oauth2 2.0.20 → 2.0.23

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version  | Supported |
 |----------|-----------|
-| 1.latest | ✅         |
+| 2.0.latest | ✅         |
 
 ## Security contact information
 
@@ -12,8 +12,6 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP].
-
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -21,4 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-[IRP]: IRP.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/oauth2/access_token.rb

@@ -68,13 +68,7 @@ module OAuth2
         end
         # :nocov:
         # TODO: Get rid of this branching logic when dropping Hashie < v3.2
-        token = if !defined?(Hashie::VERSION) # i.e. <= "1.1.0"; the first Hashie to ship with a VERSION constant
-          warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
-          # There is a bug in Hashie v0, which is accounts for.
-          fresh.delete(t_key) || fresh[t_key] || ""
-        else
-          fresh.delete(t_key) || ""
-        end
+        token = extract_token_value(fresh, t_key)
         # :nocov:
         new(client, token, fresh)
       end
@@ -108,6 +102,17 @@ Custom token_name (#{key}) is not found in (#{hash.keys})
 You may need to set `snaky: false`. See inline documentation for more info.
         ])
       end
+
+      # :nocov:
+      def extract_token_value(fresh, key)
+        token_value = fresh.delete(key)
+        return token_value || "" if defined?(Hashie::VERSION)
+
+        warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
+        # There is a bug in Hashie v0, which this accounts for.
+        token_value || fresh[key] || ""
+      end
+      # :nocov:
     end
 
     # Initialize an AccessToken
@@ -305,8 +310,8 @@ You may need to set `snaky: false`. See inline documentation for more info.
       # TODO: Switch when dropping Ruby < 2.5 support
       # params.transform_keys(&:to_sym) # Ruby 2.5 only
       # Old Ruby transform_keys alternative:
-      sheesh = @params.each_with_object({}) { |(k, v), memo|
-        memo[k.to_sym] = v
+      sheesh = @params.each_with_object({}) { |(key, value), memo|
+        memo[key.to_sym] = value
       }
       sheesh.merge(hsh)
     end
@@ -375,6 +380,7 @@ You may need to set `snaky: false`. See inline documentation for more info.
 
     def configure_authentication!(opts, verb)
       mode_opt = options[:mode]
+      param_name = options[:param_name]
       mode =
         if mode_opt.respond_to?(:call)
           mode_opt.call(verb)
@@ -388,19 +394,19 @@ You may need to set `snaky: false`. See inline documentation for more info.
 
       case mode
       when :header
-        opts[:headers] ||= {}
-        opts[:headers].merge!(headers)
+        request_headers = opts[:headers] ||= {}
+        request_headers.merge!(headers)
       when :query
         # OAuth 2.1 note: Bearer tokens in the query string are omitted from the spec due to security risks.
         # Prefer the default :header mode whenever possible.
-        opts[:params] ||= {}
-        opts[:params][options[:param_name]] = token
+        request_params = opts[:params] ||= {}
+        request_params[param_name] = token
       when :body
-        opts[:body] ||= {}
-        if opts[:body].is_a?(Hash)
-          opts[:body][options[:param_name]] = token
+        request_body = opts[:body] ||= {}
+        if request_body.is_a?(Hash)
+          request_body[param_name] = token
         else
-          opts[:body] += "&#{options[:param_name]}=#{token}"
+          opts[:body] = "#{request_body}&#{param_name}=#{token}"
         end
         # @todo support for multi-part (file uploads)
       else

data/lib/oauth2/auth_sanitizer.rb

@@ -2,7 +2,7 @@
 
 module OAuth2
   AUTH_SANITIZER = begin
-    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.1", ">= 0.1.3")
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.2", ">= 0.2.1")
     auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
     unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
       # :nocov:
@@ -12,7 +12,7 @@ module OAuth2
 
     auth_sanitizer_loader_path = File.join(
       auth_sanitizer_spec.full_gem_path,
-      "lib/auth_sanitizer/loader.rb",
+      "lib/auth_sanitizer/loader.rb"
     )
     unless File.file?(auth_sanitizer_loader_path)
       # :nocov:
@@ -25,7 +25,7 @@ module OAuth2
     auth_sanitizer_loader_namespace.module_eval(
       File.read(auth_sanitizer_loader_path),
       auth_sanitizer_loader_path,
-      1,
+      1
     )
 
     auth_sanitizer_loader_namespace.

