
Commit 8590365

authored
Merge pull request #73 from basecamp/flavorjones/fix-url-check
Prevent redirects to malformed URLs
2 parents 44f572a + a0548a6 commit 8590365


2 files changed

+17
-2
lines changed


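--- a/lib/google_sign_in/redirect_protector.rb
+++ b/lib/google_sign_in/redirect_protector.rb
@@ -9,9 +9,12 @@ class Violation < StandardError; end
 QUALIFIED_URL_PATTERN = /\A#{URI::DEFAULT_PARSER.make_regexp}\z/
 
 def ensure_same_origin(target, source)
-if target.blank? || (target =~ QUALIFIED_URL_PATTERN && origin_of(target) != origin_of(source))
-raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
+if (target =~ QUALIFIED_URL_PATTERN && origin_of(target) == origin_of(source)) ||
+target =~ URI::DEFAULT_PARSER.regexp[:ABS_PATH]
+return
 end
+
+raise Violation, "Redirect target #{target.inspect} does not have same origin as request (expected #{origin_of(source)})"
 end
 
 private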
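Review bot: The new `ABS_PATH` branch on the second line of the condition accepts protocol-relative targets such as `//evil.com`: as far as I can tell from the RFC 2396 grammar the default parser uses, abs_path is `/` followed by segments that may be empty, so `//evil.com` satisfies `URI::DEFAULT_PARSER.regexp[:ABS_PATH]`, does not match `QUALIFIED_URL_PATTERN` (no scheme), and `ensure_same_origin` returns without raising even though a browser resolves a `Location: //evil.com` response against the current scheme and leaves the site. Reject that form explicitly, e.g. `target =~ URI::DEFAULT_PARSER.regexp[:ABS_PATH] && !target.start_with?('//')`, and add a test case with `'//evil.com'` beside the new invalid-URL test. A one-line comment above the condition would also help, e.g. `# Allow only a same-origin absolute URL or a server-relative path; blank, nil, malformed and schemeless-host targets all fall through to Violation`, since the removal of the `blank?` check makes that fall-through the only reason an empty target is rejected. The whole of `ensure_same_origin` is inside the hunk.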

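--- a/test/models/redirect_protector_test.rb
+++ b/test/models/redirect_protector_test.rb
@@ -8,6 +8,18 @@ class GoogleSignIn::RedirectProtectorTest < ActiveSupport::TestCase
 end
 end
 
+test "disallows URL target that is not a valid URL" do
+assert_raises GoogleSignIn::RedirectProtector::Violation do
+GoogleSignIn::RedirectProtector.ensure_same_origin 'https://basecamp.com\n\r@\n\revil.com', 'https://basecamp.com'
+end
+end
+
+test "disallows URL target that is blank" do
+assert_raises GoogleSignIn::RedirectProtector::Violation do
+GoogleSignIn::RedirectProtector.ensure_same_origin '', 'https://basecamp.com'
+end
+end
+
 test "disallows URL target with different port than source" do
 assert_raises GoogleSignIn::RedirectProtector::Violation do
 GoogleSignIn::RedirectProtector.ensure_same_origin 'https://basecamp.com:10443', 'https://basecamp.com'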
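Review bot: The target in the new "not a valid URL" test is single-quoted, so `\n` and `\r` are two-character backslash sequences rather than newline and carriage-return characters; the case exercises a string containing backslashes, not one containing CR/LF, and it is not clear which the author intended. If the intent is control characters, use the double-quoted literal `"https://basecamp.com\n\r@\n\revil.com"` (or keep both variants, since both should raise); if the backslashes are deliberate, add a comment `# single quotes are intentional: \n and \r stay literal backslash sequences here` so the next reader does not "fix" it. Either way the test name should say which malformed shape is covered.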
