safe_redirection 0.0.1

data/Gemfile

@@ -0,0 +1,2 @@
+source "http://rubygems.org"
+gemspec

data/Gemfile.lock

@@ -0,0 +1,36 @@
+PATH
+  remote: .
+  specs:
+    safe_redirection (0.0.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    builder (3.0.0)
+    cucumber (1.2.1)
+      builder (>= 2.1.2)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 2.11.0)
+      json (>= 1.4.6)
+    diff-lcs (1.1.3)
+    gherkin (2.11.1)
+      json (>= 1.4.6)
+    json (1.7.3)
+    rake (0.9.2.2)
+    rspec (2.11.0)
+      rspec-core (~> 2.11.0)
+      rspec-expectations (~> 2.11.0)
+      rspec-mocks (~> 2.11.0)
+    rspec-core (2.11.0)
+    rspec-expectations (2.11.1)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.11.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  cucumber
+  rake
+  rspec
+  safe_redirection!

data/README.md

@@ -0,0 +1,46 @@
+# SafeRedirection
+
+SafeRedirection allows you to easily sanitize your URLs.
+
+## Getting started
+
+```ruby
+require 'safe_redirection'
+
+class MyResolver < SafeRedirection::Resolvers::Resolver
+  def recognize_path(path, options = {})
+    if path =~ /^special/
+      "http://my.app.tld/special_page"
+    else
+      raise 'Not found'
+    end
+  end
+end
+
+resolver = MyResolver.new
+my_sanitizer = SafeRedirection::Sanitizer.new(resolver, 'http://my.app.tld/root/path/', 'http://my.app.tld/root/path/default_url')
+
+my_sanitizer.safe_url_for 'http://www.outside.tld/some/path'
+# => "http://my.app.tld/root/path/default_url"
+my_sanitizer.safe_url_for 'http://my.app.tld/root/path/special/subpath'
+# => "http://my.app.tld/special_page"
+my_sanitizer.safe_url_for 'ftp://my.app.tld/root/path/special/subpath'
+# => "http://my.app.tld/root/path/default_url"
+my_sanitizer.safe_url_for 'http://my.app.tld2/root/path/special/subpath'
+# => "http://my.app.tld/special_page"
+```
+
+Everything that responds to `recognize_path` could be a resolver and guess what! `ActionController::Routing::Routes` with Rails 2.x and `MyApplication::Application.routes` in Rails 3.x do respond to this method. It can therefore be used as a resolver in a code like this :
+
+```ruby
+resolver = SafeRedirection::Resolvers::ExceptionsResolver.new(MyApplication::Application.routes)
+resolver.legitimate_base_urls << "http://www.outsite.tld/"
+sanitizer = SafeRedirection::Sanitizer.new(resolver, 'http://my.app.tld/', 'http://my.app.tld/')
+
+sanitizer.safe_url_for "http://my.app.tld/articles/2"
+# => { :controller => "articles", :action => "show", :id => 2 }
+sanitizer.safe_url_for "http://www.outside.tld/path"
+# => "http://www.outside.tld/path"
+sanitizer.safe_url_fo "http://www.outside.but_somewhere_else.com/"
+# => "http://my.app.tld/"
+```

data/Rakefile

@@ -0,0 +1,17 @@
+require "cucumber/rake/task"
+require "rspec/core/rake_task"
+
+$:.unshift File.expand_path('lib', __FILE__)
+
+Cucumber::Rake::Task.new(:cucumber) do |task|
+end
+
+namespace :cucumber do
+  Cucumber::Rake::Task.new(:wip) do |task|
+    task.cucumber_opts = %w{--tags @wip}
+  end
+end
+
+RSpec::Core::RakeTask.new do |t|
+  t.rspec_opts = '--color'
+end

