safe_redirect_rails 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 00230c02950156c12350b15c791eaaa6c86eface415a987d3ee7d832e5b3df6e
+  data.tar.gz: 2647132cb892ec055d91352f837e3d7f8881dcd7ee5d8268448652a796906b9c
+SHA512:
+  metadata.gz: 4816cd51aec868d4c9886061abf028c6f2141cb1ff1873611e362cb2d5992a0168391eaca7b70347bb82fe27a873ef1c0ba3bc21697e06bcfb4772df4f601143
+  data.tar.gz: 60dad28b40e0e5c710d2003fe6747b9863f481eb48da0f266884a8c7544b7207a69e0ef5dba5f05e34c2b4d069b2ca0908711dbb9ee1be7197f3fc08847f402c

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/standardrb/standard
+ruby_version: 2.6

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-03-21
+
+- Initial release

data/README.md

@@ -0,0 +1,32 @@
+# SafeRedirectRails
+
+TODO: Delete this and the text below, and describe your gem
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/safe_redirect_rails`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+## Installation
+
+TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/safe_redirect_rails.
+# safe_redirect_rails

data/Rakefile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "standard/rake"
+
+task default: :standard

data/lib/safe_redirect_rails/configuration.rb

@@ -0,0 +1,33 @@
+module SafeRedirectRails
+  class << self
+    attr_writer :configuration
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+  end
+
+  class Configuration
+    attr_accessor :default_path, :whitelist_local, :log
+    attr_reader :domain_whitelists
+
+    def initialize
+      self.default_path = '/'
+      self.whitelist_local = false
+      self.domain_whitelists = []
+      self.log = false
+    end
+
+    def domain_whitelists=(whitelists)
+      if whitelists.any?{ |w| w =~ /\*\z/ }
+        raise ArgumentError, "whitelisted domain cannot end with a glob (*)"
+      end
+
+      @domain_whitelists = whitelists
+    end
+  end
+end

data/lib/safe_redirect_rails/safe_redirect_rails.rb

@@ -0,0 +1,102 @@
+require 'uri'
+
+module SafeRedirectRails
+  extend self
+
+  def safe_domain?(uri)
+    return true if valid_uri?(uri)
+    return false if uri.host.nil?
+
+    SafeRedirectRails.configuration.domain_whitelists.any? do |domain|
+      if domain.include?("*")
+        rf = domain.split(/(\*)/).map{ |f| f == "*" ? "[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]?" : Regexp.escape(f) }
+        regexp = Regexp.new("\\A#{rf.join}\\z")
+
+        safe = uri.host.match(regexp)
+
+        # if domain starts with *. and contains no other wildcards, include the
+        # naked domain too (e.g. foo.org when *.foo.org is the whitelist)
+        if domain =~ /\A\*\.[^\*]+\z/
+          naked_domain = domain.gsub("*.", "")
+          safe || uri.host == naked_domain
+        else
+          safe
+        end
+      else
+        uri.host == domain
+      end
+    end
+  end
+
+  def safe_path(path)
+    case path
+    when String
+      clean_path(path)
+    when Hash
+      sanitize_hash(path)
+    else
+      path
+    end
+  end
+
+  def redirect_to(path, options={})
+    target = options[:safe] ? path : safe_path(path)
+
+    log("Unsafe redirect path modified to #{target} from #{path}", :warn) if target != path
+    
+    default_options = { allow_other_host: true }
+    merged_options = default_options.merge(options)
+    super target, default_options
+  rescue NoMethodError
+  end
+
+  private
+
+  def clean_path(path)
+    uri = URI.parse(path)
+    valid_path?(path) && safe_domain?(uri) ? path : SafeRedirectRails.configuration.default_path
+  rescue URI::InvalidURIError
+    SafeRedirectRails.configuration.default_path
+  end
+
+  def sanitize_hash(hash)
+    protocol = hash[:protocol] || 'http'
+    host = hash[:host]
+    uri = URI.parse("#{protocol}://#{host}")
+    hash.delete(:host) unless safe_domain?(uri)
+    hash
+  end
+
+  def valid_uri?(uri)
+    return true if uri.host && whitelist_local? && local_address?(uri.host)
+    return false unless uri.host.nil? && uri.scheme.nil?
+    return true if uri.path.nil? || uri.path =~ /^\//
+    false
+  end
+
+  def valid_path?(path)
+    path !~ /\/\/\//
+  end
+
+  def whitelist_local?
+    SafeRedirectRails.configuration.whitelist_local
+  end
+
+  # borrowed the regex from https://github.com/rack/rack/blob/ea9e7a570b7ffd8ac6845a9ebecdd7de0af6b0ca/lib/rack/request.rb#L420
+  def local_address?(host)
+    host =~ /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
+  end
+
+  def log(msg, level = :warn)
+    return unless (logger = SafeRedirectRails.configuration.log)
+
+    msg = "[#{Time.now}] SafeRedirectRails: #{msg}"
+
+    if logger.respond_to?(level)
+      logger.send(level, msg)
+    elsif defined?(Rails)
+      Rails.logger.send(level, msg)
+    end
+  end
+
+end

data/lib/safe_redirect_rails/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module SafeRedirectRails
+  VERSION = "0.1.0"
+end

data/lib/safe_redirect_rails.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require 'safe_redirect_rails/version'
+require 'safe_redirect_rails/safe_redirect_rails'
+require 'safe_redirect_rails/configuration'

data/safe_redirect_rails.gemspec

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "lib/safe_redirect_rails/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "safe_redirect_rails"
+  spec.version = SafeRedirectRails::VERSION
+  spec.authors = ["Tuan Pham"]
+  spec.email = ["tuanpt1702@gmail.com"]
+
+  spec.summary = "This gem provides a simple way to redirect to safe URLs"
+  spec.description = "This gem provides a simple way to redirect to safe URLs"
+  spec.required_ruby_version = ">= 2.6.0"
+  spec.metadata["homepage_uri"] = "https://github.com/JackoPham/safe_redirect_rails"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git .github appveyor Gemfile])
+    end
+  end
+end

data/sig/safe_redirect_rails.rbs

@@ -0,0 +1,4 @@
+module SafeRedirectRails
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification
+name: safe_redirect_rails
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Tuan Pham
+bindir: bin
+cert_chain: []
+date: 2025-03-21 00:00:00.000000000 Z
+dependencies: []
+description: This gem provides a simple way to redirect to safe URLs
+email:
+- tuanpt1702@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".standard.yml"
+- CHANGELOG.md
+- README.md
+- Rakefile
+- lib/safe_redirect_rails.rb
+- lib/safe_redirect_rails/configuration.rb
+- lib/safe_redirect_rails/safe_redirect_rails.rb
+- lib/safe_redirect_rails/version.rb
+- safe_redirect_rails.gemspec
+- sig/safe_redirect_rails.rbs
+licenses: []
+metadata:
+  homepage_uri: https://github.com/JackoPham/safe_redirect_rails
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.6
+specification_version: 4
+summary: This gem provides a simple way to redirect to safe URLs
+test_files: []