heroku-bouncer 0.4.0 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03abaeaa8715d6bcd3f72fad85fa58dd8f0645c0
-  data.tar.gz: 0debdadff5ca498f87a3f2d90a37b80dd00c84ce
+  metadata.gz: 561e884f024ac6a325bb3b923da047eb4e1093a2
+  data.tar.gz: 693c9b580e04067aff895f73b74124b55ca9c96c
 SHA512:
-  metadata.gz: e1d4d8f927f12a89f3d4f2d6855129a14ac623a08b99e2e1cb81d9d82810e57b6cf727fdb99f3398696f19b3ba827f96af8e817c230f70a56d9dd5db80fe85ab
-  data.tar.gz: c018b6dc635a21cfeb88da1fb57869c40e8ef8d5eaa411b091ffea5fe0e2f3e453e110255d8777d89d91021c597e7fd03dfdba852c2692b599ad7d13f24e9de4
+  metadata.gz: f4191578a75d18970863267576af3f1427d36d8663231ea1b86bf5f6fa74cfb5ca72dc1034c04729ebcd1f2c4cd6dd9c9e61e35d3da521bc087fc18c12211896
+  data.tar.gz: d3089222610ba125714dd08f1b9457ad9727a7c9bfabcaa25ea3adcdc4386036381072e6fc59a20a3cb5612ac73cba2d7560df104762fcf620aa1f6998246d35

data/lib/heroku/bouncer/middleware.rb

@@ -78,7 +78,9 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
     store_write(@session_sync_nonce.to_sym, session_nonce_cookie) if @session_sync_nonce
     store_write(:token, token) if @expose_token
     store_write(:expires_at, Time.now.to_i + 3600 * 8)
-    redirect to(store_delete(:return_to) || '/')
+
+    return_to = store_delete(:return_to) || '/'
+    redirect to(enforce_host(request.host, return_to))
   end
 
   # something went wrong
@@ -198,4 +200,11 @@ private
     end
   end
 
+  # Prevent open redirect vulnerabilities by setting the current host
+  def enforce_host(host, url)
+    return_to = URI.parse(url) rescue '/'
+    return_to.host = request.host
+    return_to.to_s
+  end
+
 end

metadata

@@ -1,153 +1,153 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-29 00:00:00.000000000 Z
+date: 2014-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: minitest-spec-context
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: delorean
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: ID please.
@@ -158,15 +158,15 @@ extensions: []
 extra_rdoc_files:
 - README.md
 files:
-- lib/heroku/bouncer/lockbox.rb
-- lib/heroku/bouncer/decrypted_hash.rb
+- Gemfile
+- README.md
+- Rakefile
+- lib/heroku/bouncer.rb
 - lib/heroku/bouncer/builder.rb
+- lib/heroku/bouncer/decrypted_hash.rb
 - lib/heroku/bouncer/json_parser.rb
+- lib/heroku/bouncer/lockbox.rb
 - lib/heroku/bouncer/middleware.rb
-- lib/heroku/bouncer.rb
-- README.md
-- Gemfile
-- Rakefile
 homepage: https://github.com/heroku/heroku-bouncer
 licenses:
 - MIT
@@ -177,17 +177,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Rapidly add Heroku OAuth to your Ruby app.