data/example.rb

@@ -0,0 +1,20 @@
+$:.unshift File.expand_path('lib', File.dirname(__FILE__))
+require 'safe_redirection'
+
+class MyResolver < SafeRedirection::Resolvers::Resolver
+  def recognize_path(path, options = {})
+    if path =~ /^special/
+      "http://my.app.tld/special_page"
+    else
+      raise 'Not found'
+    end
+  end
+end
+
+resolver = MyResolver.new
+my_sanitizer = SafeRedirection::Sanitizer.new(resolver, 'http://my.app.tld/root/path/', 'http://my.app.tld/root/path/default_url')
+
+puts my_sanitizer.safe_url_for('http://www.outside.tld/some/path')
+puts my_sanitizer.safe_url_for('http://my.app.tld/root/path/special/subpath')
+puts my_sanitizer.safe_url_for('ftp://my.app.tld/root/path/special/subpath')
+puts my_sanitizer.safe_url_for('http://my.app.tld2/root/path/special/subpath')

data/lib/safe_redirection/constants.rb

@@ -0,0 +1,3 @@
+module SafeRedirection
+  VERSION = '0.0.1'
+end

data/lib/safe_redirection/resolvers/exceptions_resolver.rb

@@ -0,0 +1,22 @@
+module SafeRedirection
+  module Resolvers
+    class ExceptionsResolver < Resolver
+      attr_accessor :legitimate_urls, :legitimate_base_urls
+
+      def initialize(*args)
+        super(*args)
+        @legitimate_urls = []
+        @legitimate_base_urls = []
+      end
+
+      def recognize_path(path, options = {})
+        if self.legitimate_urls.include?(path) ||
+            self.legitimate_base_urls.any? { |base| path.start_with? base }
+          path
+        else
+          resolver.recognize_path path, options
+        end
+      end
+    end
+  end
+end

data/lib/safe_redirection/resolvers/resolver.rb

@@ -0,0 +1,15 @@
+module SafeRedirection
+  module Resolvers
+    class Resolver
+      attr_accessor :resolver
+
+      def initialize(resolver = nil)
+        @resolver = resolver
+      end
+
+      def recognize_path(*args)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/safe_redirection/resolvers.rb

@@ -0,0 +1,2 @@
+require 'safe_redirection/resolvers/resolver'
+require 'safe_redirection/resolvers/exceptions_resolver'

data/lib/safe_redirection/sanitizer.rb

@@ -0,0 +1,30 @@
+module SafeRedirection
+  class Sanitizer
+    attr_accessor :resolver, :base_url, :default_url
+
+    def initialize(resolver, base_url, default_url)
+      @resolver = resolver
+      @base_url = base_url
+      @default_url = default_url
+    end
+
+    def safe_url_for(redirect_url)
+      uri = URI(redirect_url)
+      path = relative_path(uri.path)
+
+      if %w{http https}.include? uri.scheme
+        resolver.recognize_path(path, :method => :get) rescue default_url
+      else
+        default_url
+      end
+    end
+
+    def base_path
+      URI(base_url).path
+    end
+
+    def relative_path(path)
+      path.start_with?(base_path) ? path.sub(base_path, '') : path
+    end
+  end
+end

data/lib/safe_redirection.rb

@@ -0,0 +1,8 @@
+require 'uri'
+
+require 'safe_redirection/constants'
+require 'safe_redirection/sanitizer'
+require 'safe_redirection/resolvers'
+
+module SafeRedirection
+end

data/safe_redirection.gemspec

@@ -0,0 +1,21 @@
+$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
+require "safe_redirection/constants"
+
+Gem::Specification.new do |s|
+  s.name = "safe_redirection"
+  s.version = SafeRedirection::VERSION
+  s.authors = ["Thomas Feron"]
+  s.description = "A small library for sanitization of URLs for redirections in Rails"
+  s.summary = "safe_redirection-#{s.version}"
+  s.email = "tho.feron@gmail.com"
+
+  s.platform = Gem::Platform::RUBY
+
+  s.add_development_dependency "rake"
+  s.add_development_dependency "cucumber"
+  s.add_development_dependency "rspec"
+
+  s.files = `git ls-files`.split("\n").reject { |path| path =~ /\.gitignore$/ }
+  s.test_files = `git ls-files -- {spec,features}/*`.split("\n")
+  s.require_path = "lib"
+end

