oauth2 2.0.19 → 2.0.22

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version  | Supported |
 |----------|-----------|
-| 1.latest | ✅         |
+| 2.0.latest | ✅         |
 
 ## Security contact information
 
@@ -12,8 +12,6 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP].
-
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -21,4 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-[IRP]: IRP.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/oauth2/auth_sanitizer.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module OAuth2
+  AUTH_SANITIZER = begin
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.2", ">= 0.2.1")
+    auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
+    unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
+      # :nocov:
+      auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_path = File.join(
+      auth_sanitizer_spec.full_gem_path,
+      "lib/auth_sanitizer/loader.rb"
+    )
+    unless File.file?(auth_sanitizer_loader_path)
+      # :nocov:
+      raise LoadError, "oauth2 requires auth-sanitizer #{auth_sanitizer_requirement}; " \
+        "loader not found at #{auth_sanitizer_loader_path}"
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_namespace = Module.new
+    auth_sanitizer_loader_namespace.module_eval(
+      File.read(auth_sanitizer_loader_path),
+      auth_sanitizer_loader_path,
+      1
+    )
+
+    auth_sanitizer_loader_namespace.
+      const_get(:AuthSanitizer).
+      const_get(:Loader).
+      load_isolated
+  end
+end

data/lib/oauth2/client.rb

@@ -42,7 +42,7 @@ module OAuth2
     # @option options [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday
     # @option options [Boolean] :raise_errors (true) whether to raise an OAuth2::Error on responses with 400+ status codes
     # @option options [Integer] :max_redirects (5) maximum number of redirects to follow
-    # @option options [Logger] :logger (::Logger.new($stdout)) Logger instance for HTTP request/response output; requires OAUTH_DEBUG to be true. When debug logging is enabled, sensitive values are filtered using {Auth::Sanitizer::SanitizedLogger} initialized from `OAuth2.config[:filtered_label]` and the key names in `OAuth2.config[:filtered_debug_keys]`.
+    # @option options [Logger] :logger (::Logger.new($stdout)) Logger instance for HTTP request/response output; requires OAUTH_DEBUG to be true. When debug logging is enabled, sensitive values are filtered using {OAuth2::AUTH_SANITIZER::SanitizedLogger} initialized from `OAuth2.config[:filtered_label]` and the key names in `OAuth2.config[:filtered_debug_keys]`.
     # @option options [Class] :access_token_class (AccessToken) class to use for access tokens; you can subclass OAuth2::AccessToken, @version 2.0+
     # @option options [Hash] :ssl SSL options for Faraday
     #
@@ -159,8 +159,9 @@ module OAuth2
         end
         location = response.headers["location"]
         if location
-          full_location = response.response.env.url.merge(location)
-          request(verb, full_location, req_opts)
+          current_location = response.response.env.url
+          full_location = resolve_redirect_location(current_location, location)
+          request(verb, full_location, sanitize_redirect_options(req_opts, current_location, full_location))
         else
           error = Error.new(response)
           raise(error, "Got #{status} status code, but no Location header was present")
@@ -446,7 +447,7 @@ module OAuth2
       # See: Hash#partition https://bugs.ruby-lang.org/issues/16252
       req_opts, oauth_opts = opts.
         partition { |k, _v| RESERVED_REQ_KEYS.include?(k.to_s) }.
-        map { |p| Hash[p] }
+        map(&:to_h)
 
       begin
         response = connection.run_request(verb, url, req_opts[:body], req_opts[:headers]) do |req|
@@ -465,6 +466,36 @@ module OAuth2
       Response.new(response, parse: parse, snaky: snaky)
     end
 
+    def resolve_redirect_location(current_location, location)
+      safe_location =
+        if location.respond_to?(:start_with?) && location.start_with?("//")
+          "./#{location}"
+        else
+          location
+        end
+
+      current_location.merge(safe_location)
+    end
+
+    def sanitize_redirect_options(req_opts, current_location, next_location)
+      return req_opts unless cross_origin_redirect?(current_location, next_location)
+
+      headers = req_opts[:headers]
+      return req_opts unless headers && headers.any? { |key, _value| key.to_s.casecmp("Authorization").zero? }
+
+      safe_opts = req_opts.dup
+      safe_headers = headers.dup
+      safe_headers.delete_if { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      safe_opts[:headers] = safe_headers
+      safe_opts
+    end
+
+    def cross_origin_redirect?(current_location, next_location)
+      current_location.scheme != next_location.scheme ||
+        current_location.host != next_location.host ||
+        current_location.port != next_location.port
+    end
+
     # Returns the authenticator object
     #
     # @return [Authenticator] the initialized Authenticator
@@ -563,15 +594,17 @@ module OAuth2
     end
 
     def oauth_debug_logging(builder)
-      builder.response(
-        :logger,
-        Auth::Sanitizer::SanitizedLogger.new(
-          options[:logger],
-          filtered_keys: OAuth2.config[:filtered_debug_keys],
-          label: OAuth2.config[:filtered_label],
-        ),
-        bodies: true,
-      ) if OAuth2::OAUTH_DEBUG
+      if OAuth2::OAUTH_DEBUG
+        builder.response(
+          :logger,
+          OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
+            options[:logger],
+            filtered_keys: OAuth2.config[:filtered_debug_keys],
+            label: OAuth2.config[:filtered_label]
+          ),
+          bodies: true
+        )
+      end
     end
   end
 end

data/lib/oauth2/filtered_attributes.rb

@@ -1,13 +1,10 @@
 # frozen_string_literal: true
 
 module OAuth2
-  # Permanent alias for {Auth::Sanitizer::FilteredAttributes}.
+  # Permanent alias for {OAuth2::AUTH_SANITIZER::FilteredAttributes}.
   #
   # This constant is intentionally kept in the `OAuth2` namespace because it
   # was part of the public API before the implementation was extracted into the
   # `auth-sanitizer` gem.  It will **not** be deprecated or removed.
-  #
-  # New code that does not need the `OAuth2::` namespace can use
-  # {Auth::Sanitizer::FilteredAttributes} directly.
-  FilteredAttributes = Auth::Sanitizer::FilteredAttributes
+  FilteredAttributes = OAuth2::AUTH_SANITIZER::FilteredAttributes
 end

data/lib/oauth2/version.rb

@@ -2,6 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.19"
+    VERSION = "2.0.22"
   end
+  VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth2.rb

@@ -5,12 +5,12 @@ require "cgi/escape"
 require "time"
 
 # third party gems
-require "auth/sanitizer"
 require "snaky_hash"
 require "version_gem"
 
 # includes gem files
 require_relative "oauth2/version"
+require_relative "oauth2/auth_sanitizer"
 require_relative "oauth2/filtered_attributes"
 require_relative "oauth2/error"
 require_relative "oauth2/authenticator"
@@ -67,7 +67,7 @@ module OAuth2
       assertion
       code_verifier
       token
-    ],
+    ]
   )
 
   # The current runtime configuration for the library.
@@ -92,10 +92,10 @@ module OAuth2
   end
 end
 
-# Wire Auth::Sanitizer's label provider to read from OAuth2.config so that
-# FilteredAttributes-bearing objects and Auth::Sanitizer::SanitizedLogger instances
+# Wire OAuth2::AUTH_SANITIZER's label provider to read from OAuth2.config so that
+# FilteredAttributes-bearing objects and OAuth2::AUTH_SANITIZER::SanitizedLogger instances
 # pick up OAuth2.config[:filtered_label] at their initialization time.
-Auth::Sanitizer.filtered_label_provider = -> { OAuth2.config[:filtered_label] }
+OAuth2::AUTH_SANITIZER.filtered_label_provider = -> { OAuth2.config[:filtered_label] }
 
 # Extend OAuth2::Version with VersionGem helpers to provide semantic version helpers.
 OAuth2::Version.class_eval do

data/sig/oauth2/version.rbs

@@ -2,4 +2,5 @@ module OAuth2
   module Version
     VERSION: String
   end
+  VERSION: String
 end