safe_redirect 0.2.4 → 0.2.5

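--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 336f84a6b03db00df68f1f76be936b3e199cd829
-data.tar.gz: f65b82666b23abce9eeb46e310aef4526ca9d5f1
+metadata.gz: 8ff898728ac428398f321deade8d5e2cf36f1631
+data.tar.gz: 9c4e7f8d11df8507ba04f1ad85e1fb38d9da1e4f
 SHA512:
-metadata.gz: e8c77143c12ec4d810fa92554dd22fb7277aaad3552b927b3dc817565b5a0996ffabcd299cb968a5f7a82df8f4210934d71178a8092b79b46d0774aebf81d3f6
-data.tar.gz: 50d512e6af84ad7353914b1406eacc80208f5874d9787edbea9707afc49415081b6702e6953f1537a1c1c6000188ad6e0ffc8d83638f8beb4169f3648bcaf632
+metadata.gz: 7c92e3e71cfae64d3ca4e64f66b64bd2106aab23b5f4e6cb36a68059a7122063fc5227354cdae928f333baa589d61af2560eca54766b44b291f43bea71c7302c
+data.tar.gz: fe073f08cee215ff1471d6b75e007ce6b3057ae0c735dab60c699b412b5c5a0b1f8dc29ccf30059eeb8afd622ed34f5917803da938d0e5602bb40f18418b0eca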
@@ -12,11 +12,12 @@ module SafeRedirect
12
12
  end
13
13
 
14
14
  class Configuration
15
- attr_accessor :default_path
15
+ attr_accessor :default_path, :whitelist_local
16
16
  attr_reader :domain_whitelists
17
17
 
18
18
  def initialize
19
19
  self.default_path = '/'
20
+ self.whitelist_local = false
20
21
  self.domain_whitelists = []
21
22
  end
22
23
 
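Review bot: whitelist_local is a new security-relevant switch and nothing in the hunk says what it relaxes; a reader of Configuration has to find the call site in valid_uri? to learn that. A short comment above the accessor would do, e.g. `# When true, absolute redirect targets whose host is a loopback/private address are accepted (see valid_uri?); off by default.` Initialising it to false in initialize is the right default for a production setting. The rest of the class is outside the hunk.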
@@ -61,6 +61,7 @@ module SafeRedirect
61
61
  end
62
62
 
63
63
  def valid_uri?(uri)
64
+ return true if uri.host && whitelist_local? && local_address?(uri.host)
64
65
  return false unless uri.host.nil? && uri.scheme.nil?
65
66
  return true if uri.path.nil? || uri.path =~ /^\//
66
67
  false
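Review bot: The new early return at the top of valid_uri? accepts any absolute URI whose host passes local_address? without looking at uri.scheme, whereas the relative-path branch below it still requires the scheme to be nil; with whitelist_local on, a non-web scheme paired with a loopback host would be reported as valid. Limiting the shortcut to web schemes keeps the opt-in narrow: `return true if uri.host && whitelist_local? && %w[http https].include?(uri.scheme) && local_address?(uri.host)`. valid_uri? ends outside the hunk, and the domain-whitelist path it otherwise falls through to is not visible here, so whether that path constrains the scheme cannot be confirmed from this diff.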
@@ -70,4 +71,13 @@ module SafeRedirect
70
71
  path !~ /\/\/\//
71
72
  end
72
73
 
74
+ def whitelist_local?
75
+ SafeRedirect.configuration.whitelist_local
76
+ end
77
+
78
+ # borrowed the regex from https://github.com/rack/rack/blob/ea9e7a570b7ffd8ac6845a9ebecdd7de0af6b0ca/lib/rack/request.rb#L420
79
+ def local_address?(host)
80
+ host =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
81
+ end
82
+
73
83
  end
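Review bot: The private-range alternatives in local_address? anchor only the start of the string (`\A(10|172\.(...)|192\.168)\.`), so they are prefix matches on whatever host string arrives rather than tests for an IPv4 literal; with whitelist_local enabled, any hostname whose leading labels happen to look like one of those prefixes is classified as local. The pattern also uses `\Z`, which tolerates a trailing newline, where `\z` is meant, and the `unix`/`unix:` alternatives come from Rack's socket handling and have no meaning for a redirect host. Anchoring every alternative to a complete address, as in the excerpt below, removes the prefix match; note that Ruby's URI returns IPv6 hosts wrapped in brackets (e.g. `[::1]`), so the `::1`/`fd..` alternatives likely never match as written and deserve a test. whitelist_local? and local_address? are added without a visible `private` marker; if this module is included into a controller they become public methods there, so mark them private (the enclosing module continues outside the hunk).
```ruby
  # Matches only complete loopback/private IPv4 literals, the IPv6 loopback and
  # unique-local literals (with or without URI brackets), and the name "localhost".
  LOCAL_HOST = /\A(?:127\.0\.0\.1
                   |10(?:\.\d{1,3}){3}
                   |172\.(?:1[6-9]|2[0-9]|3[01])(?:\.\d{1,3}){2}
                   |192\.168(?:\.\d{1,3}){2}
                   |\[?::1\]?
                   |\[?fd[0-9a-f]{2}:[0-9a-f:]+\]?
                   |localhost)\z/xi

  def local_address?(host)
    host =~ LOCAL_HOST
  end
```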
@@ -1,3 +1,3 @@
1
1
  module SafeRedirect
2
- VERSION = '0.2.4'
2
+ VERSION = '0.2.5'
3
3
  end
@@ -20,6 +20,10 @@ module SafeRedirect
20
20
  expect(SafeRedirect.configuration.default_path).to eq('/')
21
21
  end
22
22
 
23
+ it 'default whitelist_local is false' do
24
+ expect(SafeRedirect.configuration.whitelist_local).to eq(false)
25
+ end
26
+
23
27
  it 'default domain_whitelists is []' do
24
28
  expect(SafeRedirect.configuration.domain_whitelists).to eq([])
25
29
  end
@@ -31,6 +35,13 @@ module SafeRedirect
31
35
  expect(SafeRedirect.configuration.default_path).to eq('https://www.bukalapak.com')
32
36
  end
33
37
 
38
+ it 'can update whitelist_local' do
39
+ SafeRedirect.configure do |config|
40
+ config.whitelist_local = true
41
+ end
42
+ expect(SafeRedirect.configuration.whitelist_local).to eq(true)
43
+ end
44
+
34
45
  it 'can update domain_whitelists' do
35
46
  SafeRedirect.configure do |config|
36
47
  config.domain_whitelists = ['www.bukalapak.com']
@@ -5,10 +5,6 @@ module SafeRedirect
5
5
  class Controller
6
6
  extend SafeRedirect
7
7
  end
8
-
9
- before(:all) do
10
- load_config
11
- end
12
8
 
13
9
  SAFE_PATHS = [
14
10
  'https://www.bukalapak.com',
@@ -36,30 +32,60 @@ module SafeRedirect
36
32
  "///bit.ly/1hqE77G",
37
33
  ]
38
34
 
39
- SAFE_PATHS.each do |path|
40
- it "considers #{path} a safe path" do
41
- expect(Controller.safe_path(path)).to eq(path)
35
+ shared_examples_for 'nonlocal hosts' do
36
+ SAFE_PATHS.each do |path|
37
+ it "considers #{path} a safe path" do
38
+ expect(Controller.safe_path(path)).to eq(path)
39
+ end
40
+ end
41
+
42
+ UNSAFE_PATHS.each do |path|
43
+ it "considers #{path} an unsafe path" do
44
+ expect(Controller.safe_path(path)).to eq(SafeRedirect.configuration.default_path)
45
+ end
46
+ end
47
+
48
+ it 'filters host, port, and protocol options when hash is passed to safe_path' do
49
+ hash = { host: 'yahoo.com', port: 80, protocol: 'https', controller: 'home', action: 'index' }
50
+ safe_hash = { port: 80, protocol: 'https', controller: 'home', action: 'index' }
51
+ expect(Controller.safe_path(hash)).to eq(safe_hash)
52
+ end
53
+
54
+ it 'can use redirect_to method with only the target path' do
55
+ Controller.redirect_to '/'
56
+ end
57
+
58
+ it 'can use redirect_to method with both the target path and the options' do
59
+ Controller.redirect_to '/', notice: 'Back to home page'
42
60
  end
43
61
  end
44
62
 
45
- UNSAFE_PATHS.each do |path|
46
- it "considers #{path} an unsafe path" do
63
+ context 'whitelist_local is not set' do
64
+
65
+ before(:all) do
66
+ load_config
67
+ end
68
+
69
+ it_should_behave_like 'nonlocal hosts'
70
+
71
+ it 'considers local addresses as unsafe' do
72
+ path = 'http://127.0.0.1'
47
73
  expect(Controller.safe_path(path)).to eq(SafeRedirect.configuration.default_path)
48
74
  end
49
75
  end
50
76
 
51
- it 'filters host, port, and protocol options when hash is passed to safe_path' do
52
- hash = { host: 'yahoo.com', port: 80, protocol: 'https', controller: 'home', action: 'index' }
53
- safe_hash = { port: 80, protocol: 'https', controller: 'home', action: 'index' }
54
- expect(Controller.safe_path(hash)).to eq(safe_hash)
55
- end
77
+ context 'whitelist_local is set' do
78
+
79
+ before(:all) do
80
+ load_config true
81
+ end
56
82
 
57
- it 'can use redirect_to method with only the target path' do
58
- Controller.redirect_to '/'
59
- end
83
+ it_should_behave_like 'nonlocal hosts'
60
84
 
61
- it 'can use redirect_to method with both the target path and the options' do
62
- Controller.redirect_to '/', notice: 'Back to home page'
85
+ it 'considers local addresses as safe' do
86
+ path = 'http://127.0.0.1'
87
+ expect(Controller.safe_path(path)).to eq(path)
88
+ end
63
89
  end
64
90
  end
65
91
  end
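Review bot: The `whitelist_local is set` context turns the flag on in a before(:all) but never turns it off, so the process-wide SafeRedirect.configuration keeps whitelist_local = true for whatever example group runs next; the sibling context happens to reload the config, but that only holds for this file and this ordering. Adding `after(:all) { reset_config }` to both contexts (reset_config is defined in spec_helper.rb) makes each group self-contained. The new positive case only exercises `http://127.0.0.1`; the 10.x, 172.16-31.x, 192.168.x, `::1` and `localhost` alternatives of local_address? have no coverage in either context, and a negative case for a public hostname under the flag would pin down that it does not widen beyond private addresses. Style: `it_should_behave_like` is the older alias, `it_behaves_like` is RSpec's current spelling. The enclosing describe appears to close at the bottom of the hunk, while the SAFE_PATHS/UNSAFE_PATHS definitions it relies on begin above it.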
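--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -7,10 +7,11 @@ def reset_config
 SafeRedirect.reset_config
 end
 
-def load_config
+def load_config(whitelist_local = false)
 SafeRedirect.configure do |config|
 config.default_path = '/sdsdkkk'
 config.domain_whitelists = %w{www.twitter.com www.bukalapak.com *.foo.org}
+config.whitelist_local = whitelist_local
 end
 end
 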
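Review bot: `load_config(whitelist_local = false)` takes a bare boolean positional, so the call `load_config true` in safe_redirect_spec.rb does not say what is being switched on. A keyword argument reads better at the call site: `def load_config(whitelist_local: false)` with `load_config whitelist_local: true`. reset_config, whose body starts this hunk, is unchanged and remains the counterpart to this helper.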
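--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_redirect
 version: !ruby/object:Gem::Version
-version: 0.2.4
+version: 0.2.5
 platform: ruby
 authors:
 - Edwin Tunggawan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-01-09 00:00:00.000000000 Z
+date: 2017-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rspec
@@ -71,3 +71,4 @@ test_files:
 - spec/lib/safe_redirect/configuration_spec.rb
 - spec/lib/safe_redirect/safe_redirect_spec.rb
 - spec/spec_helper.rb
+has_rdoc: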