safe_redirect 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +2 -0
- data/LICENSE +22 -0
- data/README.md +51 -0
- data/lib/safe_redirect.rb +3 -0
- data/lib/safe_redirect/configuration.rb +17 -0
- data/lib/safe_redirect/safe_redirect.rb +27 -0
- data/lib/safe_redirect/version.rb +3 -0
- data/safe_redirect.gemspec +18 -0
- metadata +52 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 42781306d360f12ef01f4a73870f29f7d7bb3ccf
|
|
4
|
+
data.tar.gz: 17ee1e4e9949489f5cb4f4b80798aadbb8ed32bd
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 9d5601897b86a1bd091e90ec5fa091f43a2d4d595715339933aa99a519edda52cd677d30d33a8f10c87879adcb6a5caf066de95e7095dc48fe3649a4fefa254a
|
|
7
|
+
data.tar.gz: f2ddf78d33afb33fb33ed17927dc24af704b2b1ccc904e21a38ac2d9bbc85fb8909cac98c1bd4594f8152c0fb90a42df6d11de91d701d970f18ff37c8967ec87
|
data/.gitignore
ADDED
data/LICENSE
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
Copyright (c) 2015 Edwin Tunggawan (sdsdkkk)
|
|
2
|
+
|
|
3
|
+
MIT License
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
6
|
+
a copy of this software and associated documentation files (the
|
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
11
|
+
the following conditions:
|
|
12
|
+
|
|
13
|
+
The above copyright notice and this permission notice shall be
|
|
14
|
+
included in all copies or substantial portions of the Software.
|
|
15
|
+
|
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# SafeRedirect
|
|
2
|
+
|
|
3
|
+
A little gem to keep our Rails app safe from open redirection vulnerabilities.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
Add this line to Gemfile.
|
|
8
|
+
|
|
9
|
+
```
|
|
10
|
+
gem 'safe_redirect'
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Usage
|
|
14
|
+
|
|
15
|
+
Create a `config/initializer/safe_redirect.rb` file.
|
|
16
|
+
|
|
17
|
+
```rb
|
|
18
|
+
SafeRedirect.configure do |config|
|
|
19
|
+
config.domain_whitelists = ['www.google.com']
|
|
20
|
+
config.default_path = 'https://www.yahoo.com'
|
|
21
|
+
end
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Add this line to the controllers you wish to secure from open redirection.
|
|
25
|
+
|
|
26
|
+
```rb
|
|
27
|
+
include SafeRedirect
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
The `redirect_to` method provided by Rails will be overrode by `safe_redirect`'s `redirect_to` method.
|
|
31
|
+
|
|
32
|
+
```rb
|
|
33
|
+
redirect_to 'https://www.google.com' # => redirects to https://www.google.com
|
|
34
|
+
redirect_to 'https://www.golgege.com' # => redirects to ''
|
|
35
|
+
redirect_to 'https://www.golgege.com/hahaha' # => redirects to '/hahaha'
|
|
36
|
+
redirect_to 1234 # => redirects to https://www.yahoo.com as default path
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
## Contributing
|
|
40
|
+
|
|
41
|
+
- Fork the repository
|
|
42
|
+
- Create a branch for a new feature, build it
|
|
43
|
+
- Create a pull request
|
|
44
|
+
|
|
45
|
+
## License
|
|
46
|
+
|
|
47
|
+
MIT License
|
|
48
|
+
|
|
49
|
+
## Author
|
|
50
|
+
|
|
51
|
+
- [Edwin Tunggawan](https://github.com/sdsdkkk)
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
module SafeRedirect
|
|
2
|
+
class << self
|
|
3
|
+
attr_writer :configuration
|
|
4
|
+
|
|
5
|
+
def configuration
|
|
6
|
+
@configuration ||= Configuration.new
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def configure
|
|
10
|
+
yield(configuration)
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
class Configuration
|
|
15
|
+
attr_accessor :default_path, :domain_whitelists
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
module SafeRedirect
|
|
2
|
+
def safe_domain?(path)
|
|
3
|
+
whitelists = SafeRedirect.configuration.domain_whitelists || []
|
|
4
|
+
path =~ /^\// && !(path =~ /^\/\/+/) ||
|
|
5
|
+
whitelists.any? do |w|
|
|
6
|
+
path =~ /^https?:\/\/#{w}($|\/.*)/
|
|
7
|
+
end
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def safe_path(path)
|
|
11
|
+
if path.kind_of?(String)
|
|
12
|
+
stripped_path = path.strip
|
|
13
|
+
if safe_domain?(stripped_path)
|
|
14
|
+
stripped_path
|
|
15
|
+
else
|
|
16
|
+
stripped_path.gsub(/https?:\/\/[a-z0-9\-\.:]*/i, '')
|
|
17
|
+
.gsub(/^(data:|javascript:|\.|\/\/|@)+/i, '')
|
|
18
|
+
end
|
|
19
|
+
else
|
|
20
|
+
SafeRedirect.configuration.default_path
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def redirect_to(path)
|
|
25
|
+
super safe_path(path)
|
|
26
|
+
end
|
|
27
|
+
end
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
|
|
2
|
+
# -*- encoding: utf-8 -*-
|
|
3
|
+
lib = File.expand_path('../lib', __FILE__)
|
|
4
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
5
|
+
require 'safe_redirect/version'
|
|
6
|
+
|
|
7
|
+
Gem::Specification.new do |gem|
|
|
8
|
+
gem.name = "safe_redirect"
|
|
9
|
+
gem.version = SafeRedirect::VERSION
|
|
10
|
+
gem.authors = ["Edwin Tunggawan"]
|
|
11
|
+
gem.email = ["vcc.edwint@gmail.com"]
|
|
12
|
+
gem.description = %q{Preventing open redirects in Ruby web apps}
|
|
13
|
+
gem.summary = %q{Preventing open redirects in Ruby web apps}
|
|
14
|
+
gem.homepage = "https://github.com/sdsdkkk/safe_redirect"
|
|
15
|
+
|
|
16
|
+
gem.files = `git ls-files`.split($/)
|
|
17
|
+
gem.require_paths = ["lib", "lib/safe_redirect"]
|
|
18
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: safe_redirect
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Edwin Tunggawan
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2016-04-30 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: Preventing open redirects in Ruby web apps
|
|
14
|
+
email:
|
|
15
|
+
- vcc.edwint@gmail.com
|
|
16
|
+
executables: []
|
|
17
|
+
extensions: []
|
|
18
|
+
extra_rdoc_files: []
|
|
19
|
+
files:
|
|
20
|
+
- ".gitignore"
|
|
21
|
+
- LICENSE
|
|
22
|
+
- README.md
|
|
23
|
+
- lib/safe_redirect.rb
|
|
24
|
+
- lib/safe_redirect/configuration.rb
|
|
25
|
+
- lib/safe_redirect/safe_redirect.rb
|
|
26
|
+
- lib/safe_redirect/version.rb
|
|
27
|
+
- safe_redirect.gemspec
|
|
28
|
+
homepage: https://github.com/sdsdkkk/safe_redirect
|
|
29
|
+
licenses: []
|
|
30
|
+
metadata: {}
|
|
31
|
+
post_install_message:
|
|
32
|
+
rdoc_options: []
|
|
33
|
+
require_paths:
|
|
34
|
+
- lib
|
|
35
|
+
- lib/safe_redirect
|
|
36
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
41
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
42
|
+
requirements:
|
|
43
|
+
- - ">="
|
|
44
|
+
- !ruby/object:Gem::Version
|
|
45
|
+
version: '0'
|
|
46
|
+
requirements: []
|
|
47
|
+
rubyforge_project:
|
|
48
|
+
rubygems_version: 2.5.1
|
|
49
|
+
signing_key:
|
|
50
|
+
specification_version: 4
|
|
51
|
+
summary: Preventing open redirects in Ruby web apps
|
|
52
|
+
test_files: []
|