oauth 1.1.4 → 1.1.6

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version  | Supported |
 |----------|-----------|
-| 1.latest | ✅         |
+| 1.1.latest | ✅         |
 
 ## Security contact information
 
@@ -12,8 +12,6 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP].
-
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -21,4 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-[IRP]: IRP.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/oauth/auth_sanitizer.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module OAuth
+  AUTH_SANITIZER = begin
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.1", ">= 0.1.3")
+    auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
+    unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
+      # :nocov:
+      auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_path = File.join(
+      auth_sanitizer_spec.full_gem_path,
+      "lib/auth_sanitizer/loader.rb",
+    )
+    unless File.file?(auth_sanitizer_loader_path)
+      # :nocov:
+      raise LoadError, "oauth requires auth-sanitizer #{auth_sanitizer_requirement}; " \
+        "loader not found at #{auth_sanitizer_loader_path}"
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_namespace = Module.new
+    auth_sanitizer_loader_namespace.module_eval(
+      File.read(auth_sanitizer_loader_path),
+      auth_sanitizer_loader_path,
+      1,
+    )
+
+    auth_sanitizer_loader_namespace
+      .const_get(:AuthSanitizer)
+      .const_get(:Loader)
+      .load_isolated
+  end
+end

data/lib/oauth/consumer.rb

@@ -10,10 +10,10 @@ require "cgi"
 module OAuth
   # Consumer credentials and request configuration for OAuth 1.0 / 1.0a flows.
   #
-  # Includes {Auth::Sanitizer::FilteredAttributes} so inspect output redacts the
+  # Includes {OAuth::AUTH_SANITIZER::FilteredAttributes} so inspect output redacts the
   # consumer secret while leaving non-sensitive configuration visible.
   class Consumer
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     # Instance attributes exposed by the consumer.
     #
@@ -89,6 +89,12 @@ module OAuth
         body_hash_enabled: true,
 
         oauth_version: "1.0",
+
+        # Token endpoint redirects are followed only within the same origin by
+        # default. Cross-origin redirects can re-sign token requests for an
+        # attacker-controlled endpoint, so they require explicit opt-in.
+        token_request_max_redirects: 10,
+        token_request_cross_origin_redirects: false,
       },
     )
 
@@ -294,14 +300,13 @@ module OAuth
     end
 
     # Creates a request and parses the result as url_encoded. This is used internally for the RequestToken and AccessToken requests.
-    def token_request(http_method, path, token = nil, request_options = {}, *arguments)
-      request_options[:token_request] ||= true
-      response = request(http_method, path, token, request_options, *arguments)
+    def token_request(http_method, path, token = nil, request_options = {}, *arguments, &block)
+      response = request(http_method, path, token, token_request_options(request_options), *arguments)
       case response.code.to_i
 
       when (200..299)
-        if block_given?
-          yield response.body
+        if block
+          block.call(response.body)
         else
           # symbolize keys
           # TODO this could be considered unexpected behavior; symbols or not?
@@ -312,19 +317,17 @@ module OAuth
           end
         end
       when (300..399)
-        # Parse redirect to follow
-        uri = URI.parse(response["location"])
-        our_uri = URI.parse(site)
-
-        # Guard against infinite redirects
-        response.error! if uri.path == path && our_uri.host == uri.host
+        current_uri = token_request_uri(path)
+        redirected_uri = token_request_redirect_uri(current_uri, response)
+        response.error! unless redirected_uri
 
-        if uri.path == path && our_uri.host != uri.host
-          options[:site] = "#{uri.scheme}://#{uri.host}"
-          @http = create_http
-        end
+        redirect_count = request_options[:token_request_redirect_count].to_i + 1
+        response.error! if redirect_count > token_request_max_redirects(request_options)
+        response.error! if token_request_cross_origin?(current_uri, redirected_uri) &&
+          !token_request_cross_origin_redirects?(request_options)
 
-        token_request(http_method, uri.path, token, request_options, arguments)
+        redirect_options = request_options.merge(token_request_redirect_count: redirect_count)
+        token_request(http_method, token_request_redirect_path(current_uri, redirected_uri), token, redirect_options, *arguments, &block)
       when (400..499)
         raise OAuth::Unauthorized, response
       else
@@ -332,6 +335,55 @@ module OAuth
       end
     end
 
