_to_here_tag`, to avoid markup errors when using multiple on the same page.
+- Disallow protocol-relative "//evil.com".
+
+## 1.1.3
+
+- Force MFA for privileged Rubygems actions.
+
 ## 1.1.2
 
 - Fix keyword parameter warning. Thanks to @olleolleolle!

data/lib/go_to_param/version.rb

@@ -1,3 +1,3 @@
 module GoToParam
-  VERSION = "1.1.2"
+  VERSION = "2.0.0"
 end

data/lib/go_to_param.rb

@@ -23,11 +23,11 @@ module GoToParam
   end
 
   def hidden_go_to_tag
-    view_context.hidden_field_tag :go_to, go_to_path
+    view_context.hidden_field_tag :go_to, go_to_path, id: nil
   end
 
   def hidden_go_to_here_tag(additional_query_params = {})
-    view_context.hidden_field_tag :go_to, go_to_here_params(additional_query_params)[:go_to]
+    view_context.hidden_field_tag :go_to, go_to_here_params(additional_query_params)[:go_to], id: nil
   end
 
   def go_to_params(other_params = {})
@@ -62,7 +62,13 @@ module GoToParam
   private
 
   def matches_allowed_redirect_prefixes?
-    GoToParam.allowed_redirect_prefixes.any? { |prefix| go_to_param_value.start_with?(prefix) }
+    value = go_to_param_value
+
+    # Disallow protocol-relative "//evil.com".
+    # Also account for browsers normalizing `\` to `/`: https://github.com/advisories/GHSA-mqqf-5wvp-8fh8
+    return false if value.start_with?("//", "/\\", "\\/", "\\\\")
+
+    GoToParam.allowed_redirect_prefixes.any? { |prefix| value.start_with?(prefix) }
   end
 
   def go_to_here_path(anchor: nil, **additional_query_params)

metadata

@@ -1,78 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: go_to_param
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 2.0.0
 platform: ruby
 authors:
 - Henrik N
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-01 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description:
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
 email:
 - henrik@nyh.se
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
 - CHANGELOG.md
-- Gemfile
 - README.md
-- Rakefile
-- go_to_param.gemspec
 - lib/go_to_param.rb
 - lib/go_to_param/version.rb
-- spec/go_to_param_spec.rb
 homepage: ''
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -87,9 +38,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key:
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Rails "go_to" redirection param utilities.
-test_files:
-- spec/go_to_param_spec.rb
+test_files: []

data/.gitignore

@@ -1,17 +0,0 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp

data/Gemfile

@@ -1,4 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in go_to_param.gemspec
-gemspec

data/Rakefile

@@ -1,6 +0,0 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
-
-RSpec::Core::RakeTask.new(:spec)
-
-task :default => :spec

data/go_to_param.gemspec

@@ -1,22 +0,0 @@
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'go_to_param/version'
-
-Gem::Specification.new do |spec|
-  spec.name          = "go_to_param"
-  spec.version       = GoToParam::VERSION
-  spec.authors       = ["Henrik N"]
-  spec.email         = ["henrik@nyh.se"]
-  spec.summary       = %q{Rails "go_to" redirection param utilities.}
-  spec.homepage      = ""
-  spec.license       = "MIT"
-
-  spec.files         = `git ls-files`.split($/)
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
-
-  spec.add_development_dependency "bundler", ">= 1.3"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec"
-end

data/spec/go_to_param_spec.rb

@@ -1,172 +0,0 @@
-require_relative "../lib/go_to_param"
-
-describe GoToParam do
-  let(:controller_klass) do
-    Class.new do
-      attr_accessor :params, :view_context, :request
-
-      def self.helper_method(*methods)
-        @helper_methods = methods
-      end
-
-      def self.helper_methods
-        @helper_methods
-      end
-
-      include GoToParam
-    end
-  end
-
-  after { GoToParam.reset_allowed_redirect_prefixes }
-
-  let(:controller) { controller_klass.new }
-
-  describe "#hidden_go_to_tag" do
-    it "becomes a helper method" do
-      expect(controller_klass.helper_methods).to include :hidden_go_to_tag
-    end
-
-    it "adds a hidden field tag" do
-      controller.params = { go_to: "/example", id: "1" }
-      view = double
-      controller.view_context = view
-
-      expect(view).to receive(:hidden_field_tag).with(:go_to, "/example")
-      controller.hidden_go_to_tag
-    end
-  end
-
-  describe "#hidden_go_to_here_tag" do
-    it "becomes a helper method" do
-      expect(controller_klass.helper_methods).to include :hidden_go_to_here_tag
-    end
-
-    it "adds a hidden field tag" do
-      controller.request = double(get?: true, fullpath: "/example")
-      view = double
-      controller.view_context = view
-
-      expect(view).to receive(:hidden_field_tag).with(:go_to, "/example")
-      controller.hidden_go_to_here_tag
-    end
-
-    # Tested in more detail in #go_to_here_params.
-    it "accepts additional query parameters" do
-      controller.request = double(get?: true, fullpath: "/example?a=1")
-      view = double
-      controller.view_context = view
-
-      expect(view).to receive(:hidden_field_tag).with(:go_to, "/example?a=1&b=1+2")
-      controller.hidden_go_to_here_tag(b: "1 2")
-    end
-  end
-
-  describe "#go_to_params" do
-    it "becomes a helper method" do
-      expect(controller_klass.helper_methods).to include :go_to_params
-    end
-
-    it "includes the go_to parameter" do
-      controller.params = { go_to: "/example", id: "1" }
-
-      expect(controller.go_to_params).to eq({ go_to: "/example" })
-    end
-
-    it "accepts additional parameters" do
-      controller.params = { go_to: "/example", id: "1" }
-
-      expect(controller.go_to_params(a: "b")).to eq({ go_to: "/example", a: "b" })
-    end
-  end
-
-  describe "#go_to_here_params" do
-    it "becomes a helper method" do
-      expect(controller_klass.helper_methods).to include :go_to_here_params
-    end
-
-    it "gets the request path as the go_to parameter" do
-      controller.request = double(get?: true, fullpath: "/example")
-      expect(controller.go_to_here_params).to eq({ go_to: "/example" })
-    end
-
-    it "returns an empty hash for a non-GET request" do
-      controller.request = double(get?: false, fullpath: "/example")
-      expect(controller.go_to_here_params).to eq({})
-    end
-
-    it "accepts additional query parameters" do
-      controller.request = double(get?: true, fullpath: "/example")
-      expect(controller.go_to_here_params(foo: "1 2", bar: 3)).to eq({ go_to: "/example?foo=1+2&bar=3" })
-
-      # Handles pre-existing "?"
-      controller.request = double(get?: true, fullpath: "/example?foo")
-      expect(controller.go_to_here_params(bar: 3)).to eq({ go_to: "/example?foo&bar=3" })
-    end
-
-    it "accepts an anchor parameter" do
-      controller.request = double(get?: true, fullpath: "/example")
-      expect(controller.go_to_here_params(foo: "foo", anchor: "bar")).to eq({ go_to: "/example?foo=foo#bar" })
-    end
-
-    it "makes sure the go_to path is valid UTF-8" do
-      weird_path = "\xE0\x80\x80weird\330stuff".force_encoding("ASCII-8BIT")
-      replacement = "\uFFFD"  # The Unicode "Replacement Character".
-
-      controller.request = double(get?: true, fullpath: weird_path)
-
-      go_to_value = controller.go_to_here_params[:go_to]
-
-      expect(go_to_value.encoding).to eq(Encoding::UTF_8)
-      expect(go_to_value).to eq("#{replacement}#{replacement}#{replacement}weird#{replacement}stuff")
-    end
-  end
-
-  describe "#go_to_path" do
-    it "becomes a helper method" do
-      expect(controller_klass.helper_methods).to include :go_to_path
-    end
-
-    it "is the go_to parameter value" do
-      controller.params = { go_to: "/example", id: "1" }
-      expect(controller.go_to_path).to eq("/example")
-    end
-
-    it "is nil if the parameter value is not a relative path" do
-      controller.params = { go_to: "http://evil.com", id: "1" }
-      expect(controller.go_to_path).to be_nil
-    end
-
-    it "is nil when given a hash" do
-      controller.params = { go_to: { evil: "true" }, id: "1" }
-      expect(controller.go_to_path).to be_nil
-    end
-
-    it "respects custom allowed redirect prefixes" do
-      GoToParam.allow_redirect_prefix("myapp://")
-
-      controller.params = { go_to: "myapp://", id: "1" }
-      expect(controller.go_to_path).to eq("myapp://")
-    end
-  end
-
-  describe "#go_to_path_or" do
-    it "becomes a helper method" do
-      expect(controller_klass.helper_methods).to include :go_to_path_or
-    end
-
-    it "is the go_to parameter value" do
-      controller.params = { go_to: "/example", id: "1" }
-      expect(controller.go_to_path_or("/default")).to eq("/example")
-    end
-
-    it "falls back if the go_to param is blank" do
-      controller.params = { go_to: "", id: "1" }
-      expect(controller.go_to_path_or("/default")).to eq("/default")
-    end
-
-    it "falls back if the go_to param is not allowed" do
-      controller.params = { go_to: "http://evil.com", id: "1" }
-      expect(controller.go_to_path_or("/default")).to eq("/default")
-    end
-  end
-end