oauth2 2.0.18 → 2.0.22

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version  | Supported |
 |----------|-----------|
-| 1.latest | ✅         |
+| 2.0.latest | ✅         |
 
 ## Security contact information
 
@@ -12,8 +12,6 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP]
-
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -21,4 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-[IRP]: IRP.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/oauth2/access_token.rb

@@ -57,26 +57,23 @@ module OAuth2
       def from_hash(client, hash)
         fresh = hash.dup
         # If token_name is present, then use that key name
-        key =
-          if fresh.key?(:token_name)
-            t_key = fresh[:token_name]
-            no_tokens_warning(fresh, t_key)
-            t_key
-          else
-            # Otherwise, if one of the supported default keys is present, use whichever has precedence
-            supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
-            t_key = supported_keys[0]
-            extra_tokens_warning(supported_keys, t_key)
-            t_key
-          end
+        if fresh.key?(:token_name)
+          t_key = fresh[:token_name]
+          no_tokens_warning(fresh, t_key)
+        else
+          # Otherwise, if one of the supported default keys is present, use whichever has precedence
+          supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
+          t_key = supported_keys[0]
+          extra_tokens_warning(supported_keys, t_key)
+        end
         # :nocov:
         # TODO: Get rid of this branching logic when dropping Hashie < v3.2
         token = if !defined?(Hashie::VERSION) # i.e. <= "1.1.0"; the first Hashie to ship with a VERSION constant
           warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
           # There is a bug in Hashie v0, which is accounts for.
-          fresh.delete(key) || fresh[key] || ""
+          fresh.delete(t_key) || fresh[t_key] || ""
         else
-          fresh.delete(key) || ""
+          fresh.delete(t_key) || ""
         end
         # :nocov:
         new(client, token, fresh)

data/lib/oauth2/auth_sanitizer.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module OAuth2
+  AUTH_SANITIZER = begin
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.2", ">= 0.2.1")
+    auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
+    unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
+      # :nocov:
+      auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_path = File.join(
+      auth_sanitizer_spec.full_gem_path,
+      "lib/auth_sanitizer/loader.rb"
+    )
+    unless File.file?(auth_sanitizer_loader_path)
+      # :nocov:
+      raise LoadError, "oauth2 requires auth-sanitizer #{auth_sanitizer_requirement}; " \
+        "loader not found at #{auth_sanitizer_loader_path}"
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_namespace = Module.new
+    auth_sanitizer_loader_namespace.module_eval(
+      File.read(auth_sanitizer_loader_path),
+      auth_sanitizer_loader_path,
+      1
+    )
+
+    auth_sanitizer_loader_namespace.
+      const_get(:AuthSanitizer).
+      const_get(:Loader).
+      load_isolated
+  end
+end

data/lib/oauth2/authenticator.rb

@@ -51,13 +51,15 @@ module OAuth2
       end
     end
 
-    # Encodes a Basic Authorization header value for the provided credentials.
-    #
-    # @param [String] user The client identifier
-    # @param [String] password The client secret
-    # @return [String] The value to use for the Authorization header
-    def self.encode_basic_auth(user, password)
-      "Basic #{Base64.strict_encode64("#{user}:#{password}")}"
+    class << self
+      # Encodes a Basic Authorization header value for the provided credentials.
+      #
+      # @param [String] user The client identifier
+      # @param [String] password The client secret
+      # @return [String] The value to use for the Authorization header
+      def encode_basic_auth(user, password)
+        "Basic #{Base64.strict_encode64("#{user}:#{password}")}"
+      end
     end
 
