
Fix SSRF vulnerability in Resource#find

bhelx authored and drewish committed Nov 8, 2017
1 parent 5278237 commit 1bb0284d6e668b8b3d31167790ed6db1f6ccc4be
Showing with 10 additions and 2 deletions.
  1. +8 −0 lib/recurly/api.rb
  2. +1 −0 lib/recurly/api/net_http_adapter.rb
  3. +1 −2 lib/recurly/resource.rb
@@ -15,6 +15,7 @@ class API
require 'recurly/api/errors'
@@base_uri = "https://api.recurly.com/v2/"
@@valid_domains = [".recurly.com"]
RECURLY_API_VERSION = '2.8'
@@ -75,6 +76,13 @@ def base_uri
URI.parse @@base_uri.sub('api', Recurly.subdomain)
end
def validate_uri!(uri)
domain = @@valid_domains.detect { |d| uri.host.end_with?(d) }
unless domain
raise ArgumentError, "URI #{uri} is invalid. You may only make requests to a Recurly domain."
end
end
# @return [String]
def user_agent
"Recurly/#{Version}; #{RUBY_DESCRIPTION}"
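Review bot: `validate_uri!` checks only the host suffix, so a URI such as `http://api.recurly.com/...` passes and the request built in net_http_adapter.rb then carries the basic-auth API key over cleartext; since `@@base_uri` is https, consider also requiring `uri.scheme == 'https'` in the guard. `uri.host` is nil for a scheme-less or relative URI, and `end_with?` on nil raises NoMethodError rather than the ArgumentError this method intends, so `uri.host.to_s.end_with?(d)` keeps the failure path uniform. The suffix comparison is case-sensitive, which fails closed for an upper-case host but may surprise callers; downcasing the host first keeps the outcome consistent. The enclosing `class API` starts and ends outside this hunk.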
@@ -43,6 +43,7 @@ def request method, uri, options = {}
}
uri += "?#{pairs.join '&'}"
end
self.validate_uri!(uri)
request = METHODS[method].new uri.request_uri, head
request.basic_auth(*[Recurly.api_key, nil].flatten[0, 2])
if options[:body]
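Review bot: The added `self.validate_uri!(uri)` runs inside this adapter, so if `API` can dispatch to another adapter (the file name suggests the adapter is pluggable; confirm) requests through it would skip the check; placing the call in the adapter-independent entry point in `API` would make it unconditional. The explicit `self.` receiver is unnecessary for a call on the same object and `validate_uri!(uri)` reads more conventionally. `request` starts before this hunk and continues past it.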
@@ -335,9 +335,8 @@ def find(uuid, options = {})
raise NotFound, "can't find a record with nil identifier"
end
uri = uuid =~ /^http/ ? uuid : member_path(uuid)
begin
from_response API.get(uri, {}, options)
from_response API.get(member_path(uuid), {}, options)
rescue API::NotFound => e
raise NotFound, e.description
end
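Review bot: Dropping the `^http` branch closes the absolute-URL case, but `uuid` is still interpolated into the path by `member_path`, whose body is not in this hunk; if that helper does not escape it, an identifier containing `/`, `?` or `#` can still address a different endpoint on the Recurly host. Percent-encoding the identifier before building the path, e.g. `from_response API.get(member_path(URI.encode_www_form_component(uuid.to_s)), {}, options)`, keeps the request bound to the member resource — confirm against what `member_path` already does. `find` starts before this hunk and its closing `end` is after it.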
