linkedin_sign_in 0.4.0 → 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +40 -40
- data/README.md +1 -1
- data/app/controllers/linkedin_sign_in/authorizations_controller.rb +2 -0
- data/lib/linkedin_sign_in/redirect_protector.rb +2 -2
- data/linkedin_sign_in.gemspec +1 -1
- data/test/controllers/callbacks_controller_test.rb +5 -0
- data/test/models/redirect_protector_test.rb +7 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3f8985d4d6e80ebff3c604f93d84431384c778f4dda5fc1eb8f4a000e9cdd85d
|
|
4
|
+
data.tar.gz: 13111de62ee932965e347d7af6ba72cb0f5f4a876324d3e27e2286c928dab29d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cdb09852791dc5819b7c6736f2425406210c5a31dee6e996d6f991d448c4e6f26155fa6c20edc5aa9f358ec8dd877e80cbfae5328e8a649c7d2a5c3bb73ab66d
|
|
7
|
+
data.tar.gz: 7baf9711c87dd68155f6fdd412a5d9c3384a2ff41743f1ec2775e168b44437230256560b1be5cb719b8dc169714c2d5a1e87dff535fe4c8ee8d3dc18f388a501
|
data/Gemfile.lock
CHANGED
|
@@ -1,50 +1,50 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
linkedin_sign_in (0.
|
|
4
|
+
linkedin_sign_in (0.5.0)
|
|
5
5
|
oauth2 (>= 1.4.0)
|
|
6
6
|
rails (>= 5.2.0)
|
|
7
7
|
|
|
8
8
|
GEM
|
|
9
9
|
remote: https://rubygems.org/
|
|
10
10
|
specs:
|
|
11
|
-
actioncable (5.2.
|
|
12
|
-
actionpack (= 5.2.
|
|
11
|
+
actioncable (5.2.3)
|
|
12
|
+
actionpack (= 5.2.3)
|
|
13
13
|
nio4r (~> 2.0)
|
|
14
14
|
websocket-driver (>= 0.6.1)
|
|
15
|
-
actionmailer (5.2.
|
|
16
|
-
actionpack (= 5.2.
|
|
17
|
-
actionview (= 5.2.
|
|
18
|
-
activejob (= 5.2.
|
|
15
|
+
actionmailer (5.2.3)
|
|
16
|
+
actionpack (= 5.2.3)
|
|
17
|
+
actionview (= 5.2.3)
|
|
18
|
+
activejob (= 5.2.3)
|
|
19
19
|
mail (~> 2.5, >= 2.5.4)
|
|
20
20
|
rails-dom-testing (~> 2.0)
|
|
21
|
-
actionpack (5.2.
|
|
22
|
-
actionview (= 5.2.
|
|
23
|
-
activesupport (= 5.2.
|
|
21
|
+
actionpack (5.2.3)
|
|
22
|
+
actionview (= 5.2.3)
|
|
23
|
+
activesupport (= 5.2.3)
|
|
24
24
|
rack (~> 2.0)
|
|
25
25
|
rack-test (>= 0.6.3)
|
|
26
26
|
rails-dom-testing (~> 2.0)
|
|
27
27
|
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
|
28
|
-
actionview (5.2.
|
|
29
|
-
activesupport (= 5.2.
|
|
28
|
+
actionview (5.2.3)
|
|
29
|
+
activesupport (= 5.2.3)
|
|
30
30
|
builder (~> 3.1)
|
|
31
31
|
erubi (~> 1.4)
|
|
32
32
|
rails-dom-testing (~> 2.0)
|
|
33
33
|
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
|
34
|
-
activejob (5.2.
|
|
35
|
-
activesupport (= 5.2.
|
|
34
|
+
activejob (5.2.3)
|
|
35
|
+
activesupport (= 5.2.3)
|
|
36
36
|
globalid (>= 0.3.6)
|
|
37
|
-
activemodel (5.2.
|
|
38
|
-
activesupport (= 5.2.
|
|
39
|
-
activerecord (5.2.
|
|
40
|
-
activemodel (= 5.2.
|
|
41
|
-
activesupport (= 5.2.
|
|
37
|
+
activemodel (5.2.3)
|
|
38
|
+
activesupport (= 5.2.3)
|
|
39
|
+
activerecord (5.2.3)
|
|
40
|
+
activemodel (= 5.2.3)
|
|
41
|
+
activesupport (= 5.2.3)
|
|
42
42
|
arel (>= 9.0)
|
|
43
|
-
activestorage (5.2.
|
|
44
|
-
actionpack (= 5.2.
|
|
45
|
-
activerecord (= 5.2.
|
|
43
|
+
activestorage (5.2.3)
|
|
44
|
+
actionpack (= 5.2.3)
|
|
45
|
+
activerecord (= 5.2.3)
|
|
46
46
|
marcel (~> 0.3.1)
|
|
47
|
-
activesupport (5.2.
|
|
47
|
+
activesupport (5.2.3)
|
|
48
48
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
49
49
|
i18n (>= 0.7, < 2)
|
|
50
50
|
minitest (~> 5.1)
|
|
@@ -81,9 +81,9 @@ GEM
|
|
|
81
81
|
minitest (5.11.3)
|
|
82
82
|
multi_json (1.13.1)
|
|
83
83
|
multi_xml (0.6.0)
|
|
84
|
-
multipart-post (2.
|
|
84
|
+
multipart-post (2.1.0)
|
|
85
85
|
nio4r (2.3.1)
|
|
86
|
-
nokogiri (1.10.
|
|
86
|
+
nokogiri (1.10.3)
|
|
87
87
|
mini_portile2 (~> 2.4.0)
|
|
88
88
|
oauth2 (1.4.1)
|
|
89
89
|
faraday (>= 0.8, < 0.16.0)
|
|
@@ -92,30 +92,30 @@ GEM
|
|
|
92
92
|
multi_xml (~> 0.5)
|
|
93
93
|
rack (>= 1.2, < 3)
|
|
94
94
|
public_suffix (3.0.3)
|
|
95
|
-
rack (2.0.
|
|
95
|
+
rack (2.0.7)
|
|
96
96
|
rack-test (1.1.0)
|
|
97
97
|
rack (>= 1.0, < 3)
|
|
98
|
-
rails (5.2.
|
|
99
|
-
actioncable (= 5.2.
|
|
100
|
-
actionmailer (= 5.2.
|
|
101
|
-
actionpack (= 5.2.
|
|
102
|
-
actionview (= 5.2.
|
|
103
|
-
activejob (= 5.2.
|
|
104
|
-
activemodel (= 5.2.
|
|
105
|
-
activerecord (= 5.2.
|
|
106
|
-
activestorage (= 5.2.
|
|
107
|
-
activesupport (= 5.2.
|
|
98
|
+
rails (5.2.3)
|
|
99
|
+
actioncable (= 5.2.3)
|
|
100
|
+
actionmailer (= 5.2.3)
|
|
101
|
+
actionpack (= 5.2.3)
|
|
102
|
+
actionview (= 5.2.3)
|
|
103
|
+
activejob (= 5.2.3)
|
|
104
|
+
activemodel (= 5.2.3)
|
|
105
|
+
activerecord (= 5.2.3)
|
|
106
|
+
activestorage (= 5.2.3)
|
|
107
|
+
activesupport (= 5.2.3)
|
|
108
108
|
bundler (>= 1.3.0)
|
|
109
|
-
railties (= 5.2.
|
|
109
|
+
railties (= 5.2.3)
|
|
110
110
|
sprockets-rails (>= 2.0.0)
|
|
111
111
|
rails-dom-testing (2.0.3)
|
|
112
112
|
activesupport (>= 4.2.0)
|
|
113
113
|
nokogiri (>= 1.6)
|
|
114
114
|
rails-html-sanitizer (1.0.4)
|
|
115
115
|
loofah (~> 2.2, >= 2.2.2)
|
|
116
|
-
railties (5.2.
|
|
117
|
-
actionpack (= 5.2.
|
|
118
|
-
activesupport (= 5.2.
|
|
116
|
+
railties (5.2.3)
|
|
117
|
+
actionpack (= 5.2.3)
|
|
118
|
+
activesupport (= 5.2.3)
|
|
119
119
|
method_source
|
|
120
120
|
rake (>= 0.8.7)
|
|
121
121
|
thor (>= 0.19.0, < 2.0)
|
data/README.md
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
require 'securerandom'
|
|
2
2
|
|
|
3
3
|
class LinkedinSignIn::AuthorizationsController < LinkedinSignIn::BaseController
|
|
4
|
+
skip_forgery_protection only: :create
|
|
5
|
+
|
|
4
6
|
def create
|
|
5
7
|
redirect_to login_url(scope: 'r_basicprofile r_emailaddress', state: state),
|
|
6
8
|
flash: { proceed_to: params.require(:proceed_to), state: state }
|
|
@@ -9,8 +9,8 @@ module LinkedinSignIn
|
|
|
9
9
|
QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
|
|
10
10
|
|
|
11
11
|
def ensure_same_origin(target, source)
|
|
12
|
-
if target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source)
|
|
13
|
-
raise Violation, "Redirect target #{target} does not have same origin as request (expected #{origin_of(source)})"
|
|
12
|
+
if target.blank? || (target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source))
|
|
13
|
+
raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
|
|
14
14
|
end
|
|
15
15
|
end
|
|
16
16
|
|
data/linkedin_sign_in.gemspec
CHANGED
|
@@ -101,6 +101,11 @@ class LinkedinSignIn::CallbacksControllerTest < ActionDispatch::IntegrationTest
|
|
|
101
101
|
assert_response :bad_request
|
|
102
102
|
end
|
|
103
103
|
|
|
104
|
+
test "receiving no proceed_to URL" do
|
|
105
|
+
get linkedin_sign_in.callback_url(code: '4/SgCpHSVW5-Cy', state: 'invalid')
|
|
106
|
+
assert_response :bad_request
|
|
107
|
+
end
|
|
108
|
+
|
|
104
109
|
private
|
|
105
110
|
def stub_token_for(code, **response_body)
|
|
106
111
|
stub_token_request(code, status: 200, response: response_body)
|
|
@@ -20,6 +20,13 @@ class LinkedinSignIn::RedirectProtectorTest < ActiveSupport::TestCase
|
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
+
test "disallows empty URL target" do
|
|
24
|
+
assert_raises LinkedinSignIn::RedirectProtector::Violation do
|
|
25
|
+
LinkedinSignIn::RedirectProtector.ensure_same_origin nil, 'http://genezys.net'
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
|
|
23
30
|
test "allows URL target with same origin as source" do
|
|
24
31
|
assert_nothing_raised do
|
|
25
32
|
LinkedinSignIn::RedirectProtector.ensure_same_origin 'https://genezys.net', 'https://genezys.net'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: linkedin_sign_in
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Vincent Robert
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-05-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|