oauth2 2.0.21 → 2.0.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/CHANGELOG.md +20 -1
- data/README.md +1 -1
- data/lib/oauth2/client.rb +33 -2
- data/lib/oauth2/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +10 -10
- metadata.gz.sig +0 -0
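--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7964123b20cd2a456b4207c27b2695bbe8e46b30efdafc01731bdf97038fd58e
+data.tar.gz: 908001fb4aa70279ee6384a0de5fefb43bf3c8b64466e5df248f244b353a270c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 772d189a481bf1329bcbb0443f98ce2feefefcc77387dad7d8f6128ebd2139a29fc0c2410721394aec5bcece3f786b980c33eba6acc0fe6ecd1c4366308dc0fb
+data.tar.gz: 959412178a6d2b37902c1b91a7e3b8c688dc1142dc118e56752ddaf0fdc99c06017d297d96ccfd0b37bca1dc2308c441050b40b64f06d31a815c6f5df7c91d0d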
checksums.yaml.gz.sig
Binary file
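--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -30,6 +30,23 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.0.22] - 2026-06-07
+
+- TAG: [v2.0.22][2.0.22t]
+- COVERAGE: 100.00% -- 542/542 lines in 15 files
+- BRANCH COVERAGE: 100.00% -- 180/180 branches in 15 files
+- 88.35% documented
+
+### Changed
+
+- Raised generated development tooling floors to `kettle-dev` >= 2.1.1 and
+`version_gem` >= 1.1.11.
+- Raised the runtime dependency floor for `snaky_hash` to `>= 2.0.5`.
+
+### Security
+
+- [GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect `Location` values from changing request authority, and strip `Authorization` headers from cross-origin redirects.
+
 ## [2.0.21] - 2026-06-06
 
 - TAG: [v2.0.21][2.0.21t]
@@ -846,7 +863,9 @@ Please file a bug if you notice a violation of semantic versioning.
 
 [gemfiles/readme]: gemfiles/README.md
 
-[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.
+[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.22...HEAD
+[2.0.22]: https://github.com/ruby-oauth/oauth2/compare/v2.0.21...v2.0.22
+[2.0.22t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.22
 [2.0.21]: https://github.com/ruby-oauth/oauth2/compare/v2.0.20...v2.0.21
 [2.0.21t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.21
 [2.0.20]: https://github.com/ruby-oauth/oauth2/compare/v2.0.19...v2.0.20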
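--- a/data/README.md
+++ b/data/README.md
@@ -1086,7 +1086,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.542-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: https://github.com/ruby-oauth/oauth2/blob/main/SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year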
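--- a/data/lib/oauth2/client.rb
+++ b/data/lib/oauth2/client.rb
@@ -159,8 +159,9 @@ module OAuth2
 end
 location = response.headers["location"]
 if location
-
-
+current_location = response.response.env.url
+full_location = resolve_redirect_location(current_location, location)
+request(verb, full_location, sanitize_redirect_options(req_opts, current_location, full_location))
 else
 error = Error.new(response)
 raise(error, "Got #{status} status code, but no Location header was present")
@@ -465,6 +466,36 @@ module OAuth2
 Response.new(response, parse: parse, snaky: snaky)
 end
 
+def resolve_redirect_location(current_location, location)
+safe_location =
+if location.respond_to?(:start_with?) && location.start_with?("//")
+"./#{location}"
+else
+location
+end
+
+current_location.merge(safe_location)
+end
+
+def sanitize_redirect_options(req_opts, current_location, next_location)
+return req_opts unless cross_origin_redirect?(current_location, next_location)
+
+headers = req_opts[:headers]
+return req_opts unless headers && headers.any? { |key, _value| key.to_s.casecmp("Authorization").zero? }
+
+safe_opts = req_opts.dup
+safe_headers = headers.dup
+safe_headers.delete_if { |key, _value| key.to_s.casecmp("Authorization").zero? }
+safe_opts[:headers] = safe_headers
+safe_opts
+end
+
+def cross_origin_redirect?(current_location, next_location)
+current_location.scheme != next_location.scheme ||
+current_location.host != next_location.host ||
+current_location.port != next_location.port
+end
+
 # Returns the authenticator object
 #
 # @return [Authenticator] the initialized Authenticator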
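Review bot: The three helpers added at new lines 469–497 (`resolve_redirect_location`, `sanitize_redirect_options`, `cross_origin_redirect?`) carry no YARD comments, although the method documented at new line 499 has them and the changelog reports documentation coverage; a short header on each, e.g. `# @return [URI] the absolute redirect target, resolved against the current request URL; a protocol-relative Location ("//host/…") is forced onto the current authority`, would record the intent behind the `"./#{location}"` prefix, which is not obvious from the code alone. The Authorization-key predicate is written out twice, on new lines 484 and 488; a private `authorization_header?(key)` returning `key.to_s.casecmp("Authorization").zero?` would keep the two in step. `sanitize_redirect_options` touches only `req_opts[:headers]`, so anything carried in `req_opts[:body]` is forwarded to the new origin unchanged — the enclosing `request` method starts outside the hunk, so I cannot tell what the body may hold; a one-line comment stating that only the header is scrubbed would make that boundary explicit. Indentation is not recoverable from this rendered page, so whether these helpers sit below a `private` marker cannot be confirmed; if they are public, `private :resolve_redirect_location, :sanitize_redirect_options, :cross_origin_redirect?` is warranted.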
data/lib/oauth2/version.rb
data.tar.gz.sig
Binary file
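--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.22
 platform: ruby
 authors:
 - Peter Boling
@@ -156,7 +156,7 @@ dependencies:
 version: '2.0'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.5
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -166,7 +166,7 @@ dependencies:
 version: '2.0'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.5
 - !ruby/object:Gem::Dependency
 name: version_gem
 requirement: !ruby/object:Gem::Requirement
@@ -176,7 +176,7 @@ dependencies:
 version: '1.1'
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.1.
+version: 1.1.11
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -186,7 +186,7 @@ dependencies:
 version: '1.1'
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.1.
+version: 1.1.11
 - !ruby/object:Gem::Dependency
 name: kettle-dev
 requirement: !ruby/object:Gem::Requirement
@@ -196,7 +196,7 @@ dependencies:
 version: '2.1'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.1.
+version: 2.1.1
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -206,7 +206,7 @@ dependencies:
 version: '2.1'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.1.
+version: 2.1.1
 - !ruby/object:Gem::Dependency
 name: bundler-audit
 requirement: !ruby/object:Gem::Requirement
@@ -502,10 +502,10 @@ licenses:
 - MIT
 metadata:
 homepage_uri: https://oauth2.galtzo.com
-source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.
-changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.
+source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.22
+changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.22/CHANGELOG.md
 bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
-documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.
+documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.22
 funding_uri: https://github.com/sponsors/pboling
 wiki_uri: https://github.com/ruby-oauth/oauth2/wiki
 news_uri: https://www.railsbling.com/tags/oauth2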
metadata.gz.sig
Binary file