RubyGems - onebox - Versions diffs - 1.6.5 → 1.6.6 - Mend

onebox 1.6.5 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/onebox/engine/audio_onebox.rb +3 -2
data/lib/onebox/engine/image_onebox.rb +2 -2
data/lib/onebox/engine/video_onebox.rb +3 -2
data/lib/onebox/engine/whitelisted_generic_onebox.rb +2 -2
data/lib/onebox/helpers.rb +10 -1
data/lib/onebox/version.rb +1 -1
data/spec/lib/onebox/engine/audio_onebox_spec.rb +5 -1
data/spec/lib/onebox/engine/image_onebox_spec.rb +1 -1
data/spec/lib/onebox/engine/video_onebox_spec.rb +1 -1
data/spec/lib/onebox/helpers_spec.rb +22 -11
metadata +4 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d7ab04f20175f2f5178aeff589be9de5a3c6efbf
-  data.tar.gz: 30c66d325d2a5f48124dda00297da95373ff2a9e
+  metadata.gz: f6930d4a5a9ef64e464c152dbb2529f05a371575
+  data.tar.gz: ae19e58e8fda95f03a22501f5a4bfddb3727dfec
 SHA512:
-  metadata.gz: 4174a3df1a3af3bb4ef2c3e1604bd06102128d1ec8557bf8bef70f670f47e65015f3764cd49dfc4b6d1638d63f07cdbc1f79a267ca4208a88d66f8a560c2088e
-  data.tar.gz: bc7fcc8ecdf0b816f64f0ccd37a40841a37b0f0d8aa282fb5a7f3239e18a8929b8a3b321143373f33d5ad547eeccc9c6626a29adfbc6ed7c818d2d4a2cd1b317
+  metadata.gz: 090d8eed2fba3e8c9be2ad047439a061b44c8e9ac65c874007579cf1f5e2d1e6f950208cfc2c1e451772b11ff5818534e7745bde83e916f7e4aaa408c7121e01
+  data.tar.gz: 20c3b56077aa58cabd1ee7483f67d6436d678f4c5a246fa350f4d26c18faed50b1188a65d4a3bedfd44a1cbc45300f960b2e1d7d2fed3b2281b7f93938364268

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 1.6.6
+  * SECURITY: normalize url for audio/video oneboxes
 ## 1.5.64
   * Escape HTML entities in text when oneboxing Amazon URLs.

data/lib/onebox/engine/audio_onebox.rb CHANGED

@@ -3,14 +3,15 @@ module Onebox
     class AudioOnebox
       include Engine
-      matches_regexp /^(https?:)?\/\/.*\.(mp3|ogg|wav|m4a)(\?.*)?$/
+      matches_regexp(/^(https?:)?\/\/.*\.(mp3|ogg|wav|m4a)(\?.*)?$/i)
       def always_https?
         WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
       end
       def to_html
-        "<audio controls><source src='#{@url}'><a href='#{@url}'>#{@url}</a></audio>"
+        url = ::Onebox::Helpers.normalize_url_for_output(@url)
+        "<audio controls><source src='#{url}'><a href='#{url}'>#{url}</a></audio>"
       end
     end
   end

data/lib/onebox/engine/image_onebox.rb CHANGED

@@ -3,7 +3,7 @@ module Onebox
     class ImageOnebox
       include Engine
-      matches_regexp /^(https?:)?\/\/.+\.(png|jpg|jpeg|gif|bmp|tif|tiff)(\?.*)?$/i
+      matches_regexp(/^(https?:)?\/\/.+\.(png|jpg|jpeg|gif|bmp|tif|tiff)(\?.*)?$/i)
       def always_https?
         WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
@@ -15,7 +15,7 @@ module Onebox
           @url.gsub!("https://www.dropbox.com","https://dl.dropboxusercontent.com")
         end
-        escaped = url.gsub(/'/, "%27")
+        escaped = Onebox::Helpers.normalize_url_for_output(url)
         "<a href='#{escaped}' target='_blank'><img src='#{escaped}'></a>"
       end
     end

data/lib/onebox/engine/video_onebox.rb CHANGED

@@ -3,14 +3,15 @@ module Onebox
     class VideoOnebox
       include Engine
-      matches_regexp /^(https?:)?\/\/.*\.(mov|mp4|webm|ogv)(\?.*)?$/
+      matches_regexp(/^(https?:)?\/\/.*\.(mov|mp4|webm|ogv)(\?.*)?$/i)
       def always_https?
         WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
       end
       def to_html
-        "<video width='100%' height='100%' controls><source src='#{@url}'><a href='#{@url}'>#{@url}</a></video>"
+        url = ::Onebox::Helpers.normalize_url_for_output(@url)
+        "<video width='100%' height='100%' controls><source src='#{url}'><a href='#{url}'>#{url}</a></video>"
       end
     end
   end

data/lib/onebox/engine/whitelisted_generic_onebox.rb CHANGED

@@ -200,10 +200,10 @@ module Onebox
           html_entities = HTMLEntities.new
           d = { link: link }.merge(raw)
           if !Onebox::Helpers.blank?(d[:title])
-            d[:title] = html_entities.decode(Onebox::Helpers.truncate(d[:title]))
+            d[:title] = html_entities.decode(Onebox::Helpers.truncate(d[:title].strip, 80))
           end
           if !Onebox::Helpers.blank?(d[:description])
-            d[:description] = html_entities.decode(Onebox::Helpers.truncate(d[:description], 250))
+            d[:description] = html_entities.decode(Onebox::Helpers.truncate(d[:description].strip, 250))
           end
           d
         end

data/lib/onebox/helpers.rb CHANGED

@@ -65,11 +65,20 @@ module Onebox
     end
     def self.truncate(string, length = 50)
-      string.size > length ? string[0..length] + "..." : string
+      string.size > length ? string[0...(string.rindex(" ", length)||length)] + "..." : string
     end
     def self.title_attr(meta)
       (meta && !blank?(meta[:title])) ? "title='#{CGI.escapeHTML(meta[:title])}'" : ""
     end
+    def self.normalize_url_for_output(url)
+      url = url.dup
+      # expect properly encoded url, remove any unsafe chars
+      url.gsub!(/[^a-zA-Z0-9%\-`._~:\/?#\[\]@!$&'\(\)*+,;=]/, "")
+      url.gsub!("'", "&quot;")
+      url
+    end
   end
 end

data/lib/onebox/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Onebox
-  VERSION = "1.6.5"
+  VERSION = "1.6.6"
 end

data/spec/lib/onebox/engine/audio_onebox_spec.rb CHANGED

@@ -6,7 +6,7 @@ describe Onebox::Engine::AudioOnebox do
   end
   it "supports mp3" do
-    expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.mp3').to_s).to match(/<audio/)
+    expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.MP3').to_s).to match(/<audio/)
   end
   it "supports wav" do
@@ -28,4 +28,8 @@ describe Onebox::Engine::AudioOnebox do
   it "includes a fallback direct link to the audio" do
     expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.mp3').to_s).to match(/<a.*mp3/)
   end
+  it "correctly escapes single quotes" do
+    expect(Onebox.preview("http://test.com/test'ing.mp3").to_s).not_to match(/test'ing/)
+  end
 end

data/spec/lib/onebox/engine/image_onebox_spec.rb CHANGED

@@ -38,6 +38,6 @@ describe Onebox::Engine::ImageOnebox do
   end
   it "doesn't inline single quotes" do
-    expect(Onebox.preview("http://host/path/to/image'withquote.png").to_s).to match(/image%27withquote/)
+    expect(Onebox.preview("http://host/path/to/Image'withquote.png").to_s).to match(/Image&quot;withquote/)
   end
 end

data/spec/lib/onebox/engine/video_onebox_spec.rb CHANGED

@@ -10,7 +10,7 @@ describe Onebox::Engine::VideoOnebox do
   end
   it "supports mov" do
-    expect(Onebox.preview('http://download.wavetlan.com/SVV/Media/HTTP/BlackBerry.mov').to_s).to match(/<video/)
+    expect(Onebox.preview('http://download.wavetlan.com/SVV/Media/HTTP/BlackBerry.MOV').to_s).to match(/<video/)
   end
   it "supports webm" do

data/spec/lib/onebox/helpers_spec.rb CHANGED

@@ -2,15 +2,26 @@ require 'spec_helper'
 RSpec.describe Onebox::Helpers do
   describe '.blank?' do
-    it { expect(Onebox::Helpers.blank?("")).to be(true) }
-    it { expect(Onebox::Helpers.blank?(" ")).to be(true) }
-    it { expect(Onebox::Helpers.blank?("test")).to be(false) }
-    it { expect(Onebox::Helpers.blank?(["test", "testing"])).to be(false) }
-    it { expect(Onebox::Helpers.blank?([])).to be(true) }
-    it { expect(Onebox::Helpers.blank?({})).to be(true) }
-    it { expect(Onebox::Helpers.blank?({a: 'test'})).to be(false) }
-    it { expect(Onebox::Helpers.blank?(nil)).to be(true) }
-    it { expect(Onebox::Helpers.blank?(true)).to be(false) }
-    it { expect(Onebox::Helpers.blank?(false)).to be(true) }
+    it { expect(described_class.blank?("")).to be(true) }
+    it { expect(described_class.blank?(" ")).to be(true) }
+    it { expect(described_class.blank?("test")).to be(false) }
+    it { expect(described_class.blank?(["test", "testing"])).to be(false) }
+    it { expect(described_class.blank?([])).to be(true) }
+    it { expect(described_class.blank?({})).to be(true) }
+    it { expect(described_class.blank?({a: 'test'})).to be(false) }
+    it { expect(described_class.blank?(nil)).to be(true) }
+    it { expect(described_class.blank?(true)).to be(false) }
+    it { expect(described_class.blank?(false)).to be(true) }
   end
-end
+  describe ".truncate" do
+    let(:test_string) { "Chops off on spaces" }
+    it { expect(described_class.truncate(test_string)).to eq(test_string) }
+    it { expect(described_class.truncate(test_string,5)).to eq("Chops...") }
+    it { expect(described_class.truncate(test_string,7)).to eq("Chops...") }
+    it { expect(described_class.truncate(test_string,9)).to eq("Chops off...") }
+    it { expect(described_class.truncate(test_string,10)).to eq("Chops off...") }
+    it { expect(described_class.truncate(test_string,100)).to eq("Chops off on spaces") }
+    it { expect(described_class.truncate(" #{test_string} ",6)).to eq(" Chops...") }
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: onebox
 version: !ruby/object:Gem::Version
-  version: 1.6.5
+  version: 1.6.6
 platform: ruby
 authors:
 - Joanna Zeta
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-15 00:00:00.000000000 Z
+date: 2016-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -464,7 +464,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.2
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: A gem for turning URLs into previews.
@@ -528,3 +528,4 @@ test_files:
 - spec/lib/onebox_spec.rb
 - spec/spec_helper.rb
 - spec/support/html_spec_helper.rb
+has_rdoc: