Ensure we raise if the root domain changed and it was not an expected behavior
Guillaume Feliciano authored and amro committed Feb 18, 2022
1 parent f71acf2 commit b2eb99e
Showing 2 changed files with 9 additions and 1 deletion.
2 changes: 2 additions & 0 deletions lib/gibbon/api_request.rb
Expand Up @@ -194,6 +194,8 @@ def api_url

def base_api_url
computed_api_endpoint = "https://#{get_data_center_from_api_key(self.api_key)}api.mailchimp.com"
raise Gibbon::GibbonError, "SSRF attempt" unless URI(computed_api_endpoint).host.include?("api.mailchimp.com")

"#{self.api_endpoint || computed_api_endpoint}/3.0/"
end
end
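Review bot: The added guard `raise Gibbon::GibbonError, "SSRF attempt" unless URI(computed_api_endpoint).host.include?("api.mailchimp.com")` is a substring test, so any host that merely contains that string passes it. If `get_data_center_from_api_key` returns the text after the key's `-` as the host prefix (which the spec's `-attacker.net/test/?` key suggests), a key such as `-api.mailchimp.com.attacker.net/?` yields host `api.mailchimp.com.attacker.net`, which `include?` accepts and the request still goes to the attacker's domain. Compare against the exact domain or its subdomain suffix instead: `host = URI(computed_api_endpoint).host` followed by `raise Gibbon::GibbonError, "SSRF attempt" unless host == "api.mailchimp.com" || host.to_s.end_with?(".api.mailchimp.com")`. Separately, `URI()` raises `URI::InvalidURIError` rather than `GibbonError` for keys containing characters such as spaces, and a caller-supplied `self.api_endpoint` bypasses the check entirely — presumably intentional since it is set by the integrator rather than derived from the key, but worth stating with `# Only the endpoint derived from api_key is untrusted; api_endpoint is developer-configured.`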
8 changes: 7 additions & 1 deletion spec/gibbon/gibbon_spec.rb
Expand Up @@ -162,6 +162,12 @@
@request = Gibbon::APIRequest.new(builder: @gibbon)
expect {@request.validate_api_key}.not_to raise_error
end

it "raises with a valid SSRF attack" do
@api_key = "-attacker.net/test/?"
@gibbon.api_key = @api_key
expect {@gibbon.try.retrieve}.not_to raise_error
end
end

describe "class variables" do
Expand Down Expand Up @@ -213,7 +219,7 @@
it "set debug on new instances" do
expect(Gibbon::Request.new.debug).to eq(Gibbon::Request.debug)
end

it "set faraday_adapter on new instances" do
expect(Gibbon::Request.new.faraday_adapter).to eq(Gibbon::Request.faraday_adapter)
end
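Review bot: The new example `it "raises with a valid SSRF attack"` asserts `not_to raise_error`, which contradicts its own name and the commit's purpose: with the key `-attacker.net/test/?` the computed endpoint's host should be `attacker.net`, so `base_api_url` raises `Gibbon::GibbonError` and this expectation would fail, and had it not raised, `retrieve` would presumably issue a real request to that host. Pin the guarded behaviour instead: `expect { @gibbon.try.retrieve }.to raise_error(Gibbon::GibbonError, "SSRF attempt")`. A second example using the key `-api.mailchimp.com.attacker.net/?` would also exercise the case where the host contains `api.mailchimp.com` without being a Mailchimp domain, which a substring-only check lets through. The enclosing `describe` block begins above this hunk.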
