Tighten url validation

Per recommendation from https://github.com/openfoodfoundation/openfoodnetwork/security/code-scanning/241
Gaetan Craig-Riou
2025-08-13 22:27:42 +10:00
parent cbced144d5
commit 118e18a78e
2 changed files with 26 additions and 4 deletions


@@ -28,7 +28,8 @@ module Stripe
return unless %w(authorize_with_url redirect_to_url).include?(next_action_type)
url = next_action[next_action_type]["url"]
url if url.match(%r{https?://\S+}) && url.include?("stripe.com")
host = URI(url).host
url if url.match(%r{https?://\S+}) && host.match?(/\S?stripe.com\Z/)
end
# This field is used because the Spree code recognizes and stores it
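Review bot: The new host check `host.match?(/\S?stripe.com\Z/)` has no leading anchor and an unescaped dot, so a host such as `evilstripe.com` or `stripexcom` still satisfies it, and `host` is nil for a string URI can parse without an authority, which makes `match?` raise. Compare the host exactly instead of by regex: `host = URI(url).host.to_s.downcase` followed by `url if host == "stripe.com" || host.end_with?(".stripe.com")`. `URI(url)` also raises `URI::InvalidURIError` on a malformed string, which the previous regex-only check tolerated; rescue it and return nil so an unexpected response does not turn into an exception. The unchanged `%r{https?://\S+}` pattern still accepts plain `http://`, so if only TLS redirects are intended check `URI(url).scheme == "https"` as well. The enclosing method begins before this hunk.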


@@ -17,15 +17,36 @@ RSpec.describe Stripe::AuthorizeResponsePatcher do
context "when url is found in response" do
let(:params) {
{ "status" => "requires_source_action",
"next_source_action" => { "type" => "authorize_with_url",
"authorize_with_url" => { "url" => "https://test.stripe.com/authorize" } } }
{
"status" => "requires_source_action",
"next_source_action" => {
"type" => "authorize_with_url",
"authorize_with_url" => { "url" => "https://www.stripe.com/authorize" }
}
}
}
it "patches response.cvv_result.message with the url in the response" do
new_response = patcher.call!
expect(new_response.cvv_result['message']).to eq "https://www.stripe.com/authorize"
end
context "with invalid url containing 'stripe.com'" do
let(:params) {
{
"status" => "requires_source_action",
"next_source_action" => {
"type" => "authorize_with_url",
"authorize_with_url" => { "url" => "https://www.stripe.com.malicious.org/authorize" }
}
}
}
it "patches response.cvv_result.message with nil" do
new_response = patcher.call!
expect(new_response.cvv_result['message']).to be_nil
end
end
end
end
end
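Review bot: The new negative case only covers a host where `stripe.com` is followed by more labels (`www.stripe.com.malicious.org`); add a case where it is the tail of a longer label, e.g. `"url" => "https://evilstripe.com/authorize"` expecting `cvv_result['message']` to be nil, because the patched regex `/\S?stripe.com\Z/` has no leading anchor and appears to accept that host. A further case with a string `URI()` cannot parse (for example one containing a space) would pin whether the patcher returns nil or propagates `URI::InvalidURIError`, which the new `URI(url).host` call can raise.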