Per review, check the URL is from a stripe subdomain

2026-03-18 04:39:14 +00:00 · 2025-09-08 11:00:11 +10:00
parent 118e18a78e
commit 1f15f094ce
2 changed files with 4 additions and 4 deletions
--- a/lib/stripe/authorize_response_patcher.rb
+++ b/lib/stripe/authorize_response_patcher.rb
@@ -27,9 +27,9 @@ module Stripe
      next_action_type = next_action["type"]
      return unless %w(authorize_with_url redirect_to_url).include?(next_action_type)

-      url = next_action[next_action_type]["url"]
-      host = URI(url).host
-      url if url.match(%r{https?://\S+}) && host.match?(/\S?stripe.com\Z/)
+      url = URI(next_action[next_action_type]["url"])
+      # Check the URL is from a stripe subdomain
+      url.to_s if url.is_a?(URI::HTTPS) && url.host.match?(/\.stripe.com\Z/)
    end

    # This field is used because the Spree code recognizes and stores it
--- a/spec/lib/stripe/authorize_response_patcher_spec.rb
+++ b/spec/lib/stripe/authorize_response_patcher_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe Stripe::AuthorizeResponsePatcher do
            "status" => "requires_source_action",
            "next_source_action" => {
              "type" => "authorize_with_url",
-              "authorize_with_url" => { "url" => "https://www.stripe.com.malicious.org/authorize" }
+              "authorize_with_url" => { "url" => "https://www.evil-stripe.com.malicious.org/authorize" }
            }
          }
        }