+    def token_request_options(request_options)
+      request_options.merge(token_request: true).tap do |options|
+        options.delete(:token_request_redirect_count)
+        options.delete(:token_request_max_redirects)
+        options.delete(:token_request_cross_origin_redirects)
+      end
+    end
+
+    def token_request_uri(path)
+      uri = URI.parse(path)
+      return uri if uri.absolute?
+
+      URI.parse(site).merge(path)
+    end
+
+    def token_request_redirect_uri(current_uri, response)
+      location = response["location"]
+      return if location.nil? || location.to_s.empty?
+
+      current_uri.merge(location)
+    end
+
+    def token_request_redirect_path(current_uri, redirected_uri)
+      return redirected_uri.to_s if token_request_cross_origin?(current_uri, redirected_uri)
+
+      redirected_uri.request_uri
+    end
+
+    def token_request_max_redirects(request_options)
+      request_options[:token_request_max_redirects] || options[:token_request_max_redirects]
+    end
+
+    def token_request_cross_origin_redirects?(request_options)
+      request_options.fetch(:token_request_cross_origin_redirects, options[:token_request_cross_origin_redirects])
+    end
+
+    def token_request_cross_origin?(current_uri, redirected_uri)
+      current_uri.scheme.to_s.downcase != redirected_uri.scheme.to_s.downcase ||
+        current_uri.host.to_s.downcase != redirected_uri.host.to_s.downcase ||
+        token_request_effective_port(current_uri) != token_request_effective_port(redirected_uri)
+    end
+
+    def token_request_effective_port(uri)
+      return uri.port if uri.port
+      return 443 if uri.scheme == "https"
+
+      80 if uri.scheme == "http"
+    end
+
     # Sign the Request object. Use this if you have an externally generated http request object you want to sign.
     def sign!(request, token = nil, request_options = {})
       request.oauth!(http, self, token, options.merge(request_options))

data/lib/oauth/signature/base.rb

@@ -9,11 +9,11 @@ module OAuth
   module Signature
     # Base class for OAuth signature implementations.
     #
-    # Includes {Auth::Sanitizer::FilteredAttributes} so inspect output redacts
+    # Includes {OAuth::AUTH_SANITIZER::FilteredAttributes} so inspect output redacts
     # secret-bearing fields captured during signature construction.
     class Base
       include OAuth::Helper
-      include Auth::Sanitizer::FilteredAttributes
+      include OAuth::AUTH_SANITIZER::FilteredAttributes
 
       # Signature construction options.
       #

data/lib/oauth/tokens/token.rb

@@ -3,12 +3,12 @@
 module OAuth
   # Superclass for the various tokens used by OAuth.
   #
-  # Includes {Auth::Sanitizer::FilteredAttributes} so inspect output redacts the
+  # Includes {OAuth::AUTH_SANITIZER::FilteredAttributes} so inspect output redacts the
   # token value and token secret while leaving object identity and non-sensitive
   # fields visible.
   class Token
     include OAuth::Helper
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     # Token attributes.
     #

data/lib/oauth/version.rb

@@ -2,7 +2,7 @@
 
 module OAuth
   module Version
-    VERSION = "1.1.4"
+    VERSION = "1.1.6"
   end
   VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
 # third party gems
-require "auth/sanitizer"
 require "snaky_hash"
 require "version_gem"
+require_relative "oauth/version"
 
 require "oauth/version"
+require "oauth/auth_sanitizer"
 
 require "oauth/oauth"
 

data/sig/oauth/consumer.rbs

@@ -1,6 +1,6 @@
 module OAuth
   class Consumer
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     attr_accessor options: untyped
     attr_accessor key: untyped

data/sig/oauth/signature/base.rbs

@@ -1,7 +1,7 @@
 module OAuth
   module Signature
     class Base
-      include Auth::Sanitizer::FilteredAttributes
+      include OAuth::AUTH_SANITIZER::FilteredAttributes
 
       attr_accessor options: untyped
       attr_reader token_secret: untyped

data/sig/oauth/tokens/token.rbs

@@ -1,6 +1,6 @@
 module OAuth
   class Token
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     attr_accessor token: untyped
     attr_accessor secret: untyped

data/sig/oauth/version.rbs

@@ -0,0 +1,6 @@
+module OAuth
+  module Version
+    VERSION: String
+  end
+  VERSION: String
+end