From 742583e8e9778b6c7fc147dc4ec3f12d3b360c8f Mon Sep 17 00:00:00 2001
From: Konstantin Haase
Date: Wed, 19 Sep 2012 16:29:11 +0200
Subject: [PATCH] make sure we don't leak the github oauth code via a referrer

---
 lib/travis/api/app.rb | 4 ++++
 lib/travis/api/app/endpoint.rb | 13 +++++++++++++
 lib/travis/api/app/endpoint/authorization.rb | 4 ++--
 lib/travis/api/app/endpoint/home.rb | 11 +++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index 1b2b7230..458a06e6 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -54,6 +54,10 @@ class Travis::Api::App
 use Rack::SSL if Endpoint.production?
 use ActiveRecord::ConnectionAdapters::ConnectionManagement
+ use Rack::Config do |env|
+ env['travis.global_prefix'] = env['SCRIPT_NAME']
+ end
+
 Middleware.subclasses.each { |m| use(m) }
 Endpoint.subclasses.each { |e| map(e.prefix) { run(e.new) } }
 end
diff --git a/lib/travis/api/app/endpoint.rb b/lib/travis/api/app/endpoint.rb
index c4cd2199..9bee2ff8 100644
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@@ -1,4 +1,5 @@
 require 'travis/api/app'
+require 'addressable/uri'
 class Travis::Api::App
 # Superclass for HTTP endpoints. Takes care of prefixing.
@@ -25,5 +26,17 @@ class Travis::Api::App
 def redis
 Thread.current[:redis] ||= ::Redis.connect(url: Travis.config.redis.url)
 end
+
+ def endpoint(link, query_values = {})
+ link = url(File.join(env['travis.global_prefix'], link), true, false)
+ uri = Addressable::URI.parse(link)
+ query_values = query_values.merge(uri.query_values) if uri.query_values
+ uri.query_values = query_values
+ uri.to_s
+ end
+
+ def safe_redirect(url)
+ redirect(endpoint('/redirect', to: url), 301)
+ end
 end
 end
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 8a1572a5..28e13784 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
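Review bot: The new `Rack::Config` block carries no comment saying why the mount point has to be captured at this position in the stack, and a later reader may move it below the `map(e.prefix)` line, where `SCRIPT_NAME` already carries an endpoint's own prefix. I would add above it: `# Record the app's own mount point before mapping: Rack::URLMap (map below) appends each endpoint's prefix to SCRIPT_NAME, so an endpoint cannot recover the global prefix from its own env.` The placement also means the key only exists for endpoints that run under this builder; whether endpoints are ever exercised without it (tests, for instance) is not visible here. The enclosing builder block starts outside the hunk.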
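Review bot: In `endpoint`, `query_values.merge(uri.query_values)` merges Addressable's string keys into whatever keys the caller passed (symbols, in `safe_redirect`), so a parameter present on both sides would apparently be emitted twice (`:to` and `"to"`) instead of one side winning; stringify the caller's keys first, `query_values = Hash[query_values.map { |k, v| [k.to_s, v] }]`, and decide explicitly which side takes precedence. `safe_redirect` answers with 301, a permanent and cacheable status, for a hop whose target is a per-request `to` value; 302 is the conventional choice here, `redirect(endpoint('/redirect', to: url), 302)`. `File.join(env['travis.global_prefix'], link)` raises a TypeError when that env key is absent, which is worth naming in a comment since the key is set by middleware elsewhere. Both helpers lack a header comment; something like `# Absolute URL for +link+ beneath the app's global mount point, with +query_values+ merged into its query string.` would also explain the `true, false` arguments passed to `url`.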
@@ -95,10 +95,10 @@ class Travis::Api::App
 #
 # Parameters:
 #
- # * **redirect_uri**: URI to redirect after handshake.
+ # * **redirect_uri**: URI to redirect to after handshake.
 get '/handshake' do
 handshake do |*, redirect_uri|
- redirect redirect_uri
+ safe_redirect redirect_uri
 end
 end
diff --git a/lib/travis/api/app/endpoint/home.rb b/lib/travis/api/app/endpoint/home.rb
index 96bbcb7d..8f41c586 100644
--- a/lib/travis/api/app/endpoint/home.rb
+++ b/lib/travis/api/app/endpoint/home.rb
@@ -11,6 +11,17 @@ class Travis::Api::App
 redirect to('/docs/') if request.preferred_type('application/json', 'text/html') == 'text/html'
 { 'hello' => 'world' }
 end
+
+ # Simple endpoints that redirects somewhere else, to make sure we don't
+ # send a referrer.
+ #
+ # Parameters:
+ #
+ # * **to**: URI to redirect to after handshake.
+ get '/redirect' do
+ halt 400 unless params[:to] =~ %r{^https?://}
+ redirect params[:to]
+ end
 end
 end
 end
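Review bot: Whether the extra hop through `/redirect` changes what the destination sees is worth confirming in a browser before relying on it: as far as I know user agents follow a 3xx chain with the Referer of the original navigation rather than the intermediate URL, so the `code` in the `/handshake` query string would only reach the destination as a referrer if the handshake response were rendered as a page, which this hunk does not show. The `handshake` helper that yields `redirect_uri` lies outside the hunk, so whether that value is checked against the registered redirect targets before it reaches `safe_redirect` cannot be seen here; if it is not, `/redirect` forwards to it unchanged. A one-line comment on the `safe_redirect redirect_uri` call, `# via /redirect so the destination never sees this URL (and the oauth code) as referrer`, would record the intent next to the code.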
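Review bot: The scheme check in `/redirect` uses `^`, which in Ruby matches at the start of any line, so a `to` value whose first line is something else and whose second line begins with `http://` passes the `halt 400` guard; anchor at the start of the string instead: `halt 400 unless params[:to] =~ %r{\Ahttps?://}`. As written the route is an unauthenticated open redirector to any absolute http(s) URL, which is what the intermediary hop needs, but that should be stated in its comment rather than the "after handshake" text copied from the handshake route. I would reword the header to `# Simple endpoint that redirects to the absolute http(s) URL given in +to+, so that the destination does not see the caller's URL as referrer. Intentionally open; reached through Endpoint#safe_redirect.` (also fixing "endpoints that redirects").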