   private

data/lib/oauth2/client.rb

@@ -42,7 +42,7 @@ module OAuth2
     # @option options [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday
     # @option options [Boolean] :raise_errors (true) whether to raise an OAuth2::Error on responses with 400+ status codes
     # @option options [Integer] :max_redirects (5) maximum number of redirects to follow
-    # @option options [Logger] :logger (::Logger.new($stdout)) Logger instance for HTTP request/response output; requires OAUTH_DEBUG to be true
+    # @option options [Logger] :logger (::Logger.new($stdout)) Logger instance for HTTP request/response output; requires OAUTH_DEBUG to be true. When debug logging is enabled, sensitive values are filtered using {OAuth2::AUTH_SANITIZER::SanitizedLogger} initialized from `OAuth2.config[:filtered_label]` and the key names in `OAuth2.config[:filtered_debug_keys]`.
     # @option options [Class] :access_token_class (AccessToken) class to use for access tokens; you can subclass OAuth2::AccessToken, @version 2.0+
     # @option options [Hash] :ssl SSL options for Faraday
     #
@@ -159,8 +159,9 @@ module OAuth2
         end
         location = response.headers["location"]
         if location
-          full_location = response.response.env.url.merge(location)
-          request(verb, full_location, req_opts)
+          current_location = response.response.env.url
+          full_location = resolve_redirect_location(current_location, location)
+          request(verb, full_location, sanitize_redirect_options(req_opts, current_location, full_location))
         else
           error = Error.new(response)
           raise(error, "Got #{status} status code, but no Location header was present")
@@ -446,7 +447,7 @@ module OAuth2
       # See: Hash#partition https://bugs.ruby-lang.org/issues/16252
       req_opts, oauth_opts = opts.
         partition { |k, _v| RESERVED_REQ_KEYS.include?(k.to_s) }.
-        map { |p| Hash[p] }
+        map(&:to_h)
 
       begin
         response = connection.run_request(verb, url, req_opts[:body], req_opts[:headers]) do |req|
@@ -465,6 +466,36 @@ module OAuth2
       Response.new(response, parse: parse, snaky: snaky)
     end
 
+    def resolve_redirect_location(current_location, location)
+      safe_location =
+        if location.respond_to?(:start_with?) && location.start_with?("//")
+          "./#{location}"
+        else
+          location
+        end
+
+      current_location.merge(safe_location)
+    end
+
+    def sanitize_redirect_options(req_opts, current_location, next_location)
+      return req_opts unless cross_origin_redirect?(current_location, next_location)
+
+      headers = req_opts[:headers]
+      return req_opts unless headers && headers.any? { |key, _value| key.to_s.casecmp("Authorization").zero? }
+
+      safe_opts = req_opts.dup
+      safe_headers = headers.dup
+      safe_headers.delete_if { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      safe_opts[:headers] = safe_headers
+      safe_opts
+    end
+
+    def cross_origin_redirect?(current_location, next_location)
+      current_location.scheme != next_location.scheme ||
+        current_location.host != next_location.host ||
+        current_location.port != next_location.port
+    end
+
     # Returns the authenticator object
     #
     # @return [Authenticator] the initialized Authenticator
@@ -563,7 +594,17 @@ module OAuth2
     end
 
     def oauth_debug_logging(builder)
-      builder.response(:logger, options[:logger], bodies: true) if OAuth2::OAUTH_DEBUG
+      if OAuth2::OAUTH_DEBUG
+        builder.response(
+          :logger,
+          OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
+            options[:logger],
+            filtered_keys: OAuth2.config[:filtered_debug_keys],
+            label: OAuth2.config[:filtered_label]
+          ),
+          bodies: true
+        )
+      end
     end
   end
 end

data/lib/oauth2/error.rb

@@ -17,6 +17,8 @@ module OAuth2
     # @param [OAuth2::Response, Hash, Object] response A Response or error payload
     def initialize(response)
       @response = response
+      @code = nil
+      @description = nil
       if response.respond_to?(:parsed)
         if response.parsed.is_a?(Hash)
           @code = response.parsed["error"]

