safe_redirect 0.2.4 → 0.2.5
- checksums.yaml +4 -4
- data/lib/safe_redirect/configuration.rb +2 -1
- data/lib/safe_redirect/safe_redirect.rb +10 -0
- data/lib/safe_redirect/version.rb +1 -1
- data/spec/lib/safe_redirect/configuration_spec.rb +11 -0
- data/spec/lib/safe_redirect/safe_redirect_spec.rb +45 -19
- data/spec/spec_helper.rb +2 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8ff898728ac428398f321deade8d5e2cf36f1631
|
4
|
+
data.tar.gz: 9c4e7f8d11df8507ba04f1ad85e1fb38d9da1e4f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7c92e3e71cfae64d3ca4e64f66b64bd2106aab23b5f4e6cb36a68059a7122063fc5227354cdae928f333baa589d61af2560eca54766b44b291f43bea71c7302c
|
7
|
+
data.tar.gz: fe073f08cee215ff1471d6b75e007ce6b3057ae0c735dab60c699b412b5c5a0b1f8dc29ccf30059eeb8afd622ed34f5917803da938d0e5602bb40f18418b0eca
|
@@ -12,11 +12,12 @@ module SafeRedirect
|
|
12
12
|
end
|
13
13
|
|
14
14
|
class Configuration
|
15
|
-
attr_accessor :default_path
|
15
|
+
attr_accessor :default_path, :whitelist_local
|
16
16
|
attr_reader :domain_whitelists
|
17
17
|
|
18
18
|
def initialize
|
19
19
|
self.default_path = '/'
|
20
|
+
self.whitelist_local = false
|
20
21
|
self.domain_whitelists = []
|
21
22
|
end
|
22
23
|
|
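Review bot: The new `whitelist_local` accessor carries a security-relevant meaning that nothing in `Configuration` documents: as the spec changes in this release show, once it is true a target such as `http://127.0.0.1` is returned by `safe_path` unchanged instead of being replaced by `default_path`, regardless of `domain_whitelists`. A one-line YARD comment above the accessor would make that trade-off visible to whoever flips it, e.g. `# When true, targets whose host is loopback/private (127.0.0.1, 10.x, 172.16-31.x, 192.168.x, localhost) are accepted without consulting domain_whitelists; intended for development, keep false in production.` The rest of `Configuration` lies outside the hunk.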
@@ -61,6 +61,7 @@ module SafeRedirect
|
|
61
61
|
end
|
62
62
|
|
63
63
|
def valid_uri?(uri)
|
64
|
+
return true if uri.host && whitelist_local? && local_address?(uri.host)
|
64
65
|
return false unless uri.host.nil? && uri.scheme.nil?
|
65
66
|
return true if uri.path.nil? || uri.path =~ /^\//
|
66
67
|
false
|
@@ -70,4 +71,13 @@ module SafeRedirect
|
|
70
71
|
path !~ /\/\/\//
|
71
72
|
end
|
72
73
|
|
74
|
+
def whitelist_local?
|
75
|
+
SafeRedirect.configuration.whitelist_local
|
76
|
+
end
|
77
|
+
|
78
|
+
# borrowed the regex from https://github.com/rack/rack/blob/ea9e7a570b7ffd8ac6845a9ebecdd7de0af6b0ca/lib/rack/request.rb#L420
|
79
|
+
def local_address?(host)
|
80
|
+
host =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
81
|
+
end
|
82
|
+
|
73
83
|
end
|
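Review bot: `local_address?` (second hunk) matches the redirect target's host by prefix, so once `whitelist_local` is on a host name such as `10.attacker.example` or `192.168.attacker.example` satisfies the `\A(10|…|192\.168)\.` alternative and `valid_uri?` (first hunk) returns true for it before any other check runs; the Rack regex it borrows was written for proxy IP addresses taken from `REMOTE_ADDR`, which are always IP literals, not for attacker-supplied host names. Parsing the host with `IPAddr` and testing membership in the loopback/private ranges, treating anything that does not parse as an address as non-local, closes that gap, and the `unix`/`unix:` alternatives have no meaning for an HTTP redirect target anyway; the rewrite below needs `require 'ipaddr'` at the top of the file. The `\A::1\Z` and `\Afd[0-9a-f]{2}:` branches also look dead for IPv6 URLs, because `URI#host` keeps the surrounding brackets (`[::1]`) while `uri.hostname` is the bracket-free form, so the rewrite strips them before parsing. `valid_uri?` continues past the end of the first hunk.
```ruby
# Loopback, RFC 1918 and fd00::/8 ranges; a host that is not an IP literal is never "local".
LOCAL_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ::1/128 fd00::/8]
               .map { |cidr| IPAddr.new(cidr) }.freeze

def local_address?(host)
  return true if host.casecmp('localhost').zero?

  address = IPAddr.new(host.delete('[]')) # URI#host keeps brackets on IPv6 literals
  LOCAL_RANGES.any? { |range| range.include?(address) }
rescue IPAddr::InvalidAddressError
  false
end
```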
@@ -20,6 +20,10 @@ module SafeRedirect
|
|
20
20
|
expect(SafeRedirect.configuration.default_path).to eq('/')
|
21
21
|
end
|
22
22
|
|
23
|
+
it 'default whitelist_local is false' do
|
24
|
+
expect(SafeRedirect.configuration.whitelist_local).to eq(false)
|
25
|
+
end
|
26
|
+
|
23
27
|
it 'default domain_whitelists is []' do
|
24
28
|
expect(SafeRedirect.configuration.domain_whitelists).to eq([])
|
25
29
|
end
|
@@ -31,6 +35,13 @@ module SafeRedirect
|
|
31
35
|
expect(SafeRedirect.configuration.default_path).to eq('https://www.bukalapak.com')
|
32
36
|
end
|
33
37
|
|
38
|
+
it 'can update whitelist_local' do
|
39
|
+
SafeRedirect.configure do |config|
|
40
|
+
config.whitelist_local = true
|
41
|
+
end
|
42
|
+
expect(SafeRedirect.configuration.whitelist_local).to eq(true)
|
43
|
+
end
|
44
|
+
|
34
45
|
it 'can update domain_whitelists' do
|
35
46
|
SafeRedirect.configure do |config|
|
36
47
|
config.domain_whitelists = ['www.bukalapak.com']
|
@@ -5,10 +5,6 @@ module SafeRedirect
|
|
5
5
|
class Controller
|
6
6
|
extend SafeRedirect
|
7
7
|
end
|
8
|
-
|
9
|
-
before(:all) do
|
10
|
-
load_config
|
11
|
-
end
|
12
8
|
|
13
9
|
SAFE_PATHS = [
|
14
10
|
'https://www.bukalapak.com',
|
@@ -36,30 +32,60 @@ module SafeRedirect
|
|
36
32
|
"///bit.ly/1hqE77G",
|
37
33
|
]
|
38
34
|
|
39
|
-
|
40
|
-
|
41
|
-
|
35
|
+
shared_examples_for 'nonlocal hosts' do
|
36
|
+
SAFE_PATHS.each do |path|
|
37
|
+
it "considers #{path} a safe path" do
|
38
|
+
expect(Controller.safe_path(path)).to eq(path)
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
UNSAFE_PATHS.each do |path|
|
43
|
+
it "considers #{path} an unsafe path" do
|
44
|
+
expect(Controller.safe_path(path)).to eq(SafeRedirect.configuration.default_path)
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
48
|
+
it 'filters host, port, and protocol options when hash is passed to safe_path' do
|
49
|
+
hash = { host: 'yahoo.com', port: 80, protocol: 'https', controller: 'home', action: 'index' }
|
50
|
+
safe_hash = { port: 80, protocol: 'https', controller: 'home', action: 'index' }
|
51
|
+
expect(Controller.safe_path(hash)).to eq(safe_hash)
|
52
|
+
end
|
53
|
+
|
54
|
+
it 'can use redirect_to method with only the target path' do
|
55
|
+
Controller.redirect_to '/'
|
56
|
+
end
|
57
|
+
|
58
|
+
it 'can use redirect_to method with both the target path and the options' do
|
59
|
+
Controller.redirect_to '/', notice: 'Back to home page'
|
42
60
|
end
|
43
61
|
end
|
44
62
|
|
45
|
-
|
46
|
-
|
63
|
+
context 'whitelist_local is not set' do
|
64
|
+
|
65
|
+
before(:all) do
|
66
|
+
load_config
|
67
|
+
end
|
68
|
+
|
69
|
+
it_should_behave_like 'nonlocal hosts'
|
70
|
+
|
71
|
+
it 'considers local addresses as unsafe' do
|
72
|
+
path = 'http://127.0.0.1'
|
47
73
|
expect(Controller.safe_path(path)).to eq(SafeRedirect.configuration.default_path)
|
48
74
|
end
|
49
75
|
end
|
50
76
|
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
77
|
+
context 'whitelist_local is set' do
|
78
|
+
|
79
|
+
before(:all) do
|
80
|
+
load_config true
|
81
|
+
end
|
56
82
|
|
57
|
-
|
58
|
-
Controller.redirect_to '/'
|
59
|
-
end
|
83
|
+
it_should_behave_like 'nonlocal hosts'
|
60
84
|
|
61
|
-
|
62
|
-
|
85
|
+
it 'considers local addresses as safe' do
|
86
|
+
path = 'http://127.0.0.1'
|
87
|
+
expect(Controller.safe_path(path)).to eq(path)
|
88
|
+
end
|
63
89
|
end
|
64
90
|
end
|
65
91
|
end
|
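Review bot: The new `'whitelist_local is set'` context pins only `http://127.0.0.1` as safe; nothing checks that a host that is not an address but merely starts with a private prefix is still rejected when the flag is on, and `it_should_behave_like 'nonlocal hosts'` only replays the existing `UNSAFE_PATHS`, whose start lies outside the hunk. Unless such a case is already in that list, adding `expect(Controller.safe_path('http://10.attacker.example')).to eq(SafeRedirect.configuration.default_path)` to the enabled context would document the intended boundary of the flag. On style, `shared_examples_for`/`it_should_behave_like` are the legacy aliases of `shared_examples`/`it_behaves_like`, and the two `redirect_to` examples carry no expectation at all. The enclosing `describe` begins before the first hunk.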
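--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -7,10 +7,11 @@ def reset_config
 SafeRedirect.reset_config
 end
 
-def load_config
+def load_config(whitelist_local = false)
 SafeRedirect.configure do |config|
 config.default_path = '/sdsdkkk'
 config.domain_whitelists = %w{www.twitter.com www.bukalapak.com *.foo.org}
+config.whitelist_local = whitelist_local
 end
 end
 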
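Review bot: `load_config(whitelist_local = false)` takes a bare positional boolean, so the call `load_config true` in safe_redirect_spec does not say what it toggles. If the supported Ruby is 2.0 or later, a keyword parameter reads better at the call site: `def load_config(whitelist_local: false)` with callers written `load_config(whitelist_local: true)`; the spec files already use symbol-key hashes, so the keyword form fits the existing style.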
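--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_redirect
 version: !ruby/object:Gem::Version
-version: 0.2.
+version: 0.2.5
 platform: ruby
 authors:
 - Edwin Tunggawan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rspec
@@ -71,3 +71,4 @@ test_files:
 - spec/lib/safe_redirect/configuration_spec.rb
 - spec/lib/safe_redirect/safe_redirect_spec.rb
 - spec/spec_helper.rb
+has_rdoc: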