make sure we don't leak the github oauth code via a referrer

2012-09-19 16:29:11 +02:00 · 2012-09-19 16:29:11 +02:00 · 742583e8e9
commit 742583e8e9
parent 3ddb2da33b
4 changed files with 30 additions and 2 deletions
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@ -54,6 +54,10 @@ class Travis::Api::App
      use Rack::SSL if Endpoint.production?
      use ActiveRecord::ConnectionAdapters::ConnectionManagement

+      use Rack::Config do |env|
+        env['travis.global_prefix'] = env['SCRIPT_NAME']
+      end
+
      Middleware.subclasses.each { |m| use(m) }
      Endpoint.subclasses.each { |e| map(e.prefix) { run(e.new) } }
    end
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@ -1,4 +1,5 @@
 require 'travis/api/app'
+require 'addressable/uri'

 class Travis::Api::App
  # Superclass for HTTP endpoints. Takes care of prefixing.
@ -25,5 +26,17 @@ class Travis::Api::App
      def redis
        Thread.current[:redis] ||= ::Redis.connect(url: Travis.config.redis.url)
      end
+
+      def endpoint(link, query_values = {})
+        link = url(File.join(env['travis.global_prefix'], link), true, false)
+        uri  = Addressable::URI.parse(link)
+        query_values = query_values.merge(uri.query_values) if uri.query_values
+        uri.query_values = query_values
+        uri.to_s
+      end
+
+      def safe_redirect(url)
+        redirect(endpoint('/redirect', to: url), 301)
+      end
  end
 end
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@ -95,10 +95,10 @@ class Travis::Api::App
      #
      # Parameters:
      #
-      # * **redirect_uri**: URI to redirect after handshake.
+      # * **redirect_uri**: URI to redirect to after handshake.
      get '/handshake' do
        handshake do |*, redirect_uri|
-          redirect redirect_uri
+          safe_redirect redirect_uri
        end
      end

--- a/lib/travis/api/app/endpoint/home.rb
+++ b/lib/travis/api/app/endpoint/home.rb
@ -11,6 +11,17 @@ class Travis::Api::App
        redirect to('/docs/') if request.preferred_type('application/json', 'text/html') == 'text/html'
        { 'hello' => 'world' }
      end
+
+      # Simple endpoints that redirects somewhere else, to make sure we don't
+      # send a referrer.
+      #
+      # Parameters:
+      #
+      # * **to**: URI to redirect to after handshake.
+      get '/redirect' do
+        halt 400 unless params[:to] =~ %r{^https?://}
+        redirect params[:to]
+      end
    end
  end
 end