safe_redirect 0.2.5 → 0.2.6
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/lib/safe_redirect/configuration.rb +2 -1
- data/lib/safe_redirect/safe_redirect.rb +16 -1
- data/lib/safe_redirect/version.rb +1 -1
- data/spec/lib/safe_redirect/configuration_spec.rb +11 -0
- data/spec/lib/safe_redirect/safe_redirect_spec.rb +21 -3
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fbe525b948ca963bb961d0b4c64922cb54253447
|
4
|
+
data.tar.gz: 2e36dfc92789eec066bfedc3552504110c8c3c0b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d30be6e5be4553647b399c30d20113f4c5619be63fb292075f0499ce23a738174dce4a4df782aa120d4c1c26a3f90eee840d730d371cb9048c3722785e01f701
|
7
|
+
data.tar.gz: a2070726d6a1f985363f377b45cbbd756f9f9f5d83b9fa85a4dcd7bda0e517522efbf400f8f6a407dbcdcec5ff55034235fec8022d5eb347ab1489db02010cf9
|
data/README.md
CHANGED
@@ -18,6 +18,7 @@ Create a `config/initializer/safe_redirect.rb` file.
|
|
18
18
|
SafeRedirect.configure do |config|
|
19
19
|
config.default_path = 'https://www.yahoo.com' # default value: '/'
|
20
20
|
config.domain_whitelists = ['www.google.com'] # default value: []
|
21
|
+
config.log = Rails.env.development? # default value: false
|
21
22
|
end
|
22
23
|
```
|
23
24
|
|
@@ -12,13 +12,14 @@ module SafeRedirect
|
|
12
12
|
end
|
13
13
|
|
14
14
|
class Configuration
|
15
|
-
attr_accessor :default_path, :whitelist_local
|
15
|
+
attr_accessor :default_path, :whitelist_local, :log
|
16
16
|
attr_reader :domain_whitelists
|
17
17
|
|
18
18
|
def initialize
|
19
19
|
self.default_path = '/'
|
20
20
|
self.whitelist_local = false
|
21
21
|
self.domain_whitelists = []
|
22
|
+
self.log = false
|
22
23
|
end
|
23
24
|
|
24
25
|
def domain_whitelists=(whitelists)
|
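Review bot: The new `log` accessor on line 135 accepts any value, and the rest of this release relies on two different shapes for it: the README sets it to a boolean (`Rails.env.development?`) while the spec assigns a `Logger`, and a bare `true` only produces output where `Rails` is defined (the `elsif defined?(Rails)` branch of the new `log` method) and is silently ignored otherwise. That contract should be stated on the accessor, e.g. `# log: false (default) disables logging; an object responding to the log level (e.g. a Logger) is used directly; any other truthy value falls back to Rails.logger when Rails is loaded.` A `log=` writer that rejects values that are neither boolean nor respond to `:warn`, in the spirit of the existing `domain_whitelists=` writer at line 183, would surface misconfiguration at configure time instead of at the first unsafe redirect.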
@@ -7,7 +7,7 @@ module SafeRedirect
|
|
7
7
|
|
8
8
|
SafeRedirect.configuration.domain_whitelists.any? do |domain|
|
9
9
|
if domain.include?("*")
|
10
|
-
rf = domain.split(/(\*)/).map{ |f| f == "*" ? "
|
10
|
+
rf = domain.split(/(\*)/).map{ |f| f == "*" ? "[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]?" : Regexp.escape(f) }
|
11
11
|
regexp = Regexp.new("\\A#{rf.join}\\z")
|
12
12
|
|
13
13
|
safe = uri.host.match(regexp)
|
@@ -39,6 +39,9 @@ module SafeRedirect
|
|
39
39
|
|
40
40
|
def redirect_to(path, options={})
|
41
41
|
target = options[:safe] ? path : safe_path(path)
|
42
|
+
|
43
|
+
log("Unsafe redirect path modified to #{target} from #{path}", :warn) if target != path
|
44
|
+
|
42
45
|
super target, options
|
43
46
|
rescue NoMethodError
|
44
47
|
end
|
@@ -80,4 +83,16 @@ module SafeRedirect
|
|
80
83
|
host =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
81
84
|
end
|
82
85
|
|
86
|
+
def log(msg, level = :warn)
|
87
|
+
return unless (logger = SafeRedirect.configuration.log)
|
88
|
+
|
89
|
+
msg = "[#{Time.now}] SafeRedirect: #{msg}"
|
90
|
+
|
91
|
+
if logger.respond_to?(level)
|
92
|
+
logger.send(level, msg)
|
93
|
+
elsif defined?(Rails)
|
94
|
+
Rails.logger.send(level, msg)
|
95
|
+
end
|
96
|
+
end
|
97
|
+
|
83
98
|
end
|
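Review bot: The message built on line 250 interpolates the raw `path` — the very value `safe_path` is sanitising — so a path containing CR/LF splits the entry into extra, forged log lines; `log("Unsafe redirect path modified to #{target} from #{path.inspect}", :warn) if target != path` keeps the whole entry on one line. Because the `rescue NoMethodError` on line 264 spans the entire body of `redirect_to`, it now also covers this `log` call, which runs before `super`: a NoMethodError raised inside `log` (for example `Rails.logger` being nil on the `defined?(Rails)` branch at line 324) skips the redirect itself rather than just the log entry, so either guard that branch with `Rails.logger&.public_send(level, msg)` or narrow the rescue so it wraps only the `super` call. In `log`, `public_send` is in any case preferable to `send` for a caller-supplied level symbol, since it cannot reach private methods. Whether `log` ends up under a `private` marker is not visible in the hunk; as a helper mixed into a controller it should not be public, because public controller methods are candidates for action dispatch.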
@@ -28,6 +28,10 @@ module SafeRedirect
|
|
28
28
|
expect(SafeRedirect.configuration.domain_whitelists).to eq([])
|
29
29
|
end
|
30
30
|
|
31
|
+
it 'default log is false' do
|
32
|
+
expect(SafeRedirect.configuration.log).to eq(false)
|
33
|
+
end
|
34
|
+
|
31
35
|
it 'can update default_path' do
|
32
36
|
SafeRedirect.configure do |config|
|
33
37
|
config.default_path = 'https://www.bukalapak.com'
|
@@ -48,5 +52,12 @@ module SafeRedirect
|
|
48
52
|
end
|
49
53
|
expect(SafeRedirect.configuration.domain_whitelists).to eq(['www.bukalapak.com'])
|
50
54
|
end
|
55
|
+
|
56
|
+
it 'can update log' do
|
57
|
+
SafeRedirect.configure do |config|
|
58
|
+
config.log = true
|
59
|
+
end
|
60
|
+
expect(SafeRedirect.configuration.log).to eq(true)
|
61
|
+
end
|
51
62
|
end
|
52
63
|
end
|
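Review bot: `expect(SafeRedirect.configuration.log).to eq(false)` on line 375 (and `eq(true)` on line 446) compares with `==`, whereas `be(false)` / `be(true)` state the intended identity check for a boolean flag and read more precisely. The 'can update log' example also leaves `config.log = true` in the shared configuration; if the suite does not rebuild the configuration between examples (not visible here), later examples inherit that value.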
@@ -1,8 +1,16 @@
|
|
1
1
|
require 'spec_helper'
|
2
|
+
require 'stringio'
|
3
|
+
require 'logger'
|
2
4
|
|
3
5
|
module SafeRedirect
|
4
6
|
describe SafeRedirect do
|
5
|
-
class
|
7
|
+
class BaseController
|
8
|
+
def redirect_to(*)
|
9
|
+
# test stub
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
class Controller < BaseController
|
6
14
|
extend SafeRedirect
|
7
15
|
end
|
8
16
|
|
@@ -12,6 +20,7 @@ module SafeRedirect
|
|
12
20
|
'/foobar',
|
13
21
|
'http://www.twitter.com',
|
14
22
|
'http://blah.foo.org',
|
23
|
+
'http://bl-ah.foo.org',
|
15
24
|
'http://foo.org',
|
16
25
|
'http://foo.org/',
|
17
26
|
:back,
|
@@ -58,10 +67,19 @@ module SafeRedirect
|
|
58
67
|
it 'can use redirect_to method with both the target path and the options' do
|
59
68
|
Controller.redirect_to '/', notice: 'Back to home page'
|
60
69
|
end
|
70
|
+
|
71
|
+
it 'can log violations' do
|
72
|
+
log_io = StringIO.new
|
73
|
+
SafeRedirect.configure{ |config| config.log = Logger.new(log_io) }
|
74
|
+
|
75
|
+
Controller.redirect_to(UNSAFE_PATHS.first)
|
76
|
+
|
77
|
+
expect(log_io.size).not_to eq(0)
|
78
|
+
end
|
61
79
|
end
|
62
80
|
|
63
81
|
context 'whitelist_local is not set' do
|
64
|
-
|
82
|
+
|
65
83
|
before(:all) do
|
66
84
|
load_config
|
67
85
|
end
|
@@ -75,7 +93,7 @@ module SafeRedirect
|
|
75
93
|
end
|
76
94
|
|
77
95
|
context 'whitelist_local is set' do
|
78
|
-
|
96
|
+
|
79
97
|
before(:all) do
|
80
98
|
load_config true
|
81
99
|
end
|
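Review bot: The `BaseController#redirect_to(*)` stub added on lines 503–523 is an instance method, but `Controller` picks up `SafeRedirect` through `extend` and the examples call `Controller.redirect_to` at class level, so as far as the spec shows `super` inside `SafeRedirect#redirect_to` never reaches the stub and still ends in the `rescue NoMethodError`; defining it as `def self.redirect_to(*)` (or including the module and testing on an instance) would let the examples actually confirm that `super` receives the sanitised target. In 'can log violations' (line 611), `expect(log_io.size).not_to eq(0)` only proves that something was written; `expect(log_io.string).to include(UNSAFE_PATHS.first)` would pin the message content as well. That example also leaves `config.log` set to the `Logger`, which leaks into later examples unless `load_config` (body not visible here) rebuilds the configuration.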
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: safe_redirect
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Edwin Tunggawan
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-10-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rspec
|