safe_redirect 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/safe_redirect/safe_redirect.rb +12 -14
- data/lib/safe_redirect/version.rb +1 -1
- data/spec/lib/safe_redirect/safe_redirect_spec.rb +9 -4
- metadata +2 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 432d56c2fe2e256b7040f00a82822d9778ef257c
|
4
|
+
data.tar.gz: 4cd2ccdf44e92e79d613b5ad960b81f486a80009
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e615e2700b962aae967a8894aef1af26484d5ccf7ba1b4c8868090ea49f426f9007ec0e5950f93dc20cb7624049c3d0129fe963470be00073da1f741de92b023
|
7
|
+
data.tar.gz: 71d7558aac96b2a794daf3edb895998b8321b4e03fbde1ed182964612171d8252469034d6927ebc483b7a7b04b682466fd16da987c31c3be71321ba27ce9e2fb
|
data/README.md
CHANGED
@@ -27,7 +27,7 @@ Add this line to the controllers you wish to secure from open redirection.
|
|
27
27
|
include SafeRedirect
|
28
28
|
```
|
29
29
|
|
30
|
-
The `redirect_to` method provided by Rails will be
|
30
|
+
The `redirect_to` method provided by Rails will be overridden by `safe_redirect`'s `redirect_to` method.
|
31
31
|
|
32
32
|
```rb
|
33
33
|
redirect_to 'https://www.google.com' # => redirects to https://www.google.com
|
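--- a/data/lib/safe_redirect/safe_redirect.rb
+++ b/data/lib/safe_redirect/safe_redirect.rb
@@ -1,16 +1,16 @@
+require 'uri'
+
 module SafeRedirect
-def safe_domain?(
-
-SafeRedirect.configuration.domain_whitelists.
-path =~ /^https?:\/\/#{Regexp.escape(w)}($|\/.*)/i
-end
+def safe_domain?(uri)
+return true if uri.host.nil? && uri.scheme.nil?
+SafeRedirect.configuration.domain_whitelists.include?(uri.host)
 end
 
 def safe_path(path)
-case
-when
+case path
+when String
 clean_path(path)
-when
+when Symbol, Hash
 path
 else
 SafeRedirect.configuration.default_path
@@ -26,11 +26,9 @@ module SafeRedirect
 private
 
 def clean_path(path)
-
-
-
-
-end
-stripped_path.empty? ? '/' : stripped_path
+uri = URI.parse(path)
+safe_domain?(uri) ? path : '/'
+rescue URI::InvalidURIError
+'/'
 end
 end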
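Review bot: The rewritten `safe_domain?` in the first hunk accepts any scheme once `uri.host` is whitelisted, whereas the removed regex only matched `https?://`, so a whitelisted host under a non-web scheme now passes straight through `clean_path`; the old constraint can be restored after the relative-path guard with `return false unless %w[http https].include?(uri.scheme)`. The `include?(uri.host)` comparison is also exact while the old pattern carried `/i`, so a lower-case whitelist entry no longer matches a host written in upper case — if that tightening is intended it deserves a comment, otherwise compare `uri.host.downcase` against a downcased whitelist. In the second hunk `clean_path` falls back to the literal `'/'` in both the unsafe and the rescue branch, while `safe_path` a few lines above uses `SafeRedirect.configuration.default_path` for its fallback; using the configured default in both places keeps the behaviour consistent. `safe_path` continues past the end of the first hunk.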
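--- a/data/spec/lib/safe_redirect/safe_redirect_spec.rb
+++ b/data/spec/lib/safe_redirect/safe_redirect_spec.rb
@@ -13,15 +13,20 @@ module SafeRedirect
 SAFE_PATHS = [
 'https://www.bukalapak.com',
 '/',
+'/foobar',
 'http://www.twitter.com',
 :back,
 { controller: 'home', action: 'index' }
 ]
 
-UNSAFE_PATHS =
-
-
-
+UNSAFE_PATHS = [
+"https://www.bukalapak.com@google.com",
+"http://////@@@@@@attacker.com//evil.com",
+"//bukalapak.com%25%40%25%40%25%40%25%40%25%40%25%40%25%40evil.com",
+"%@%@%@%@%@%@%@%@%@%@evil.com",
+"https://www-bukalapak.com",
+"https://www.bukalapak.com\n.evil.com",
+]
 
 SAFE_PATHS.each do |path|
 it "considers #{path} a safe path" do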
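Review bot: The new UNSAFE_PATHS entries cover user-info and percent-encoding confusion but none of them reaches the `rescue URI::InvalidURIError` branch that 0.2.1 adds to `clean_path` (an entry containing a space would), and none pins how a whitelisted host under a scheme other than http/https is treated, which the rewritten `safe_domain?` appears to accept; both are worth an explicit expectation here. A protocol-relative entry such as `"//www.bukalapak.com"` would likewise document which way the new `host.nil? && scheme.nil?` guard classifies it. As style nits, the trailing comma before the closing `]` and the switch to double quotes (SAFE_PATHS uses single quotes) are inconsistent with the surrounding spec; only the `\n` entry needs double quotes. The enclosing describe block starts and ends outside this hunk.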
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: safe_redirect
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Edwin Tunggawan
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-08-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rspec
|
@@ -71,4 +71,3 @@ test_files:
|
|
71
71
|
- spec/lib/safe_redirect/configuration_spec.rb
|
72
72
|
- spec/lib/safe_redirect/safe_redirect_spec.rb
|
73
73
|
- spec/spec_helper.rb
|
74
|
-
has_rdoc:
|