data/lib/oauth2/client.rb

@@ -86,8 +86,9 @@ module OAuth2
       @connection ||=
         Faraday.new(site, options[:connection_opts]) do |builder|
           oauth_debug_logging(builder)
-          if options[:connection_build]
-            options[:connection_build].call(builder)
+          connection_build = options[:connection_build]
+          if connection_build
+            connection_build.call(builder)
           else
             builder.request(:url_encoded)             # form-encode POST params
             builder.adapter(Faraday.default_adapter)  # make requests with Net::HTTP
@@ -149,9 +150,9 @@ module OAuth2
 
       case status
       when 301, 302, 303, 307
-        req_opts[:redirect_count] ||= 0
-        req_opts[:redirect_count] += 1
-        return response if req_opts[:redirect_count] > options[:max_redirects]
+        redirect_count = (req_opts[:redirect_count] || 0).to_i + 1
+        req_opts[:redirect_count] = redirect_count
+        return response if redirect_count > options[:max_redirects]
 
         if status == 303
           verb = :get
@@ -159,8 +160,9 @@ module OAuth2
         end
         location = response.headers["location"]
         if location
-          full_location = response.response.env.url.merge(location)
-          request(verb, full_location, req_opts)
+          current_location = response.response.env.url
+          full_location = resolve_redirect_location(current_location, location)
+          request(verb, full_location, sanitize_redirect_options(req_opts, current_location, full_location))
         else
           error = Error.new(response)
           raise(error, "Got #{status} status code, but no Location header was present")
@@ -337,8 +339,9 @@ module OAuth2
     #
     # @return [Hash] the params to add to a request or URL
     def redirection_params
-      if options[:redirect_uri]
-        {"redirect_uri" => options[:redirect_uri]}
+      redirect_uri = options[:redirect_uri]
+      if redirect_uri
+        {"redirect_uri" => redirect_uri}
       else
         {}
       end
@@ -445,18 +448,18 @@ module OAuth2
       url = connection.build_url(url).to_s
       # See: Hash#partition https://bugs.ruby-lang.org/issues/16252
       req_opts, oauth_opts = opts.
-        partition { |k, _v| RESERVED_REQ_KEYS.include?(k.to_s) }.
-        map { |p| Hash[p] }
+        partition { |key, _value| RESERVED_REQ_KEYS.include?(key.to_s) }.
+        map(&:to_h)
 
       begin
         response = connection.run_request(verb, url, req_opts[:body], req_opts[:headers]) do |req|
           req.params.update(req_opts[:params]) if req_opts[:params]
           yield(req) if block_given?
         end
-      rescue Faraday::ConnectionFailed => e
-        raise ConnectionError, e
-      rescue Faraday::TimeoutError => e
-        raise TimeoutError, e
+      rescue Faraday::ConnectionFailed => exception
+        raise ConnectionError, exception
+      rescue Faraday::TimeoutError => exception
+        raise TimeoutError, exception
       end
 
       parse = oauth_opts.key?(:parse) ? oauth_opts.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
@@ -465,6 +468,49 @@ module OAuth2
       Response.new(response, parse: parse, snaky: snaky)
     end
 
+    def resolve_redirect_location(current_location, location)
+      return protocol_relative_redirect_location(current_location, location) if location.respond_to?(:start_with?) && location.start_with?("//")
+
+      current_location.merge(location)
+    end
+
+    def protocol_relative_redirect_location(current_location, location)
+      protocol_relative_location = URI.parse(location)
+      authority = +""
+      authority << "#{protocol_relative_location.userinfo}@" if protocol_relative_location.userinfo
+      authority << protocol_relative_location.host.to_s
+      authority << ":#{protocol_relative_location.port}" if protocol_relative_location.port
+
+      current_location.dup.tap do |safe_location|
+        safe_location.path = "///#{authority}#{protocol_relative_location.path}"
+        safe_location.query = protocol_relative_location.query if safe_location.respond_to?(:query=)
+        safe_location.fragment = protocol_relative_location.fragment if safe_location.respond_to?(:fragment=)
+      end
+    end
+
+    def sanitize_redirect_options(req_opts, current_location, next_location)
+      return req_opts unless cross_origin_redirect?(current_location, next_location)
+
+      headers = req_opts[:headers]
+      return req_opts unless headers && headers.any? { |key, _value| authorization_header?(key) }
+
+      safe_opts = req_opts.dup
+      safe_headers = headers.dup
+      safe_headers.delete_if { |key, _value| authorization_header?(key) }
+      safe_opts[:headers] = safe_headers
+      safe_opts
+    end
+
+    def authorization_header?(key)
+      key.to_s.casecmp("Authorization").zero?
+    end
+
+    def cross_origin_redirect?(current_location, next_location)
+      current_location.scheme != next_location.scheme ||
+        current_location.host != next_location.host ||
+        current_location.port != next_location.port
+    end
+
     # Returns the authenticator object
     #
     # @return [Authenticator] the initialized Authenticator
@@ -563,15 +609,18 @@ module OAuth2
     end
 
