diff --git a/lib/stripe/authorize_response_patcher.rb b/lib/stripe/authorize_response_patcher.rb
index 4128bf6577..06e8fde247 100644
--- a/lib/stripe/authorize_response_patcher.rb
+++ b/lib/stripe/authorize_response_patcher.rb
@@ -28,7 +28,8 @@ module Stripe
 return unless %w(authorize_with_url redirect_to_url).include?(next_action_type)
 url = next_action[next_action_type]["url"]
- url if url.match(%r{https?://\S+}) && url.include?("stripe.com")
+ host = URI(url).host
+ url if url.match(%r{https?://\S+}) && host.match?(/\S?stripe.com\Z/)
 end
 # This field is used because the Spree code recognizes and stores it
diff --git a/spec/lib/stripe/authorize_response_patcher_spec.rb b/spec/lib/stripe/authorize_response_patcher_spec.rb
index 9e0c0be3ec..395dac7d60 100644
--- a/spec/lib/stripe/authorize_response_patcher_spec.rb
+++ b/spec/lib/stripe/authorize_response_patcher_spec.rb
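Review bot: The new host check on the `+ url if ...` line still accepts any host that merely ends in the characters `stripe.com`, because `/\S?stripe.com\Z/` is not anchored at the start and its `.` is unescaped: `https://notstripe.com/authorize` passes (`\S?` swallows the `t`), and so would a host like `stripeXcom`, which is the same class of bypass this commit sets out to close. `URI(url).host` is also evaluated before the `https?://` check on the next line, so a malformed or scheme-less value from the response now raises (`URI::InvalidURIError`, or `NoMethodError` from `nil.match?`) instead of the method returning nil. I would parse once, bail out on a missing host, and compare the host exactly or by `.stripe.com` suffix rather than by regex (if a regex is kept, anchor it with `\A` and use `\z`, not `\Z`); the enclosing method starts outside this hunk, so a method-level `rescue` may also be an option but is not visible here. Whether plain `http://` should still be accepted for a 3-D Secure redirect is worth confirming against the Stripe docs — the existing scheme check keeps allowing it.
```ruby
# … unchanged: next_action_type guard, url lookup …
host = begin
  URI(url).host
rescue URI::InvalidURIError
  nil
end
return unless host && url.match?(%r{\Ahttps?://})
url if host == "stripe.com" || host.end_with?(".stripe.com")
```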
@@ -17,15 +17,36 @@ RSpec.describe Stripe::AuthorizeResponsePatcher do
 context "when url is found in response" do
 let(:params) {
- { "status" => "requires_source_action", "next_source_action" => { "type" => "authorize_with_url", "authorize_with_url" => { "url" => "https://test.stripe.com/authorize" } } }
+ {
+ "status" => "requires_source_action",
+ "next_source_action" => {
+ "type" => "authorize_with_url",
+ "authorize_with_url" => { "url" => "https://www.stripe.com/authorize" }
+ }
+ }
 }
 it "patches response.cvv_result.message with the url in the response" do
 new_response = patcher.call!
 expect(new_response.cvv_result['message']).to eq "https://www.stripe.com/authorize"
 end
+
+ context "with invalid url containing 'stripe.com'" do
+ let(:params) {
+ {
+ "status" => "requires_source_action",
+ "next_source_action" => {
+ "type" => "authorize_with_url",
+ "authorize_with_url" => { "url" => "https://www.stripe.com.malicious.org/authorize" }
+ }
+ }
+ }
+
+ it "patches response.cvv_result.message with nil" do
+ new_response = patcher.call!
+ expect(new_response.cvv_result['message']).to be_nil
+ end
+ end
 end
 end
 end
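Review bot: The new negative example covers only a suffix-appended host (`www.stripe.com.malicious.org`); a host that ends in the literal characters `stripe.com` with no dot in front, such as `https://notstripe.com/authorize`, is not exercised, and with the `/\S?stripe.com\Z/` check this commit introduces in the lib file (unanchored at the start) that URL would still be returned. I would add a sibling context mirroring the malicious.org one with `"url" => "https://notstripe.com/authorize"` and the same `to be_nil` expectation, so the spec pins the intended host rule rather than one bypass shape. A further example with a scheme-less or malformed value, e.g. `"url" => "stripe.com/authorize"`, would also document what the patcher is expected to do when `URI(url).host` comes back nil, which the lib change does not handle explicitly.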