RubyGems - google_sign_in - Versions diffs - 1.3.0 → 1.3.1 - Mend

google_sign_in 1.3.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

checksums.yaml +4 -4
data/lib/google_sign_in/redirect_protector.rb +14 -7
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16eb49d978d32c5adbbf335592b9e79c21c3190ac7c84a20c178de66a6e78ace
-  data.tar.gz: d4b2e3f1e01fc1b2087f47014fd52b8922176c679a799327024fbf98c43651e4
+  metadata.gz: dfe05cd0a40d687c9ae015737635dd5eb33cb2f5deb77db5b1f37deb82a661b8
+  data.tar.gz: 3e13c0115dd7e72abf34f2f372d5029a45e9c43e6bc990d202e3621edc3646b4
 SHA512:
-  metadata.gz: '0389d4328829b546676d7ce5f228ab87d0d1db25abfb1a616b8232b9233d7766520f517c276b933e302e88eaddaf805e7ccb7c36af05a1a328f885f5c563e234'
-  data.tar.gz: 363d2af3de4f85988a605cfd3ca5ff63b247a572d9d4bf6b6c8e9097f1c00892f8a421b86c710b2cfd6625b716d161cc93c57a375795dc1a05df96509329696b
+  metadata.gz: de8d6086555c8e1a4c236c1f9fef9731d49a30d83fbdfae5f545e9b52e0728614c6ba361e37811e8d787b980234712f55a35e1a5d94ac4381eb0ab07071d363d
+  data.tar.gz: a1c90d9c4f4542b92afbacab1fa400b699783f8e0108669f76cfa07f37dafe63011d949b9a59b6ce4393c9fdc2ea75d195b412d895e5c3b537720498f5186e44

data/lib/google_sign_in/redirect_protector.rb CHANGED Viewed

@@ -9,20 +9,27 @@ module GoogleSignIn
     QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
     def ensure_same_origin(target, source)
-      if (target =~ QUALIFIED_URL_PATTERN && origin_of(target) == origin_of(source)) ||
-         target =~ URI::DEFAULT_PARSER.regexp[:ABS_PATH]
-        return
+      unless uri_same_origin?(target, source) || absolute_path?(target)
+        raise Violation, "Redirect target #{target.inspect} does not have same origin as request #{source.inspect}"
       end
-      raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
     end
     private
+      def uri_same_origin?(target, source)
+        target =~ QUALIFIED_URL_PATTERN && origin_of(target) == origin_of(source)
+      rescue ArgumentError, URI::Error
+        false
+      end
+      def absolute_path?(target)
+        target =~ URI::DEFAULT_PARSER.regexp[:ABS_PATH] && URI(target).host.nil? && !target.start_with?("//")
+      rescue ArgumentError, URI::Error
+        false
+      end
       def origin_of(url)
         uri = URI(url)
         "#{uri.scheme}://#{uri.host}:#{uri.port}"
-      rescue ArgumentError
-        nil
       end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google_sign_in
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - David Heinemeier Hansson