safe_redirect 0.2.4 → 0.2.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/safe_redirect/configuration.rb +2 -1
- data/lib/safe_redirect/safe_redirect.rb +10 -0
- data/lib/safe_redirect/version.rb +1 -1
- data/spec/lib/safe_redirect/configuration_spec.rb +11 -0
- data/spec/lib/safe_redirect/safe_redirect_spec.rb +45 -19
- data/spec/spec_helper.rb +2 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8ff898728ac428398f321deade8d5e2cf36f1631
|
|
4
|
+
data.tar.gz: 9c4e7f8d11df8507ba04f1ad85e1fb38d9da1e4f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7c92e3e71cfae64d3ca4e64f66b64bd2106aab23b5f4e6cb36a68059a7122063fc5227354cdae928f333baa589d61af2560eca54766b44b291f43bea71c7302c
|
|
7
|
+
data.tar.gz: fe073f08cee215ff1471d6b75e007ce6b3057ae0c735dab60c699b412b5c5a0b1f8dc29ccf30059eeb8afd622ed34f5917803da938d0e5602bb40f18418b0eca
|
|
@@ -12,11 +12,12 @@ module SafeRedirect
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
class Configuration
|
|
15
|
-
attr_accessor :default_path
|
|
15
|
+
attr_accessor :default_path, :whitelist_local
|
|
16
16
|
attr_reader :domain_whitelists
|
|
17
17
|
|
|
18
18
|
def initialize
|
|
19
19
|
self.default_path = '/'
|
|
20
|
+
self.whitelist_local = false
|
|
20
21
|
self.domain_whitelists = []
|
|
21
22
|
end
|
|
22
23
|
|
|
@@ -61,6 +61,7 @@ module SafeRedirect
|
|
|
61
61
|
end
|
|
62
62
|
|
|
63
63
|
def valid_uri?(uri)
|
|
64
|
+
return true if uri.host && whitelist_local? && local_address?(uri.host)
|
|
64
65
|
return false unless uri.host.nil? && uri.scheme.nil?
|
|
65
66
|
return true if uri.path.nil? || uri.path =~ /^\//
|
|
66
67
|
false
|
|
@@ -70,4 +71,13 @@ module SafeRedirect
|
|
|
70
71
|
path !~ /\/\/\//
|
|
71
72
|
end
|
|
72
73
|
|
|
74
|
+
def whitelist_local?
|
|
75
|
+
SafeRedirect.configuration.whitelist_local
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
# borrowed the regex from https://github.com/rack/rack/blob/ea9e7a570b7ffd8ac6845a9ebecdd7de0af6b0ca/lib/rack/request.rb#L420
|
|
79
|
+
def local_address?(host)
|
|
80
|
+
host =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
|
81
|
+
end
|
|
82
|
+
|
|
73
83
|
end
|
|
@@ -20,6 +20,10 @@ module SafeRedirect
|
|
|
20
20
|
expect(SafeRedirect.configuration.default_path).to eq('/')
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
+
it 'default whitelist_local is false' do
|
|
24
|
+
expect(SafeRedirect.configuration.whitelist_local).to eq(false)
|
|
25
|
+
end
|
|
26
|
+
|
|
23
27
|
it 'default domain_whitelists is []' do
|
|
24
28
|
expect(SafeRedirect.configuration.domain_whitelists).to eq([])
|
|
25
29
|
end
|
|
@@ -31,6 +35,13 @@ module SafeRedirect
|
|
|
31
35
|
expect(SafeRedirect.configuration.default_path).to eq('https://www.bukalapak.com')
|
|
32
36
|
end
|
|
33
37
|
|
|
38
|
+
it 'can update whitelist_local' do
|
|
39
|
+
SafeRedirect.configure do |config|
|
|
40
|
+
config.whitelist_local = true
|
|
41
|
+
end
|
|
42
|
+
expect(SafeRedirect.configuration.whitelist_local).to eq(true)
|
|
43
|
+
end
|
|
44
|
+
|
|
34
45
|
it 'can update domain_whitelists' do
|
|
35
46
|
SafeRedirect.configure do |config|
|
|
36
47
|
config.domain_whitelists = ['www.bukalapak.com']
|
|
@@ -5,10 +5,6 @@ module SafeRedirect
|
|
|
5
5
|
class Controller
|
|
6
6
|
extend SafeRedirect
|
|
7
7
|
end
|
|
8
|
-
|
|
9
|
-
before(:all) do
|
|
10
|
-
load_config
|
|
11
|
-
end
|
|
12
8
|
|
|
13
9
|
SAFE_PATHS = [
