safe_redirect 0.2.5 → 0.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8ff898728ac428398f321deade8d5e2cf36f1631
-  data.tar.gz: 9c4e7f8d11df8507ba04f1ad85e1fb38d9da1e4f
+  metadata.gz: fbe525b948ca963bb961d0b4c64922cb54253447
+  data.tar.gz: 2e36dfc92789eec066bfedc3552504110c8c3c0b
 SHA512:
-  metadata.gz: 7c92e3e71cfae64d3ca4e64f66b64bd2106aab23b5f4e6cb36a68059a7122063fc5227354cdae928f333baa589d61af2560eca54766b44b291f43bea71c7302c
-  data.tar.gz: fe073f08cee215ff1471d6b75e007ce6b3057ae0c735dab60c699b412b5c5a0b1f8dc29ccf30059eeb8afd622ed34f5917803da938d0e5602bb40f18418b0eca
+  metadata.gz: d30be6e5be4553647b399c30d20113f4c5619be63fb292075f0499ce23a738174dce4a4df782aa120d4c1c26a3f90eee840d730d371cb9048c3722785e01f701
+  data.tar.gz: a2070726d6a1f985363f377b45cbbd756f9f9f5d83b9fa85a4dcd7bda0e517522efbf400f8f6a407dbcdcec5ff55034235fec8022d5eb347ab1489db02010cf9

data/README.md

@@ -18,6 +18,7 @@ Create a `config/initializer/safe_redirect.rb` file.
 SafeRedirect.configure do |config|
   config.default_path = 'https://www.yahoo.com' # default value: '/'
   config.domain_whitelists = ['www.google.com'] # default value: []
+  config.log = Rails.env.development?           # default value: false
 end
 ```
 

data/lib/safe_redirect/configuration.rb

@@ -12,13 +12,14 @@ module SafeRedirect
   end
 
   class Configuration
-    attr_accessor :default_path, :whitelist_local
+    attr_accessor :default_path, :whitelist_local, :log
     attr_reader :domain_whitelists
 
     def initialize
       self.default_path = '/'
       self.whitelist_local = false
       self.domain_whitelists = []
+      self.log = false
     end
 
     def domain_whitelists=(whitelists)

data/lib/safe_redirect/safe_redirect.rb

@@ -7,7 +7,7 @@ module SafeRedirect
 
     SafeRedirect.configuration.domain_whitelists.any? do |domain|
       if domain.include?("*")
-        rf = domain.split(/(\*)/).map{ |f| f == "*" ? "\\w*" : Regexp.escape(f) }
+        rf = domain.split(/(\*)/).map{ |f| f == "*" ? "[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]?" : Regexp.escape(f) }
         regexp = Regexp.new("\\A#{rf.join}\\z")
 
         safe = uri.host.match(regexp)
@@ -39,6 +39,9 @@ module SafeRedirect
 
   def redirect_to(path, options={})
     target = options[:safe] ? path : safe_path(path)
+
+    log("Unsafe redirect path modified to #{target} from #{path}", :warn) if target != path
+
     super target, options
   rescue NoMethodError
   end
@@ -80,4 +83,16 @@ module SafeRedirect
     host =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
   end
 
+  def log(msg, level = :warn)
+    return unless (logger = SafeRedirect.configuration.log)
+
+    msg = "[#{Time.now}] SafeRedirect: #{msg}"
+
+    if logger.respond_to?(level)
+      logger.send(level, msg)
+    elsif defined?(Rails)
+      Rails.logger.send(level, msg)
+    end
+  end
+
 end

data/lib/safe_redirect/version.rb

@@ -1,3 +1,3 @@
 module SafeRedirect
-  VERSION = '0.2.5'
+  VERSION = '0.2.6'
 end

data/spec/lib/safe_redirect/configuration_spec.rb

@@ -28,6 +28,10 @@ module SafeRedirect
       expect(SafeRedirect.configuration.domain_whitelists).to eq([])
     end
 
+    it 'default log is false' do
+      expect(SafeRedirect.configuration.log).to eq(false)
+    end
+
     it 'can update default_path' do
       SafeRedirect.configure do |config|
         config.default_path = 'https://www.bukalapak.com'
@@ -48,5 +52,12 @@ module SafeRedirect
       end
       expect(SafeRedirect.configuration.domain_whitelists).to eq(['www.bukalapak.com'])
     end
+
+    it 'can update log' do
+      SafeRedirect.configure do |config|
+        config.log = true
+      end
+      expect(SafeRedirect.configuration.log).to eq(true)
+    end
   end
 end

data/spec/lib/safe_redirect/safe_redirect_spec.rb

@@ -1,8 +1,16 @@
 require 'spec_helper'
+require 'stringio'
+require 'logger'
 
 module SafeRedirect
   describe SafeRedirect do
-    class Controller
+    class BaseController
+      def redirect_to(*)
+        # test stub
+      end
+    end
+
+    class Controller < BaseController
       extend SafeRedirect
     end
 
@@ -12,6 +20,7 @@ module SafeRedirect
       '/foobar',
       'http://www.twitter.com',
       'http://blah.foo.org',
+      'http://bl-ah.foo.org',
       'http://foo.org',
       'http://foo.org/',
       :back,
@@ -58,10 +67,19 @@ module SafeRedirect
       it 'can use redirect_to method with both the target path and the options' do
         Controller.redirect_to '/', notice: 'Back to home page'
       end
+
+      it 'can log violations' do
+        log_io = StringIO.new
+        SafeRedirect.configure{ |config| config.log = Logger.new(log_io) }
+
+        Controller.redirect_to(UNSAFE_PATHS.first)
+
+        expect(log_io.size).not_to eq(0)
+      end
     end
 
     context 'whitelist_local is not set' do
-  
+
       before(:all) do
         load_config
       end
@@ -75,7 +93,7 @@ module SafeRedirect
     end
 
     context 'whitelist_local is set' do
-  
+
       before(:all) do
         load_config true
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_redirect
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.2.6
 platform: ruby
 authors:
 - Edwin Tunggawan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-15 00:00:00.000000000 Z
+date: 2017-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec