
Limit API endpoint to original security domain

Conflicts:
	lib/rubygems/remote_fetcher.rb

Conflicts:
	test/rubygems/test_gem_remote_fetcher.rb
evanphx committed May 14, 2015
1 parent 540d1d9 commit 6bbee35fd6daed045103f3122490a588d97c066a
Showing with 23 additions and 3 deletions.
  1. +7 −1 lib/rubygems/remote_fetcher.rb
  2. +16 −2 test/rubygems/test_gem_remote_fetcher.rb
@@ -94,7 +94,13 @@ def api_endpoint(uri)
rescue Resolv::ResolvError
uri
else
URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
target = res.target.to_s.strip
if /#{host}\z/ =~ target

@ngollan

ngollan Jun 24, 2015

Shouldn't the #{host} interpolation be Regexp.escaped?

@thoger

thoger Jun 26, 2015

Commit 5c7bfb5, added 4 days after this commit, changed it to /\.#{Regexp.quote(host)}\z/, which should also prevent accepting notrubygems.org target for rubygems.org.

return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
end
uri
end
end
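Review bot: the suffix check `if /#{host}\z/ =~ target` interpolates host into the pattern unescaped and carries no label boundary, so `.` in the host matches any character and a target such as notrubygems.org (or rubygemsXorg) is accepted for rubygems.org; use `/\.#{Regexp.quote(host)}\z/` (or a plain `target == host || target.end_with?(".#{host}")`) so that only the host itself and its subdomains pass. DNS names are case-insensitive and may come back with a trailing dot, so downcase `target` and chomp a trailing `.` before comparing. Since the mismatch case now silently falls through to `uri`, a one-line comment stating that an out-of-domain SRV target is deliberately ignored would help the next reader.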
@@ -167,6 +167,21 @@ def test_no_proxy
end
def test_api_endpoint
uri = URI.parse "http://example.com/foo"
target = MiniTest::Mock.new
target.expect :target, "gems.example.com"
dns = MiniTest::Mock.new
dns.expect :getresource, target, [String, Object]
fetch = Gem::RemoteFetcher.new nil, dns
assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
target.verify
dns.verify
end
def test_api_endpoint_ignores_trans_domain_values
uri = URI.parse "http://gems.example.com/foo"
target = MiniTest::Mock.new
target.expect :target, "blah.com"
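Review bot: in test_api_endpoint_ignores_trans_domain_values the spoofed target "blah.com" shares no suffix with gems.example.com, so any suffix check rejects it and this test cannot detect the unescaped, unanchored `/#{host}\z/` in the first hunk; add targets that only an escaped, boundary-aware check rejects, e.g. `target.expect :target, "notgems.example.com"` and `"gemsXexample.com"`, and a positive case in test_api_endpoint where the target equals the host, so the boundary condition is pinned on both sides.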
@@ -175,8 +190,7 @@ def test_api_endpoint
dns.expect :getresource, target, [String, Object]
fetch = Gem::RemoteFetcher.new nil, dns
@fetcher = fetcher
assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
target.verify
dns.verify
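Review bot: the updated assertion `assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)` restates the input URI by hand; `assert_equal uri, fetch.api_endpoint(uri)` expresses the intended behaviour (an out-of-domain target leaves the original URI untouched) directly and cannot drift from the `uri` defined at the top of the test. Dropping the stray `@fetcher = fetcher` is right, as `fetcher` is not defined anywhere in the test shown.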

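The Regexp.escape point raised in the thread above, as an added example that is not part of rubygems or of this commit: it contrasts the check as committed with the escaped and anchored form the thread cites, adds a label-wise comparison, and runs each through a stand-in for api_endpoint with the DNS lookup injected. SrvRecord, trusted_target?, endpoint_for, FAKE_SRV, FAKE_RESOLVER and the resolver callable's signature are assumptions constructed for the example.

```ruby
require "uri"

# Constructed stand-in for the Resolv SRV resource: only #target is used here.
SrvRecord = Struct.new(:target)

# Check as committed on this page: host is interpolated unescaped and nothing
# anchors the label boundary, so "." matches any character and any string
# merely ending in the host text passes.
def trusted_target_naive?(host, target)
  !!(/#{host}\z/ =~ target)
end

# Form cited in the thread (Regexp.quote plus a leading "\."): metacharacters
# are escaped and a label boundary is required. It rejects a target that is
# exactly the host, which may or may not be what a caller wants.
def trusted_target_regex?(host, target)
  !!(/\.#{Regexp.quote(host)}\z/ =~ target)
end

# Label-wise comparison written for this example (not rubygems code):
# case-insensitive, tolerant of a trailing dot, accepts the host itself
# and any subdomain of it, nothing else.
def trusted_target?(host, target)
  h = host.to_s.strip.downcase.chomp(".")
  t = target.to_s.strip.downcase.chomp(".")
  return false if h.empty? || t.empty?
  t == h || t.end_with?(".#{h}")
end

# Stand-in for the api_endpoint flow on this page with DNS injected.
# resolver is a callable that returns an object responding to #target, or nil
# when there is no SRV record (the page's rescue Resolv::ResolvError path).
# Assumed signature, not rubygems' own.
def api_endpoint(uri, resolver, check: method(:trusted_target?))
  host = uri.host
  res = resolver.call("_rubygems._tcp.#{host}")
  return uri if res.nil?
  target = res.target.to_s.strip
  return uri unless check.call(host, target)
  URI.parse "#{uri.scheme}://#{target}#{uri.path}"
end

# Constructed SRV answers: an in-domain record, the out-of-domain one from the
# test on this page, and a prefix-collision record that only the naive check
# accepts.
FAKE_SRV = {
  "_rubygems._tcp.example.com"      => SrvRecord.new("gems.example.com"),
  "_rubygems._tcp.gems.example.com" => SrvRecord.new("blah.com"),
  "_rubygems._tcp.rubygems.org"     => SrvRecord.new("notrubygems.org"),
}.freeze
FAKE_RESOLVER = ->(name) { FAKE_SRV[name] }

# Convenience wrapper returning the resolved endpoint as a string.
def endpoint_for(url, check: method(:trusted_target?))
  api_endpoint(URI.parse(url), FAKE_RESOLVER, check: check).to_s
end

if __FILE__ == $0
  %w[http://example.com/foo http://gems.example.com/foo http://rubygems.org/foo].each do |url|
    puts "#{url} -> #{endpoint_for(url)}"
  end
  puts "with the naive check: #{endpoint_for("http://rubygems.org/foo", check: method(:trusted_target_naive?))}"
end
```

With the naive check the spoofed notrubygems.org record redirects rubygems.org traffic; with either hardened check the original URI is returned. The label-wise form is the one to prefer in new code, since it has no regex metacharacters to escape and handles the host-equals-target case that the `\.` prefix excludes.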