safe_redirect 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +2 -0
- data/LICENSE +22 -0
- data/README.md +51 -0
- data/lib/safe_redirect.rb +3 -0
- data/lib/safe_redirect/configuration.rb +17 -0
- data/lib/safe_redirect/safe_redirect.rb +27 -0
- data/lib/safe_redirect/version.rb +3 -0
- data/safe_redirect.gemspec +18 -0
- metadata +52 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 42781306d360f12ef01f4a73870f29f7d7bb3ccf
|
|
4
|
+
data.tar.gz: 17ee1e4e9949489f5cb4f4b80798aadbb8ed32bd
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 9d5601897b86a1bd091e90ec5fa091f43a2d4d595715339933aa99a519edda52cd677d30d33a8f10c87879adcb6a5caf066de95e7095dc48fe3649a4fefa254a
|
|
7
|
+
data.tar.gz: f2ddf78d33afb33fb33ed17927dc24af704b2b1ccc904e21a38ac2d9bbc85fb8909cac98c1bd4594f8152c0fb90a42df6d11de91d701d970f18ff37c8967ec87
|
data/.gitignore
ADDED
data/LICENSE
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
Copyright (c) 2015 Edwin Tunggawan (sdsdkkk)
|
|
2
|
+
|
|
3
|
+
MIT License
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
6
|
+
a copy of this software and associated documentation files (the
|
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
11
|
+
the following conditions:
|
|
12
|
+
|
|
13
|
+
The above copyright notice and this permission notice shall be
|
|
14
|
+
included in all copies or substantial portions of the Software.
|
|
15
|
+
|
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# SafeRedirect
|
|
2
|
+
|
|
3
|
+
A little gem to keep our Rails app safe from open redirection vulnerabilities.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
Add this line to Gemfile.
|
|
8
|
+
|
|
9
|
+
```
|
|
10
|
+
gem 'safe_redirect'
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Usage
|
|
14
|
+
|
|
15
|
+
Create a `config/initializer/safe_redirect.rb` file.
|
|
16
|
+
|
|
17
|
+
```rb
|
|
18
|
+
SafeRedirect.configure do |config|
|
|
19
|
+
config.domain_whitelists = ['www.google.com']
|
|
20
|
+
config.default_path = 'https://www.yahoo.com'
|
|
21
|
+
end
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Add this line to the controllers you wish to secure from open redirection.
|
|
25
|
+
|
|
26
|
+
```rb
|
|
27
|
+
include SafeRedirect
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
The `redirect_to` method provided by Rails will be overrode by `safe_redirect`'s `redirect_to` method.
|
|
31
|
+
|
|
32
|
+
```rb
|
|
33
|
+
redirect_to 'https://www.google.com' # => redirects to https://www.google.com
|
|
34
|
+
redirect_to 'https://www.golgege.com' # => redirects to ''
|
|
35
|
+
redirect_to 'https://www.golgege.com/hahaha' # => redirects to '/hahaha'
|
|
36
|
+
redirect_to 1234 # => redirects to https://www.yahoo.com as default path
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
## Contributing
|
|
40
|
+
|
|
41
|
+
- Fork the repository
|
|
42
|
+
- Create a branch for a new feature, build it
|
|
43
|
+
- Create a pull request
|
|
44
|
+
|
|
45
|
+
## License
|
|
46
|
+
|
|
47
|
+
MIT License
|
|
48
|
+
|
|
49
|
+
## Author
|
|
50
|
+
|
|
51
|
+
- [Edwin Tunggawan](https://github.com/sdsdkkk)
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
module SafeRedirect
|
|
2
|
+
class << self
|
|
3
|
+
attr_writer :configuration
|
|
4
|
+
|
|
5
|
+
def configuration
|
|
6
|
+
@configuration ||= Configuration.new