data/lib/oauth2/filtered_attributes.rb

@@ -1,52 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
-  # Mixin that redacts sensitive instance variables in #inspect output.
+  # Permanent alias for {OAuth2::AUTH_SANITIZER::FilteredAttributes}.
   #
-  # Classes include this module and declare which attributes should be filtered
-  # using {.filtered_attributes}. Any instance variable name that includes one of
-  # those attribute names will be shown as [FILTERED] in the object's inspect.
-  module FilteredAttributes
-    # Hook invoked when the module is included. Extends the including class with
-    # class-level helpers.
-    #
-    # @param [Class] base The including class
-    # @return [void]
-    def self.included(base)
-      base.extend(ClassMethods)
-    end
-
-    # Class-level helpers for configuring filtered attributes.
-    module ClassMethods
-      # Declare attributes that should be redacted in inspect output.
-      #
-      # @param [Array<Symbol, String>] attributes One or more attribute names
-      # @return [void]
-      def filtered_attributes(*attributes)
-        @filtered_attribute_names = attributes.map(&:to_sym)
-      end
-
-      # The configured attribute names to filter.
-      #
-      # @return [Array<Symbol>]
-      def filtered_attribute_names
-        @filtered_attribute_names || []
-      end
-    end
-
-    # Custom inspect that redacts configured attributes.
-    #
-    # @return [String]
-    def inspect
-      filtered_attribute_names = self.class.filtered_attribute_names
-      return super if filtered_attribute_names.empty?
-
-      inspected_vars = instance_variables.map do |var|
-        if filtered_attribute_names.any? { |filtered_var| var.to_s.include?(filtered_var.to_s) }
-          "#{var}=[FILTERED]"
-        else
-          "#{var}=#{instance_variable_get(var).inspect}"
-        end
-      end
-      "#<#{self.class}:#{object_id} #{inspected_vars.join(", ")}>"
-    end
-  end
+  # This constant is intentionally kept in the `OAuth2` namespace because it
+  # was part of the public API before the implementation was extracted into the
+  # `auth-sanitizer` gem.  It will **not** be deprecated or removed.
+  FilteredAttributes = OAuth2::AUTH_SANITIZER::FilteredAttributes
 end

data/lib/oauth2/response.rb

@@ -43,18 +43,20 @@ module OAuth2
       "text/plain" => :text,
     }
 
-    # Adds a new content type parser.
-    #
-    # @param [Symbol] key A descriptive symbol key such as :json or :query
-    # @param [Array<String>, String] mime_types One or more mime types to which this parser applies
-    # @yield [String] Block that will be called to parse the response body
-    # @yieldparam [String] body The response body to parse
-    # @return [void]
-    def self.register_parser(key, mime_types, &block)
-      key = key.to_sym
-      @@parsers[key] = block
-      Array(mime_types).each do |mime_type|
-        @@content_types[mime_type] = key
+    class << self
+      # Adds a new content type parser.
+      #
+      # @param [Symbol] key A descriptive symbol key such as :json or :query
+      # @param [Array<String>, String] mime_types One or more mime types to which this parser applies
+      # @yield [String] Block that will be called to parse the response body
+      # @yieldparam [String] body The response body to parse
+      # @return [void]
+      def register_parser(key, mime_types, &block)
+        key = key.to_sym
+        @@parsers[key] = block
+        Array(mime_types).each do |mime_type|
+          @@content_types[mime_type] = key
+        end
       end
     end
 

data/lib/oauth2/version.rb

@@ -2,6 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.18"
+    VERSION = "2.0.22"
   end
+  VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth2.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 # includes modules from stdlib
-require "cgi"
+require "cgi/escape"
 require "time"
 
 # third party gems
@@ -10,6 +10,7 @@ require "version_gem"
 
 # includes gem files
 require_relative "oauth2/version"
+require_relative "oauth2/auth_sanitizer"
 require_relative "oauth2/filtered_attributes"
 require_relative "oauth2/error"
 require_relative "oauth2/authenticator"
@@ -43,38 +44,59 @@ module OAuth2
   #     config[:silence_no_tokens_warning] = false
   #   end
   #
+  # @example Customize filtered output markers and debug-log value filtering by key name
+  #   OAuth2.configure do |config|
+  #     config[:filtered_label] = "[REDACTED]"
+  #     config[:filtered_debug_keys] += ["client_assertion"]
+  #   end
+  #
+  # Existing objects and logger wrappers snapshot filtering configuration during
+  # initialization. Changing these config values later affects only newly
+  # initialized objects and debug loggers.
+  #
   # @return [SnakyHash::SymbolKeyed] A mutable Hash-like config with symbol keys
   DEFAULT_CONFIG = SnakyHash::SymbolKeyed.new(
     silence_extra_tokens_warning: true,
     silence_no_tokens_warning: true,
+    filtered_label: "[FILTERED]",
+    filtered_debug_keys: %w[
+      access_token
+      refresh_token
+      id_token
+      client_secret
+      assertion
+      code_verifier
+      token
+    ]
   )
 
