suzanne.soy/travis-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

make sure we don't leak the github oauth code via a referrer

Browse Source
This commit is contained in:
Konstantin Haase 2012-09-19 16:29:11 +02:00
parent 3ddb2da33b
commit 742583e8e9
4 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/travis/api/app.rb
View File

@ -54,6 +54,10 @@ class Travis::Api::App
use Rack::SSL if Endpoint.production? use Rack::SSL if Endpoint.production?
use ActiveRecord::ConnectionAdapters::ConnectionManagement use ActiveRecord::ConnectionAdapters::ConnectionManagement
use Rack::Config do |env|
env['travis.global_prefix'] = env['SCRIPT_NAME']
end
Middleware.subclasses.each { |m| use(m) } Middleware.subclasses.each { |m| use(m) }
Endpoint.subclasses.each { |e| map(e.prefix) { run(e.new) } } Endpoint.subclasses.each { |e| map(e.prefix) { run(e.new) } }
end end

13
lib/travis/api/app/endpoint.rb
View File

@ -1,4 +1,5 @@
require 'travis/api/app' require 'travis/api/app'
require 'addressable/uri'
class Travis::Api::App class Travis::Api::App
# Superclass for HTTP endpoints. Takes care of prefixing. # Superclass for HTTP endpoints. Takes care of prefixing.
@ -25,5 +26,17 @@ class Travis::Api::App
def redis def redis
Thread.current[:redis] ||= ::Redis.connect(url: Travis.config.redis.url) Thread.current[:redis] ||= ::Redis.connect(url: Travis.config.redis.url)
end end
def endpoint(link, query_values = {})
link = url(File.join(env['travis.global_prefix'], link), true, false)
uri = Addressable::URI.parse(link)
query_values = query_values.merge(uri.query_values) if uri.query_values
uri.query_values = query_values
uri.to_s
end
def safe_redirect(url)
redirect(endpoint('/redirect', to: url), 301)
end
end end
end end

4
lib/travis/api/app/endpoint/authorization.rb
View File

@ -95,10 +95,10 @@ class Travis::Api::App
# #
# Parameters: # Parameters:
# #
# * **redirect_uri**: URI to redirect after handshake. # * **redirect_uri**: URI to redirect to after handshake.
get '/handshake' do get '/handshake' do
handshake do |*, redirect_uri| handshake do |*, redirect_uri|
redirect redirect_uri safe_redirect redirect_uri
end end
end end

11
lib/travis/api/app/endpoint/home.rb
View File

@ -11,6 +11,17 @@ class Travis::Api::App
redirect to('/docs/') if request.preferred_type('application/json', 'text/html') == 'text/html' redirect to('/docs/') if request.preferred_type('application/json', 'text/html') == 'text/html'
{ 'hello' => 'world' } { 'hello' => 'world' }
end end
# Simple endpoints that redirects somewhere else, to make sure we don't
# send a referrer.
#
# Parameters:
#
# * **to**: URI to redirect to after handshake.
get '/redirect' do
halt 400 unless params[:to] =~ %r{^https?://}
redirect params[:to]
end
end end
end end
end end