onebox 1.6.5 → 1.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d7ab04f20175f2f5178aeff589be9de5a3c6efbf
-  data.tar.gz: 30c66d325d2a5f48124dda00297da95373ff2a9e
+  metadata.gz: f6930d4a5a9ef64e464c152dbb2529f05a371575
+  data.tar.gz: ae19e58e8fda95f03a22501f5a4bfddb3727dfec
 SHA512:
-  metadata.gz: 4174a3df1a3af3bb4ef2c3e1604bd06102128d1ec8557bf8bef70f670f47e65015f3764cd49dfc4b6d1638d63f07cdbc1f79a267ca4208a88d66f8a560c2088e
-  data.tar.gz: bc7fcc8ecdf0b816f64f0ccd37a40841a37b0f0d8aa282fb5a7f3239e18a8929b8a3b321143373f33d5ad547eeccc9c6626a29adfbc6ed7c818d2d4a2cd1b317
+  metadata.gz: 090d8eed2fba3e8c9be2ad047439a061b44c8e9ac65c874007579cf1f5e2d1e6f950208cfc2c1e451772b11ff5818534e7745bde83e916f7e4aaa408c7121e01
+  data.tar.gz: 20c3b56077aa58cabd1ee7483f67d6436d678f4c5a246fa350f4d26c18faed50b1188a65d4a3bedfd44a1cbc45300f960b2e1d7d2fed3b2281b7f93938364268

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.6.6
+
+  * SECURITY: normalize url for audio/video oneboxes
+
 ## 1.5.64
 
   * Escape HTML entities in text when oneboxing Amazon URLs.

data/lib/onebox/engine/audio_onebox.rb

@@ -3,14 +3,15 @@ module Onebox
     class AudioOnebox
       include Engine
 
-      matches_regexp /^(https?:)?\/\/.*\.(mp3|ogg|wav|m4a)(\?.*)?$/
+      matches_regexp(/^(https?:)?\/\/.*\.(mp3|ogg|wav|m4a)(\?.*)?$/i)
 
       def always_https?
         WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
       end
 
       def to_html
-        "<audio controls><source src='#{@url}'><a href='#{@url}'>#{@url}</a></audio>"
+        url = ::Onebox::Helpers.normalize_url_for_output(@url)
+        "<audio controls><source src='#{url}'><a href='#{url}'>#{url}</a></audio>"
       end
     end
   end

data/lib/onebox/engine/image_onebox.rb

@@ -3,7 +3,7 @@ module Onebox
     class ImageOnebox
       include Engine
 
-      matches_regexp /^(https?:)?\/\/.+\.(png|jpg|jpeg|gif|bmp|tif|tiff)(\?.*)?$/i
+      matches_regexp(/^(https?:)?\/\/.+\.(png|jpg|jpeg|gif|bmp|tif|tiff)(\?.*)?$/i)
 
       def always_https?
         WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
@@ -15,7 +15,7 @@ module Onebox
           @url.gsub!("https://www.dropbox.com","https://dl.dropboxusercontent.com")
         end
 
-        escaped = url.gsub(/'/, "%27")
+        escaped = Onebox::Helpers.normalize_url_for_output(url)
         "<a href='#{escaped}' target='_blank'><img src='#{escaped}'></a>"
       end
     end

data/lib/onebox/engine/video_onebox.rb

@@ -3,14 +3,15 @@ module Onebox
     class VideoOnebox
       include Engine
 
-      matches_regexp /^(https?:)?\/\/.*\.(mov|mp4|webm|ogv)(\?.*)?$/
+      matches_regexp(/^(https?:)?\/\/.*\.(mov|mp4|webm|ogv)(\?.*)?$/i)
 
       def always_https?
         WhitelistedGenericOnebox.host_matches(uri, WhitelistedGenericOnebox.https_hosts)
       end
 
       def to_html
-        "<video width='100%' height='100%' controls><source src='#{@url}'><a href='#{@url}'>#{@url}</a></video>"
+        url = ::Onebox::Helpers.normalize_url_for_output(@url)
+        "<video width='100%' height='100%' controls><source src='#{url}'><a href='#{url}'>#{url}</a></video>"
       end
     end
   end

data/lib/onebox/engine/whitelisted_generic_onebox.rb

@@ -200,10 +200,10 @@ module Onebox
           html_entities = HTMLEntities.new
           d = { link: link }.merge(raw)
           if !Onebox::Helpers.blank?(d[:title])
-            d[:title] = html_entities.decode(Onebox::Helpers.truncate(d[:title]))
+            d[:title] = html_entities.decode(Onebox::Helpers.truncate(d[:title].strip, 80))
           end
           if !Onebox::Helpers.blank?(d[:description])
-            d[:description] = html_entities.decode(Onebox::Helpers.truncate(d[:description], 250))
+            d[:description] = html_entities.decode(Onebox::Helpers.truncate(d[:description].strip, 250))
           end
           d
         end

data/lib/onebox/helpers.rb

@@ -65,11 +65,20 @@ module Onebox
     end
 
     def self.truncate(string, length = 50)
-      string.size > length ? string[0..length] + "..." : string
+      string.size > length ? string[0...(string.rindex(" ", length)||length)] + "..." : string
     end
 