   # The current runtime configuration for the library.
   #
   # @return [SnakyHash::SymbolKeyed]
-  @config = DEFAULT_CONFIG.dup
+  CONFIG = DEFAULT_CONFIG.dup
 
   class << self
-    # Access the current configuration.
+    def config
+      CONFIG
+    end
+
+    # Configure global library behavior.
     #
-    # Prefer using {OAuth2.configure} to mutate configuration.
+    # Yields the mutable configuration object so callers can update settings.
     #
-    # @return [SnakyHash::SymbolKeyed]
-    attr_reader :config
+    # @yieldparam [SnakyHash::SymbolKeyed] config the configuration object
+    # @return [void]
+    def configure
+      yield config
+    end
   end
-
-  # Configure global library behavior.
-  #
-  # Yields the mutable configuration object so callers can update settings.
-  #
-  # @yieldparam [SnakyHash::SymbolKeyed] config the configuration object
-  # @return [void]
-  def configure
-    yield @config
-  end
-  module_function :configure
 end
 
+# Wire OAuth2::AUTH_SANITIZER's label provider to read from OAuth2.config so that
+# FilteredAttributes-bearing objects and OAuth2::AUTH_SANITIZER::SanitizedLogger instances
+# pick up OAuth2.config[:filtered_label] at their initialization time.
+OAuth2::AUTH_SANITIZER.filtered_label_provider = -> { OAuth2.config[:filtered_label] }
+
 # Extend OAuth2::Version with VersionGem helpers to provide semantic version helpers.
 OAuth2::Version.class_eval do
   extend VersionGem::Basic

data/sig/oauth2/filtered_attributes.rbs

@@ -1,6 +1,11 @@
 module OAuth2
   module FilteredAttributes
+    module InitializerMethods
+      def initialize: (*untyped args) { () -> untyped } -> untyped
+    end
+
     def self.included: (untyped) -> untyped
-    def filtered_attributes: (*String) -> void
+    def filtered_attributes: (*(String | Symbol)) -> void
+    def thing_filter: () -> OAuth2::ThingFilter
   end
 end

data/sig/oauth2/sanitized_logger.rbs

@@ -0,0 +1,32 @@
+module OAuth2
+  class SanitizedLogger
+    def initialize: (untyped logger) -> void
+
+    def add: (untyped severity, ?untyped message, ?untyped progname) { () -> untyped } -> untyped
+    def <<: (String message) -> untyped
+    def debug: (?untyped progname) { () -> untyped } -> untyped
+    def info: (?untyped progname) { () -> untyped } -> untyped
+    def warn: (?untyped progname) { () -> untyped } -> untyped
+    def error: (?untyped progname) { () -> untyped } -> untyped
+    def fatal: (?untyped progname) { () -> untyped } -> untyped
+    def unknown: (?untyped progname) { () -> untyped } -> untyped
+    def close: () -> void
+    def formatter: () -> untyped
+    def formatter=: (untyped formatter) -> void
+    def level: () -> untyped
+    def level=: (untyped level) -> void
+    def progname: () -> untyped
+    def progname=: (untyped progname) -> void
+    def respond_to_missing?: (Symbol method_name, ?bool include_private) -> bool
+    def method_missing: (Symbol method_name, *untyped args) { () -> untyped } -> untyped
+
+    private
+
+    def log: (Symbol level, ?untyped progname) { () -> untyped } -> untyped
+    def sanitize: (untyped message) -> untyped
+    def thing_filter: () -> OAuth2::ThingFilter
+    def sanitize_authorization_header: (String message) -> String
+    def sanitize_json_pairs: (String message) -> String
+    def sanitize_form_and_query_pairs: (String message) -> String
+  end
+end

data/sig/oauth2/thing_filter.rbs

@@ -0,0 +1,10 @@
+module OAuth2
+  class ThingFilter
+    attr_reader things: Array[String]
+    attr_reader label: String
+
+    def initialize: (Enumerable[untyped] things, label: String) -> void
+    def filtered?: (untyped thing_name) -> bool
+    def pattern_source: () -> String
+  end
+end

data/sig/oauth2/version.rbs

@@ -2,4 +2,5 @@ module OAuth2
   module Version
     VERSION: String
   end
+  VERSION: String
 end