data/spec/lib/safe_redirection/resolvers/exceptions_resolver_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe SafeRedirection::Resolvers::ExceptionsResolver do
+  let(:resolver) { double('resolver') }
+
+  subject { SafeRedirection::Resolvers::ExceptionsResolver.new(resolver) }
+
+  describe "#recognize_path" do
+    it "should delegate to the resolver" do
+      resolver.should_receive(:recognize_path)
+      subject.recognize_path("http://test.tld/some/path")
+    end
+
+    context "with a legitimate URL" do
+      it "should return this URL" do
+        legitimate_url = "http://else.where/far/far/away"
+        subject.legitimate_urls << legitimate_url
+        subject.recognize_path(legitimate_url).should == legitimate_url
+      end
+    end
+
+    context "with a legitimate base URL" do
+      it "should return the URL passed" do
+        legitimate_base_url = "http://else.where/far/"
+        legitimate_url = "#{legitimate_base_url}far/away"
+        subject.legitimate_base_urls << legitimate_base_url
+        subject.recognize_path(legitimate_url).should == legitimate_url
+      end
+    end
+  end
+end

data/spec/lib/safe_redirection/sanitizer_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe SafeRedirection::Sanitizer do
+  let(:resolver) { double('resolver') }
+  let(:base_url) { "http://test.tld/" }
+  let(:default_url) { "http://test.tld/default" }
+
+  subject { SafeRedirection::Sanitizer.new(resolver, base_url, default_url) }
+
+  describe '#safe_url_for' do
+    context "with a valid URL" do
+      let(:valid_url) { "http://test.tld/valid" }
+      let(:params) { { :controller => 'home', :action => 'valid' } }
+
+      it "should return this very URL" do
+        resolver.should_receive(:recognize_path).with('valid', anything).and_return(params)
+        subject.safe_url_for(valid_url).should == params
+      end
+    end
+
+    context "with an invalid URL" do
+      it "should return the default URL" do
+        resolver.should_receive(:recognize_path).with('rubbish', anything).and_raise('ActionController::RoutingError')
+        subject.safe_url_for("http://test.tld/rubbish").should == default_url
+      end
+
+      it "should return the default URL with a non-HTTP(s) scheme" do
+        subject.safe_url_for("ftp://test.tld/").should == default_url
+      end
+    end
+
+    context "when the application is not at the root" do
+      let(:base_url) { "http://test.tld/some/path/" }
+
+      it "should try to resolve the subpath" do
+        resolver.should_receive(:recognize_path).with('subpath', anything)
+        subject.safe_url_for('http://test.tld/some/path/subpath')
+      end
+    end
+  end
+
+  describe "#relative_path" do
+    let(:base_url) { "http://test.tld/in/so.me/path/" }
+
+    it "should strip the base path" do
+      subject.relative_path('/in/so.me/path/subpath').should == 'subpath'
+    end
+
+    it "should not strip it if it's not in the beginning" do
+      path = '/not/in/so.me/path/subpath'
+      subject.relative_path(path).should == path
+    end
+
+    it "should not interpret regular expressions in the base URL's path" do
+      path = '/in/soZme/path/subpath'
+      subject.relative_path(path).should == path
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+$:.unshift File.join(File.dirname(__FILE__), '..', 'lib')
+
+require 'safe_redirection'

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification
+name: safe_redirection
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Thomas Feron
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A small library for sanitization of URLs for redirections in Rails
+email: tho.feron@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- example.rb
+- features/support/env.rb
+- lib/safe_redirection.rb
+- lib/safe_redirection/constants.rb
+- lib/safe_redirection/resolvers.rb
+- lib/safe_redirection/resolvers/exceptions_resolver.rb
+- lib/safe_redirection/resolvers/resolver.rb
+- lib/safe_redirection/sanitizer.rb
+- safe_redirection.gemspec
+- spec/lib/safe_redirection/resolvers/exceptions_resolver_spec.rb
+- spec/lib/safe_redirection/sanitizer_spec.rb
+- spec/spec_helper.rb
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: safe_redirection-0.0.1
+test_files: []