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def configure
|
|
10
|
+
yield(configuration)
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
class Configuration
|
|
15
|
+
attr_accessor :default_path, :domain_whitelists
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
module SafeRedirect
|
|
2
|
+
def safe_domain?(path)
|
|
3
|
+
whitelists = SafeRedirect.configuration.domain_whitelists || []
|
|
4
|
+
path =~ /^\// && !(path =~ /^\/\/+/) ||
|
|
5
|
+
whitelists.any? do |w|
|
|
6
|
+
path =~ /^https?:\/\/#{w}($|\/.*)/
|
|
7
|
+
end
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def safe_path(path)
|
|
11
|
+
if path.kind_of?(String)
|
|
12
|
+
stripped_path = path.strip
|
|
13
|
+
if safe_domain?(stripped_path)
|
|
14
|
+
stripped_path
|
|
15
|
+
else
|
|
16
|
+
stripped_path.gsub(/https?:\/\/[a-z0-9\-\.:]*/i, '')
|
|
17
|
+
.gsub(/^(data:|javascript:|\.|\/\/|@)+/i, '')
|
|
18
|
+
end
|
|
19
|
+
else
|
|
20
|
+
SafeRedirect.configuration.default_path
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def redirect_to(path)
|
|
25
|
+
super safe_path(path)
|
|
26
|
+
end
|
|
27
|
+
end
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
|
|
2
|
+
# -*- encoding: utf-8 -*-
|
|
3
|
+
lib = File.expand_path('../lib', __FILE__)
|
|
4
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
5
|
+
require 'safe_redirect/version'
|
|
6
|
+
|
|
7
|
+
Gem::Specification.new do |gem|
|
|
8
|
+
gem.name = "safe_redirect"
|
|
9
|
+
gem.version = SafeRedirect::VERSION
|
|
10
|
+
gem.authors = ["Edwin Tunggawan"]
|
|
11
|
+
gem.email = ["vcc.edwint@gmail.com"]
|
|
12
|
+
gem.description = %q{Preventing open redirects in Ruby web apps}
|
|
13
|
+
gem.summary = %q{Preventing open redirects in Ruby web apps}
|
|
14
|
+
gem.homepage = "https://github.com/sdsdkkk/safe_redirect"
|
|
15
|
+
|
|
16
|
+
gem.files = `git ls-files`.split($/)
|
|
17
|
+
gem.require_paths = ["lib", "lib/safe_redirect"]
|
|
18
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: safe_redirect
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Edwin Tunggawan
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2016-04-30 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: Preventing open redirects in Ruby web apps
|
|
14
|
+
email:
|
|
15
|
+
- vcc.edwint@gmail.com
|
|
16
|
+
executables: []
|
|
17
|
+
extensions: []
|
|
18
|
+
extra_rdoc_files: []
|
|
19
|
+
files:
|
|
20
|
+
- ".gitignore"
|
|
21
|
+
- LICENSE
|
|
22
|
+
- README.md
|
|
23
|
+
- lib/safe_redirect.rb
|
|
24
|
+
- lib/safe_redirect/configuration.rb
|
|
25
|
+
- lib/safe_redirect/safe_redirect.rb
|
|
26
|
+
- lib/safe_redirect/version.rb
|
|
27
|
+
- safe_redirect.gemspec
|
|
28
|
+
homepage: https://github.com/sdsdkkk/safe_redirect
|
|
29
|
+
licenses: []
|
|
30
|
+
metadata: {}
|
|
31
|
+
post_install_message:
|
|
32
|
+
rdoc_options: []
|
|
33
|
+
require_paths:
|
|
34
|
+
- lib
|
|
35
|
+
- lib/safe_redirect
|
|
36
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
41
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
42
|
+
requirements:
|
|
43
|
+
- - ">="
|
|
44
|
+
- !ruby/object:Gem::Version
|
|
45
|
+
version: '0'
|
|
46
|
+
requirements: []
|
|
47
|
+
rubyforge_project:
|
|
48
|
+
rubygems_version: 2.5.1
|
|
49
|
+
signing_key:
|
|
50
|
+
specification_version: 4
|
|
51
|
+
summary: Preventing open redirects in Ruby web apps
|
|
52
|
+
test_files: []
|