|
|
14
10
|
'https://www.bukalapak.com',
|
|
@@ -36,30 +32,60 @@ module SafeRedirect
|
|
|
36
32
|
"///bit.ly/1hqE77G",
|
|
37
33
|
]
|
|
38
34
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
35
|
+
shared_examples_for 'nonlocal hosts' do
|
|
36
|
+
SAFE_PATHS.each do |path|
|
|
37
|
+
it "considers #{path} a safe path" do
|
|
38
|
+
expect(Controller.safe_path(path)).to eq(path)
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
UNSAFE_PATHS.each do |path|
|
|
43
|
+
it "considers #{path} an unsafe path" do
|
|
44
|
+
expect(Controller.safe_path(path)).to eq(SafeRedirect.configuration.default_path)
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
it 'filters host, port, and protocol options when hash is passed to safe_path' do
|
|
49
|
+
hash = { host: 'yahoo.com', port: 80, protocol: 'https', controller: 'home', action: 'index' }
|
|
50
|
+
safe_hash = { port: 80, protocol: 'https', controller: 'home', action: 'index' }
|
|
51
|
+
expect(Controller.safe_path(hash)).to eq(safe_hash)
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
it 'can use redirect_to method with only the target path' do
|
|
55
|
+
Controller.redirect_to '/'
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
it 'can use redirect_to method with both the target path and the options' do
|
|
59
|
+
Controller.redirect_to '/', notice: 'Back to home page'
|
|
42
60
|
end
|
|
43
61
|
end
|
|
44
62
|
|
|
45
|
-
|
|
46
|
-
|
|
63
|
+
context 'whitelist_local is not set' do
|
|
64
|
+
|
|
65
|
+
before(:all) do
|
|
66
|
+
load_config
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
it_should_behave_like 'nonlocal hosts'
|
|
70
|
+
|
|
71
|
+
it 'considers local addresses as unsafe' do
|
|
72
|
+
path = 'http://127.0.0.1'
|
|
47
73
|
expect(Controller.safe_path(path)).to eq(SafeRedirect.configuration.default_path)
|
|
48
74
|
end
|
|
49
75
|
end
|
|
50
76
|
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
77
|
+
context 'whitelist_local is set' do
|
|
78
|
+
|
|
79
|
+
before(:all) do
|
|
80
|
+
load_config true
|
|
81
|
+
end
|
|
56
82
|
|
|
57
|
-
|
|
58
|
-
Controller.redirect_to '/'
|
|
59
|
-
end
|
|
83
|
+
it_should_behave_like 'nonlocal hosts'
|
|
60
84
|
|
|
61
|
-
|
|
62
|
-
|
|
85
|
+
it 'considers local addresses as safe' do
|
|
86
|
+
path = 'http://127.0.0.1'
|
|
87
|
+
expect(Controller.safe_path(path)).to eq(path)
|
|
88
|
+
end
|
|
63
89
|
end
|
|
64
90
|
end
|
|
65
91
|
end
|
data/spec/spec_helper.rb
CHANGED
|
@@ -7,10 +7,11 @@ def reset_config
|
|
|
7
7
|
SafeRedirect.reset_config
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
-
def load_config
|
|
10
|
+
def load_config(whitelist_local = false)
|
|
11
11
|
SafeRedirect.configure do |config|
|
|
12
12
|
config.default_path = '/sdsdkkk'
|
|
13
13
|
config.domain_whitelists = %w{www.twitter.com www.bukalapak.com *.foo.org}
|
|
14
|
+
config.whitelist_local = whitelist_local
|
|
14
15
|
end
|
|
15
16
|
end
|
|
16
17
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_redirect
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Edwin Tunggawan
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-06-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rspec
|
|
@@ -71,3 +71,4 @@ test_files:
|
|
|
71
71
|
- spec/lib/safe_redirect/configuration_spec.rb
|
|
72
72
|
- spec/lib/safe_redirect/safe_redirect_spec.rb
|
|
73
73
|
- spec/spec_helper.rb
|
|
74
|
+
has_rdoc:
|