graphql_devise 0.13.5 → 0.13.6

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 005b85ca3899cb7b69c3505680be677fa935f80b3d63480fbf65d7f116775efa
4
- data.tar.gz: 8473a4ff5404ec543f57c9d95ad2844a039ba691865ca2d8fbea15a197f6d9b7
3
+ metadata.gz: e90de970ae686dd8437156a6d830b922c1fe4369c10206532073e5bb3f8f75f8
4
+ data.tar.gz: 3a74fe59c81889eb9f5a4bb42710d4cb7e086b9a9bdbd0e9bd09a370ccd7f435
5
5
  SHA512:
6
- metadata.gz: 1accf0a12781a9b53b0f17f25226c3cd8fb8e31e26e435ce1040a132f83f508e06532c202a3789a90dcb0fd54dd10e72d047c5da1b431bb8d1147c319abc4870
7
- data.tar.gz: 4d5649f9f7d724cfbd6fc8a06e5acf2e0a3196d5f6ef7e8f4d5a569f39ae9978fc3ab6a956c110a19a7c8783b753e61f40aac9b8dcc77100b52ce14b3f6bff1b
6
+ metadata.gz: 0f608b88cf17acc4e8c4d7d54fb4d578afb38d2c7f7a73b9df2cee7b9661cdb6a35b1b45e4a6d7c05e022a334f6c7ed8bf1427b301422c2e27f191a830dde621
7
+ data.tar.gz: 5d5bc1eab5158c5134f18a7f2f85e0653139ee13d67c45efb7050274d41ed6f1a5c2dee0c97c57ca987bd7f74556cbca9ae478b7782aee28f5967308d7bd3c92
@@ -1,5 +1,14 @@
1
1
  # Changelog
2
2
 
3
+ ## [v0.13.6](https://github.com/graphql-devise/graphql_devise/tree/v0.13.6) (2020-12-22)
4
+
5
+ [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.5...v0.13.6)
6
+
7
+ **Security fixes:**
8
+
9
+ - Possible security issue with password reset and redirectUrl [\#136](https://github.com/graphql-devise/graphql_devise/issues/136)
10
+ - Add redirect whitelist validation to all queries and mutations [\#140](https://github.com/graphql-devise/graphql_devise/pull/140) ([mcelicalderon](https://github.com/mcelicalderon))
11
+
3
12
  ## [v0.13.5](https://github.com/graphql-devise/graphql_devise/tree/v0.13.5) (2020-11-20)
4
13
 
5
14
  [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.4...v0.13.5)
@@ -1,5 +1,6 @@
1
1
  en:
2
2
  graphql_devise:
3
+ redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
3
4
  registration_failed: "User couldn't be registered"
4
5
  resource_build_failed: "Resource couldn't be built, execution stopped."
5
6
  not_authenticated: "User is not logged in."
@@ -7,7 +8,6 @@ en:
7
8
  invalid_resource: "Errors present in the resource."
8
9
  registrations:
9
10
  missing_confirm_redirect_url: "Missing 'confirm_success_url' parameter. Required when confirmable module is enabled."
10
- redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
11
11
  passwords:
12
12
  update_password_error: "Unable to update user password"
13
13
  missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
@@ -7,6 +7,12 @@ module GraphqlDevise
7
7
 
8
8
  private
9
9
 
10
+ def check_redirect_url_whitelist!(redirect_url)
11
+ if blacklisted_redirect_url?(redirect_url)
12
+ raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
13
+ end
14
+ end
15
+
10
16
  def raise_user_error(message)
11
17
  raise GraphqlDevise::UserError, message
12
18
  end
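Review bot: `check_redirect_url_whitelist!` at line 10 carries no comment, and the behaviour a host-app maintainer most needs to know is what happens when no whitelist is configured: the method raises only when `blacklisted_redirect_url?` is truthy, and if that helper follows devise_token_auth's implementation it returns false whenever `DeviseTokenAuth.redirect_whitelist` is unset, which would make the new validation a no-op until the application opts in. I would state that above the method: `# Raises GraphqlDevise::UserError unless redirect_url is allowed by DeviseTokenAuth.redirect_whitelist; with no whitelist configured every URL is accepted (verify against blacklisted_redirect_url?).` The comment is also the place to explain why a method named after a whitelist delegates to a blacklist predicate. The enclosing module starts outside the hunk.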
@@ -9,6 +9,8 @@ module GraphqlDevise
9
9
  field :message, String, null: false
10
10
 
11
11
  def resolve(email:, redirect_url:)
12
+ check_redirect_url_whitelist!(redirect_url)
13
+
12
14
  resource = find_confirmable_resource(email)
13
15
 
14
16
  if resource
@@ -9,6 +9,8 @@ module GraphqlDevise
9
9
  field :message, String, null: false
10
10
 
11
11
  def resolve(email:, redirect_url:)
12
+ check_redirect_url_whitelist!(redirect_url)
13
+
12
14
  resource = find_resource(:email, get_case_insensitive_field(:email, email))
13
15
 
14
16
  if resource
@@ -22,9 +22,7 @@ module GraphqlDevise
22
22
  raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
23
23
  end
24
24
 
25
- if blacklisted_redirect_url?(redirect_url)
26
- raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
27
- end
25
+ check_redirect_url_whitelist!(redirect_url)
28
26
 
29
27
  resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
30
28
 
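Review bot: Replacing the inline check with `check_redirect_url_whitelist!` at line 25 also moves the error text from the `graphql_devise.registrations.redirect_url_not_allowed` locale key to the top-level `graphql_devise.redirect_url_not_allowed` key, as the locale section of this diff shows; a host app that customised the old key in its own locale files loses that override silently, with no error to point at the cause. That deserves an explicit entry in the changelog and README, e.g. `- Locale key graphql_devise.registrations.redirect_url_not_allowed moved to graphql_devise.redirect_url_not_allowed`. The enclosing method starts and ends outside the hunk.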
@@ -27,6 +27,7 @@ module GraphqlDevise
27
27
  )
28
28
 
29
29
  if redirect_url.present?
30
+ check_redirect_url_whitelist!(redirect_url)
30
31
  controller.redirect_to(resource.build_auth_url(redirect_url, built_redirect_headers))
31
32
  else
32
33
  set_auth_headers(resource)
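Review bot: The whitelist check at line 30 runs only after whatever the method did with the reset token above line 27, whereas every other hunk in this change validates `redirect_url` as the first statement of `resolve`; if the preceding code has already looked up and saved the recoverable resource, a rejected redirect is reported only after that state change has happened. Moving the check to the top of the method, `check_redirect_url_whitelist!(redirect_url) if redirect_url.present?`, keeps the ordering consistent with the other resolvers and fails before any work is done on the account. The enclosing method starts and ends outside the hunk, so I cannot confirm what precedes the `)` on line 27.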
@@ -7,6 +7,8 @@ module GraphqlDevise
7
7
  argument :redirect_url, String, required: true
8
8
 
9
9
  def resolve(confirmation_token:, redirect_url:)
10
+ check_redirect_url_whitelist!(redirect_url)
11
+
10
12
  resource = resource_class.confirm_by_token(confirmation_token)
11
13
 
12
14
  if resource.errors.empty?
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module GraphqlDevise
4
- VERSION = '0.13.5'.freeze
4
+ VERSION = '0.13.6'.freeze
5
5
  end
@@ -39,6 +39,8 @@ DeviseTokenAuth.setup do |config|
39
39
 
40
40
  config.default_confirm_success_url = 'https://google.com'
41
41
 
42
+ config.redirect_whitelist = ['https://google.com']
43
+
42
44
  # By default we will use callbacks for single omniauth.
43
45
  # It depends on fields like email, provider and uid.
44
46
  # config.default_callbacks = true
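Review bot: The whitelist added at line 42 lives only in the spec dummy app, and nothing in this diff tells a host application that `DeviseTokenAuth.redirect_whitelist` must be set for the new validation to reject anything; if `blacklisted_redirect_url?` follows devise_token_auth's implementation it returns false when that setting is nil, so an app that upgrades without touching its initializer gains no protection. A comment beside the setting would make the dependency visible to anyone copying this config: `# Required for the redirect_url validation in the GraphQL resolvers; without it every redirect_url is accepted.` The README and the changelog entry for #140 should carry the same statement for host apps. The `DeviseTokenAuth.setup` block starts outside the hunk.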
@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
9
9
  let(:password) { Faker::Internet.password }
10
10
  let(:password_confirmation) { password }
11
11
  let(:email) { Faker::Internet.email }
12
- let(:redirect) { Faker::Internet.url }
13
12
 
14
13
  context 'when using the user model' do
15
14
  let(:query) do
@@ -9,7 +9,7 @@ RSpec.describe 'Resend confirmation' do
9
9
  let!(:user) { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
10
10
  let(:email) { user.email }
11
11
  let(:id) { user.id }
12
- let(:redirect) { Faker::Internet.url }
12
+ let(:redirect) { 'https://google.com' }
13
13
  let(:query) do
14
14
  <<-GRAPHQL
15
15
  mutation {
@@ -23,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
23
23
  GRAPHQL
24
24
  end
25
25
 
26
+ context 'when redirect_url is not whitelisted' do
27
+ let(:redirect) { 'https://not-safe.com' }
28
+
29
+ it 'returns a not whitelisted redirect url error' do
30
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
31
+
32
+ expect(json_response[:errors]).to containing_exactly(
33
+ hash_including(
34
+ message: "Redirect to '#{redirect}' not allowed.",
35
+ extensions: { code: 'USER_ERROR' }
36
+ )
37
+ )
38
+ end
39
+ end
40
+
26
41
  context 'when params are correct' do
27
42
  context 'when using the gem schema' do
28
43
  it 'sends an email to the user with confirmation url and returns a success message' do
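Review bot: The negative case at line 27 only uses an unrelated host, `https://not-safe.com`, so it would still pass if the whitelist matcher did prefix or substring matching against the configured `https://google.com`; the usual open-redirect bypasses for such an allow-list are `https://google.com.evil.example`, `https://google.com@evil.example` and `https://evil.example/?next=https://google.com`. Iterating those values into this context (a `%w[...].each` loop around the same expectations) pins the matcher to the full origin rather than to a substring. Whether the current matcher is actually vulnerable depends on devise_token_auth's whitelist implementation, which is not in the diff.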
@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
7
7
 
8
8
  let!(:user) { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
9
9
  let(:email) { user.email }
10
- let(:redirect_url) { Faker::Internet.url }
10
+ let(:redirect_url) { 'https://google.com' }
11
11
  let(:query) do
12
12
  <<-GRAPHQL
13
13
  mutation {
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
21
21
  GRAPHQL
22
22
  end
23
23
 
24
+ context 'when redirect_url is not whitelisted' do
25
+ let(:redirect_url) { 'https://not-safe.com' }
26
+
27
+ it 'returns a not whitelisted redirect url error' do
28
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
29
+
30
+ expect(json_response[:errors]).to containing_exactly(
31
+ hash_including(
32
+ message: "Redirect to '#{redirect_url}' not allowed.",
33
+ extensions: { code: 'USER_ERROR' }
34
+ )
35
+ )
36
+ end
37
+ end
38
+
24
39
  context 'when params are correct' do
25
40
  context 'when using the gem schema' do
26
41
  it 'sends password reset email' do
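Review bot: The new context at line 24 asserts the error and that no mail was delivered, but not that the account was left untouched; the point of #136 is that a reset link for an attacker-chosen URL must never be generated, so it is worth also asserting that no reset token was created, `expect(user.reload.reset_password_token).to be_nil`, assuming the model uses Devise's recoverable column of that name. That guards against a future reordering that sets the token before the whitelist check runs while mail happens to stay suppressed.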
@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
8
8
  let(:name) { Faker::Name.name }
9
9
  let(:password) { Faker::Internet.password }
10
10
  let(:email) { Faker::Internet.email }
11
- let(:redirect) { Faker::Internet.url }
11
+ let(:redirect) { 'https://google.com' }
12
12
 
13
13
  context 'when using the user model' do
14
14
  let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
31
31
  GRAPHQL
32
32
  end
33
33
 
34
+ context 'when redirect_url is not whitelisted' do
35
+ let(:redirect) { 'https://not-safe.com' }
36
+
37
+ it 'returns a not whitelisted redirect url error' do
38
+ expect { post_request }.to(
39
+ not_change(User, :count)
40
+ .and(not_change(ActionMailer::Base.deliveries, :count))
41
+ )
42
+
43
+ expect(json_response[:errors]).to containing_exactly(
44
+ hash_including(
45
+ message: "Redirect to '#{redirect}' not allowed.",
46
+ extensions: { code: 'USER_ERROR' }
47
+ )
48
+ )
49
+ end
50
+ end
51
+
34
52
  context 'when params are correct' do
35
53
  it 'creates a new resource that requires confirmation' do
36
54
  expect { post_request }.to(
@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
54
54
  expect(response.body).to include('uid=')
55
55
  expect(response.body).to include('expiry=')
56
56
  end
57
+
58
+ context 'when redirect_url is not whitelisted' do
59
+ let(:redirect_url) { 'https://not-safe.com' }
60
+
61
+ before { post_request }
62
+
63
+ it 'returns a not whitelisted redirect url error' do
64
+ expect(json_response[:errors]).to containing_exactly(
65
+ hash_including(
66
+ message: "Redirect to '#{redirect_url}' not allowed.",
67
+ extensions: { code: 'USER_ERROR' }
68
+ )
69
+ )
70
+ end
71
+ end
57
72
  end
58
73
 
59
74
  context 'when token has expired' do
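Review bot: The rejected-redirect context at line 58 asserts only the error message, while the property this change protects is that auth credentials are not handed to the untrusted URL; the test should also assert that no redirect and no tokens were emitted, e.g. `expect(response).not_to be_redirect` and `expect(response.body).not_to include('uid=')`, mirroring the positive assertions at lines 54-55. If the resolver saves the resource before validating the redirect (that code is outside this section), checking that the reset token is still usable afterwards via `user.reload` would also be worthwhile.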
@@ -7,7 +7,7 @@ RSpec.describe 'Account confirmation' do
7
7
 
8
8
  context 'when using the user model' do
9
9
  let(:user) { create(:user, confirmed_at: nil) }
10
- let(:redirect) { Faker::Internet.url }
10
+ let(:redirect) { 'https://google.com' }
11
11
  let(:query) do
12
12
  <<-GRAPHQL
13
13
  {
@@ -43,6 +43,21 @@ RSpec.describe 'Account confirmation' do
43
43
  expect(user).to be_active_for_authentication
44
44
  end
45
45
 
46
+ context 'when redirect_url is not whitelisted' do
47
+ let(:redirect) { 'https://not-safe.com' }
48
+
49
+ it 'returns a not whitelisted redirect url error' do
50
+ expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
51
+
52
+ expect(json_response[:errors]).to containing_exactly(
53
+ hash_including(
54
+ message: "Redirect to '#{redirect}' not allowed.",
55
+ extensions: { code: 'USER_ERROR' }
56
+ )
57
+ )
58
+ end
59
+ end
60
+
46
61
  context 'when unconfirmed_email is present' do
47
62
  let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
48
63
 
@@ -81,7 +96,7 @@ RSpec.describe 'Account confirmation' do
81
96
 
82
97
  context 'when using the admin model' do
83
98
  let(:admin) { create(:admin, confirmed_at: nil) }
84
- let(:redirect) { Faker::Internet.url }
99
+ let(:redirect) { 'https://google.com' }
85
100
  let(:query) do
86
101
  <<-GRAPHQL
87
102
  {
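Review bot: The not-whitelisted context at line 46 checks the error and the mail count but not that confirmation did not happen; since the resolver now validates the URL before `confirm_by_token`, asserting `expect(user.reload.confirmed_at).to be_nil` (the counterpart of `be_active_for_authentication` at line 43 on the positive path) pins that ordering so a later refactor cannot confirm the account and only then fail on the redirect. The `user` here is created with `confirmed_at: nil` at line 9, so the assertion is well-defined; the admin-model context at line 97 would benefit from the same case.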
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: graphql_devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.13.5
4
+ version: 0.13.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mario Celi
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: exe
11
11
  cert_chain: []
12
- date: 2020-11-20 00:00:00.000000000 Z
12
+ date: 2020-12-22 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: devise_token_auth