     def oauth_debug_logging(builder)
-      builder.response(
-        :logger,
-        OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
-          options[:logger],
-          filtered_keys: OAuth2.config[:filtered_debug_keys],
-          label: OAuth2.config[:filtered_label],
-        ),
-        bodies: true,
-      ) if OAuth2::OAUTH_DEBUG
+      if OAuth2::OAUTH_DEBUG
+        config = OAuth2.config
+        builder.response(
+          :logger,
+          OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
+            options[:logger],
+            filtered_keys: config[:filtered_debug_keys],
+            label: config[:filtered_label]
+          ),
+          bodies: true
+        )
+      end
     end
   end
 end

data/lib/oauth2/error.rb

@@ -20,9 +20,10 @@ module OAuth2
       @code = nil
       @description = nil
       if response.respond_to?(:parsed)
-        if response.parsed.is_a?(Hash)
-          @code = response.parsed["error"]
-          @description = response.parsed["error_description"]
+        parsed_response = response.parsed
+        if parsed_response.is_a?(Hash)
+          @code = parsed_response["error"]
+          @description = parsed_response["error_description"]
         end
       elsif response.is_a?(Hash)
         @code = response["error"]
@@ -46,11 +47,12 @@ module OAuth2
     # @return [String] Message suitable for StandardError
     def error_message(response_body, opts = {})
       lines = []
+      error_description = opts[:error_description]
 
-      lines << opts[:error_description] if opts[:error_description]
+      lines << error_description if error_description
 
-      error_string = if response_body.respond_to?(:encode) && opts[:error_description].respond_to?(:encoding)
-        script_encoding = opts[:error_description].encoding
+      error_string = if response_body.respond_to?(:encode) && error_description.respond_to?(:encoding)
+        script_encoding = error_description.encoding
         response_body.encode(script_encoding, invalid: :replace, undef: :replace)
       else
         response_body

data/lib/oauth2/response.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "set"
 require "multi_xml"
 require "rack"
 
@@ -108,15 +109,16 @@ module OAuth2
     def parsed
       return @parsed if defined?(@parsed)
 
+      response_parser = parser
       @parsed =
-        if parser.respond_to?(:call)
-          case parser.arity
+        if response_parser.respond_to?(:call)
+          case response_parser.arity
           when 0
-            parser.call
+            response_parser.call
           when 1
-            parser.call(body)
+            response_parser.call(body)
           else
-            parser.call(body, response)
+            response_parser.call(body, response)
           end
         end
 
@@ -132,9 +134,10 @@ module OAuth2
     #
     # @return [String, nil] The content type or nil if headers are not present
     def content_type
-      return unless response.headers
+      response_headers = response.headers
+      return unless response_headers
 
-      ((response.headers.values_at("content-type", "Content-Type").compact.first || "").split(";").first || "").strip.downcase
+      ((response_headers.values_at("content-type", "Content-Type").compact.first || "").split(";").first || "").strip.downcase
     end
 
     # Determines the parser to be used for the response body
@@ -154,11 +157,12 @@ module OAuth2
     def parser
       return @parser if defined?(@parser)
 
+      parse_option = options[:parse]
       @parser =
-        if options[:parse].respond_to?(:call)
-          options[:parse]
-        elsif options[:parse]
-          @@parsers[options[:parse].to_sym]
+        if parse_option.respond_to?(:call)
+          parse_option
+        elsif parse_option
+          @@parsers[parse_option.to_sym]
         end
 
       @parser ||= @@parsers[@@content_types[content_type]]
@@ -171,7 +175,7 @@ end
 OAuth2::Response.register_parser(:xml, ["text/xml", "application/rss+xml", "application/rdf+xml", "application/atom+xml", "application/xml"]) do |body|
   next body unless body.respond_to?(:to_str)
 
-  MultiXml.parse(body)
+  (defined?(MultiXML) ? MultiXML : MultiXml).parse(body)
 end
 
 # Register JSON parser

data/lib/oauth2/version.rb

@@ -2,7 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.20"
+    VERSION = "2.0.23"
   end
   VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth2.rb

@@ -67,7 +67,7 @@ module OAuth2
       assertion
       code_verifier
       token
-    ],
+    ]
   )
 
   # The current runtime configuration for the library.

data/sig/oauth2/version.rbs

@@ -2,4 +2,5 @@ module OAuth2
   module Version
     VERSION: String
   end
+  VERSION: String
 end