     def self.title_attr(meta)
       (meta && !blank?(meta[:title])) ? "title='#{CGI.escapeHTML(meta[:title])}'" : ""
     end
+
+    def self.normalize_url_for_output(url)
+      url = url.dup
+      # expect properly encoded url, remove any unsafe chars
+      url.gsub!(/[^a-zA-Z0-9%\-`._~:\/?#\[\]@!$&'\(\)*+,;=]/, "")
+      url.gsub!("'", """)
+      url
+    end
+
   end
 end

data/lib/onebox/version.rb

@@ -1,3 +1,3 @@
 module Onebox
-  VERSION = "1.6.5"
+  VERSION = "1.6.6"
 end

data/spec/lib/onebox/engine/audio_onebox_spec.rb

@@ -6,7 +6,7 @@ describe Onebox::Engine::AudioOnebox do
   end
 
   it "supports mp3" do
-    expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.mp3').to_s).to match(/<audio/)
+    expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.MP3').to_s).to match(/<audio/)
   end
 
   it "supports wav" do
@@ -28,4 +28,8 @@ describe Onebox::Engine::AudioOnebox do
   it "includes a fallback direct link to the audio" do
     expect(Onebox.preview('http://kolber.github.io/audiojs/demos/mp3/juicy.mp3').to_s).to match(/<a.*mp3/)
   end
+
+  it "correctly escapes single quotes" do
+    expect(Onebox.preview("http://test.com/test'ing.mp3").to_s).not_to match(/test'ing/)
+  end
 end

data/spec/lib/onebox/engine/image_onebox_spec.rb

@@ -38,6 +38,6 @@ describe Onebox::Engine::ImageOnebox do
   end
 
   it "doesn't inline single quotes" do
-    expect(Onebox.preview("http://host/path/to/image'withquote.png").to_s).to match(/image%27withquote/)
+    expect(Onebox.preview("http://host/path/to/Image'withquote.png").to_s).to match(/Image"withquote/)
   end
 end

data/spec/lib/onebox/engine/video_onebox_spec.rb

@@ -10,7 +10,7 @@ describe Onebox::Engine::VideoOnebox do
   end
 
   it "supports mov" do
-    expect(Onebox.preview('http://download.wavetlan.com/SVV/Media/HTTP/BlackBerry.mov').to_s).to match(/<video/)
+    expect(Onebox.preview('http://download.wavetlan.com/SVV/Media/HTTP/BlackBerry.MOV').to_s).to match(/<video/)
   end
 
   it "supports webm" do

data/spec/lib/onebox/helpers_spec.rb

@@ -2,15 +2,26 @@ require 'spec_helper'
 
 RSpec.describe Onebox::Helpers do
   describe '.blank?' do
-    it { expect(Onebox::Helpers.blank?("")).to be(true) }
-    it { expect(Onebox::Helpers.blank?(" ")).to be(true) }
-    it { expect(Onebox::Helpers.blank?("test")).to be(false) }
-    it { expect(Onebox::Helpers.blank?(["test", "testing"])).to be(false) }
-    it { expect(Onebox::Helpers.blank?([])).to be(true) }
-    it { expect(Onebox::Helpers.blank?({})).to be(true) }
-    it { expect(Onebox::Helpers.blank?({a: 'test'})).to be(false) }
-    it { expect(Onebox::Helpers.blank?(nil)).to be(true) }
-    it { expect(Onebox::Helpers.blank?(true)).to be(false) }
-    it { expect(Onebox::Helpers.blank?(false)).to be(true) }
+    it { expect(described_class.blank?("")).to be(true) }
+    it { expect(described_class.blank?(" ")).to be(true) }
+    it { expect(described_class.blank?("test")).to be(false) }
+    it { expect(described_class.blank?(["test", "testing"])).to be(false) }
+    it { expect(described_class.blank?([])).to be(true) }
+    it { expect(described_class.blank?({})).to be(true) }
+    it { expect(described_class.blank?({a: 'test'})).to be(false) }
+    it { expect(described_class.blank?(nil)).to be(true) }
+    it { expect(described_class.blank?(true)).to be(false) }
+    it { expect(described_class.blank?(false)).to be(true) }
   end
-end
+
+  describe ".truncate" do
+    let(:test_string) { "Chops off on spaces" }
+    it { expect(described_class.truncate(test_string)).to eq(test_string) }
+    it { expect(described_class.truncate(test_string,5)).to eq("Chops...") }
+    it { expect(described_class.truncate(test_string,7)).to eq("Chops...") }
+    it { expect(described_class.truncate(test_string,9)).to eq("Chops off...") }
+    it { expect(described_class.truncate(test_string,10)).to eq("Chops off...") }
+    it { expect(described_class.truncate(test_string,100)).to eq("Chops off on spaces") }
+    it { expect(described_class.truncate(" #{test_string} ",6)).to eq(" Chops...") }
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: onebox
 version: !ruby/object:Gem::Version
-  version: 1.6.5
+  version: 1.6.6
 platform: ruby
 authors:
 - Joanna Zeta
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-15 00:00:00.000000000 Z
+date: 2016-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -464,7 +464,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: A gem for turning URLs into previews.
@@ -528,3 +528,4 @@ test_files:
 - spec/lib/onebox_spec.rb
 - spec/spec_helper.rb
 - spec/support/html_spec_helper.rb
+has_rdoc: