oauth2 2.0.20 → 2.0.22

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version  | Supported |
 |----------|-----------|
-| 1.latest | ✅         |
+| 2.0.latest | ✅         |
 
 ## Security contact information
 
@@ -12,8 +12,6 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP].
-
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -21,4 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-[IRP]: IRP.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/oauth2/auth_sanitizer.rb

@@ -2,7 +2,7 @@
 
 module OAuth2
   AUTH_SANITIZER = begin
-    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.1", ">= 0.1.3")
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.2", ">= 0.2.1")
     auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
     unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
       # :nocov:
@@ -12,7 +12,7 @@ module OAuth2
 
     auth_sanitizer_loader_path = File.join(
       auth_sanitizer_spec.full_gem_path,
-      "lib/auth_sanitizer/loader.rb",
+      "lib/auth_sanitizer/loader.rb"
     )
     unless File.file?(auth_sanitizer_loader_path)
       # :nocov:
@@ -25,7 +25,7 @@ module OAuth2
     auth_sanitizer_loader_namespace.module_eval(
       File.read(auth_sanitizer_loader_path),
       auth_sanitizer_loader_path,
-      1,
+      1
     )
 
     auth_sanitizer_loader_namespace.

data/lib/oauth2/client.rb

@@ -159,8 +159,9 @@ module OAuth2
         end
         location = response.headers["location"]
         if location
-          full_location = response.response.env.url.merge(location)
-          request(verb, full_location, req_opts)
+          current_location = response.response.env.url
+          full_location = resolve_redirect_location(current_location, location)
+          request(verb, full_location, sanitize_redirect_options(req_opts, current_location, full_location))
         else
           error = Error.new(response)
           raise(error, "Got #{status} status code, but no Location header was present")
@@ -446,7 +447,7 @@ module OAuth2
       # See: Hash#partition https://bugs.ruby-lang.org/issues/16252
       req_opts, oauth_opts = opts.
         partition { |k, _v| RESERVED_REQ_KEYS.include?(k.to_s) }.
-        map { |p| Hash[p] }
+        map(&:to_h)
 
       begin
         response = connection.run_request(verb, url, req_opts[:body], req_opts[:headers]) do |req|
@@ -465,6 +466,36 @@ module OAuth2
       Response.new(response, parse: parse, snaky: snaky)
     end
 
+    def resolve_redirect_location(current_location, location)
+      safe_location =
+        if location.respond_to?(:start_with?) && location.start_with?("//")
+          "./#{location}"
+        else
+          location
+        end
+
+      current_location.merge(safe_location)
+    end
+
+    def sanitize_redirect_options(req_opts, current_location, next_location)
+      return req_opts unless cross_origin_redirect?(current_location, next_location)
+
+      headers = req_opts[:headers]
+      return req_opts unless headers && headers.any? { |key, _value| key.to_s.casecmp("Authorization").zero? }
+
+      safe_opts = req_opts.dup
+      safe_headers = headers.dup
+      safe_headers.delete_if { |key, _value| key.to_s.casecmp("Authorization").zero? }
+      safe_opts[:headers] = safe_headers
+      safe_opts
+    end
+
+    def cross_origin_redirect?(current_location, next_location)
+      current_location.scheme != next_location.scheme ||
+        current_location.host != next_location.host ||
+        current_location.port != next_location.port
+    end
+
     # Returns the authenticator object
     #
     # @return [Authenticator] the initialized Authenticator
@@ -563,15 +594,17 @@ module OAuth2
     end
 
     def oauth_debug_logging(builder)
-      builder.response(
-        :logger,
-        OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
-          options[:logger],
-          filtered_keys: OAuth2.config[:filtered_debug_keys],
-          label: OAuth2.config[:filtered_label],
-        ),
-        bodies: true,
-      ) if OAuth2::OAUTH_DEBUG
+      if OAuth2::OAUTH_DEBUG
+        builder.response(
+          :logger,
+          OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
+            options[:logger],
+            filtered_keys: OAuth2.config[:filtered_debug_keys],
+            label: OAuth2.config[:filtered_label]
+          ),
+          bodies: true
+        )
+      end
     end
   end
 end

data/lib/oauth2/version.rb

@@ -2,7 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.20"
+    VERSION = "2.0.22"
   end
   VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth2.rb

@@ -67,7 +67,7 @@ module OAuth2
       assertion
       code_verifier
       token
-    ],
+    ]
   )
 
   # The current runtime configuration for the library.

data/sig/oauth2/version.rbs

@@ -2,4 +2,5 @@ module OAuth2
   module Version
     VERSION: String
   end
+  VERSION: String
 end