safe_redirect 0.2.0 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: d7ec6d3b3465f55bad649de2f616f80fd54eeba7
4
- data.tar.gz: 84a2a87fdd19aea1a6df85ed28db68e12588f1b4
3
+ metadata.gz: 432d56c2fe2e256b7040f00a82822d9778ef257c
4
+ data.tar.gz: 4cd2ccdf44e92e79d613b5ad960b81f486a80009
5
5
  SHA512:
6
- metadata.gz: 977e8f2775ea6bb8b946fd8f405da5c1a7ccc9f5f8e0289f41d4d108e244c5f62f5812bf4f943e78165bcac4307717e8904e842d82efcfa5fe23df4c267a1906
7
- data.tar.gz: 5e763f75a2648e9eac79f60880ef10ac73c60ec789481f1a0fed3435438dd25f17981920952aeb4dc711ca49b28294f5780dc7cb2b412039664621909010fb4a
6
+ metadata.gz: e615e2700b962aae967a8894aef1af26484d5ccf7ba1b4c8868090ea49f426f9007ec0e5950f93dc20cb7624049c3d0129fe963470be00073da1f741de92b023
7
+ data.tar.gz: 71d7558aac96b2a794daf3edb895998b8321b4e03fbde1ed182964612171d8252469034d6927ebc483b7a7b04b682466fd16da987c31c3be71321ba27ce9e2fb
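--- a/data/README.md
+++ b/data/README.md
@@ -27,7 +27,7 @@ Add this line to the controllers you wish to secure from open redirection.
 include SafeRedirect
 ```
 
-The `redirect_to` method provided by Rails will be overrode by `safe_redirect`'s `redirect_to` method.
+The `redirect_to` method provided by Rails will be overridden by `safe_redirect`'s `redirect_to` method.
 
 ```rb
 redirect_to 'https://www.google.com' # => redirects to https://www.google.com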
@@ -1,16 +1,16 @@
1
+ require 'uri'
2
+
1
3
  module SafeRedirect
2
- def safe_domain?(path)
3
- path =~ /^\// && !(path =~ /^\/\/+/) ||
4
- SafeRedirect.configuration.domain_whitelists.any? do |w|
5
- path =~ /^https?:\/\/#{Regexp.escape(w)}($|\/.*)/i
6
- end
4
+ def safe_domain?(uri)
5
+ return true if uri.host.nil? && uri.scheme.nil?
6
+ SafeRedirect.configuration.domain_whitelists.include?(uri.host)
7
7
  end
8
8
 
9
9
  def safe_path(path)
10
- case
11
- when path.kind_of?(String)
10
+ case path
11
+ when String
12
12
  clean_path(path)
13
- when path.kind_of?(Symbol) || path.kind_of?(Hash)
13
+ when Symbol, Hash
14
14
  path
15
15
  else
16
16
  SafeRedirect.configuration.default_path
@@ -26,11 +26,9 @@ module SafeRedirect
26
26
  private
27
27
 
28
28
  def clean_path(path)
29
- stripped_path = path.strip
30
- unless safe_domain?(stripped_path)
31
- stripped_path.gsub!(/https?:\/\/[a-z0-9\-\.:@]*/i, '')
32
- stripped_path.gsub!(/^((https?:|data:|javascript:|\.|\/\/|@|%)+[a-z0-9\-\.:@%]*)+/i, '')
33
- end
34
- stripped_path.empty? ? '/' : stripped_path
29
+ uri = URI.parse(path)
30
+ safe_domain?(uri) ? path : '/'
31
+ rescue URI::InvalidURIError
32
+ '/'
35
33
  end
36
34
  end
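Review bot: The new `safe_domain?` in the first hunk no longer constrains the scheme or the shape of a relative reference: the removed regex required `https?://` in front of a whitelisted host and a leading `/` for everything else, whereas `include?(uri.host)` accepts any scheme whose host is whitelisted and the early return accepts every scheme-less, host-less string, so `clean_path` now hands back values such as `.@@@google.com` (listed as unsafe in the old spec and dropped from it in this same release) unchanged. Suggest `return uri.path.start_with?('/') if uri.host.nil? && uri.scheme.nil?` for the early return and `return false unless %w[http https].include?(uri.scheme)` ahead of the whitelist lookup; `URI.parse` lower-cases the scheme, so the literal comparison is enough there. The host comparison has also become case-sensitive where the old regex used `/i`, which fails closed to `/` but may surprise callers whose whitelist entries are not all lowercase. The enclosing module continues outside both hunks.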
@@ -1,3 +1,3 @@
1
1
  module SafeRedirect
2
- VERSION = '0.2.0'
2
+ VERSION = '0.2.1'
3
3
  end
@@ -13,15 +13,20 @@ module SafeRedirect
13
13
  SAFE_PATHS = [
14
14
  'https://www.bukalapak.com',
15
15
  '/',
16
+ '/foobar',
16
17
  'http://www.twitter.com',
17
18
  :back,
18
19
  { controller: 'home', action: 'index' }
19
20
  ]
20
21
 
21
- UNSAFE_PATHS = %w(// https://www.bukalapak.com@google.com http://////@@@@@@attacker.com//evil.com
22
- .@@@google.com //bukalapak.com%25%40%25%40%25%40%25%40%25%40%25%40%25%40evil.com
23
- %25%40%25%40%25%40%25%40%25%40%25%40%25%40%25%40%25%40%25%40evil.com
24
- %@%@%@%@%@%@%@%@%@%@evil.com https://www-bukalapak.com)
22
+ UNSAFE_PATHS = [
23
+ "https://www.bukalapak.com@google.com",
24
+ "http://////@@@@@@attacker.com//evil.com",
25
+ "//bukalapak.com%25%40%25%40%25%40%25%40%25%40%25%40%25%40evil.com",
26
+ "%@%@%@%@%@%@%@%@%@%@evil.com",
27
+ "https://www-bukalapak.com",
28
+ "https://www.bukalapak.com\n.evil.com",
29
+ ]
25
30
 
26
31
  SAFE_PATHS.each do |path|
27
32
  it "considers #{path} a safe path" do
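Review bot: The rewritten `UNSAFE_PATHS` drops `//`, `.@@@google.com` and the un-slashed `%25%40…evil.com` entry that the old `%w(...)` list carried while adding only the newline case, so coverage of host-less inputs that do not begin with `/` has shrunk rather than moved. Keeping those three strings in the new array would exercise the scheme-less early return in `safe_domain?`; if they fail under the parser-based check, that failure is exactly the signal this spec exists to give, and the expected result for each remains `'/'`. The `it` block that opens on the hunk's last line continues outside the hunk.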
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: safe_redirect
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Edwin Tunggawan
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-07-02 00:00:00.000000000 Z
11
+ date: 2016-08-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rspec
@@ -71,4 +71,3 @@ test_files:
71
71
  - spec/lib/safe_redirect/configuration_spec.rb
72
72
  - spec/lib/safe_redirect/safe_redirect_spec.rb
73
73
  - spec/spec_helper.rb
74
- has_rdoc: