diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index e73e5c42..20b0ae02 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -40,10 +40,7 @@ class Travis::Api::App
 # The entry point is [/auth/post_message](#/auth/post_message).
 class Authorization < Endpoint
 enable :inline_templates
- set prefix: '/auth', allowed_targets: %r{
- ^ http:// (localhost|127\.0\.0\.1)(:\d+)? $ |
- ^ https:// ([\w\-_]+\.)?travis-ci\.(org|com) $
- }x
+ set prefix: '/auth'
 # Endpoint for retrieving an authorization code, which in turn can be used
 # to generate an access token.
@@ -92,8 +89,13 @@ class Travis::Api::App
 #
 # * **redirect_uri**: URI to redirect to after handshake.
 get '/handshake' do
- handshake do |*, redirect_uri|
- safe_redirect redirect_uri
+ handshake do |user, token, redirect_uri|
+ if target_ok? redirect_uri
+ data = { user: user, token: token, uri: redirect_uri }
+ erb(:post_payload, locals: data)
+ else
+ safe_redirect redirect_uri
+ end
 end
 end
@@ -250,7 +252,12 @@ class Travis::Api::App
 end
 def target_ok?(target_origin)
- target_origin =~ settings.allowed_targets
+ uri = Addressable::URI.parse(target_origin)
+ if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\E/
+ uri.scheme == 'https'
+ elsif uri == 'localhost' or uri == '127.0.0.1'
+ uri.port > 1023
+ end
 end
 end
 end
@@ -420,3 +427,12 @@ if(window.parent == window) {
 sendPayload(window.parent);
 }
+
+@@ post_payload
+
+
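Review bot: In the new `/handshake` branch the freshly issued `token` and the caller-supplied `redirect_uri` are passed as locals to `erb(:post_payload, locals: data)`, and Sinatra's `erb` does not escape locals, so the `post_payload` template (added in the last hunk, but its body is not visible on this page) must HTML-escape or JSON-encode `uri` and `token` wherever it embeds them in markup or script. Whether a token can ever reach an untrusted page therefore rests entirely on `target_ok?`, which is reviewed with the next hunk. The `handshake` helper and `safe_redirect` are defined outside this hunk, so the `else` path cannot be checked here. A one-line comment would make the contract explicit: `# Only a target accepted by target_ok? is rendered the token-bearing post_payload page; anything else is just redirected.`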
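Review bot: `target_ok?` as rewritten cannot admit a local target and mishandles the travis-ci check: `uri == 'localhost'` compares an `Addressable::URI` object with a `String` (it should be `uri.host`), `uri.port > 1023` raises `NoMethodError` when the target carries no explicit port, and the host pattern ends in `\E`, which is not Ruby's end-of-string anchor (`\z` is), so depending on how the engine treats that escape the pattern either never matches a real host or leaves the suffix unanchored. `Addressable::URI.parse` also raises `Addressable::URI::InvalidURIError` on malformed input, which is not rescued, and the local branch no longer constrains the scheme the way the removed `allowed_targets` pattern in the first hunk did. The rewrite below anchors the host, compares `uri.host`, tolerates a missing port and fails closed on parse errors; since the first hunk deletes `settings.allowed_targets`, any other reader of that setting outside this diff will break too, and `or` should be `||` in any case.
```ruby
def target_ok?(target_origin)
  uri = Addressable::URI.parse(target_origin)
  return false if uri.nil? || uri.host.nil?

  if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\z/
    uri.scheme == 'https'
  elsif %w[localhost 127.0.0.1].include?(uri.host)
    # local targets: scheme still has to be web, port optional but unprivileged
    %w[http https].include?(uri.scheme) && uri.port.to_i > 1023
  else
    false
  end
rescue Addressable::URI::InvalidURIError
  false
end
```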
+
+
+
+
+