From 1f15f094ce90c19280c62c23cfc9021ddf16fa80 Mon Sep 17 00:00:00 2001
From: Gaetan Craig-Riou
Date: Mon, 8 Sep 2025 11:00:11 +1000
Subject: [PATCH] Per review, check the URL is from a stripe subdomain
---
 lib/stripe/authorize_response_patcher.rb | 6 +++---
 spec/lib/stripe/authorize_response_patcher_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/stripe/authorize_response_patcher.rb b/lib/stripe/authorize_response_patcher.rb
index 06e8fde247..5586718949 100644
--- a/lib/stripe/authorize_response_patcher.rb
+++ b/lib/stripe/authorize_response_patcher.rb
@@ -27,9 +27,9 @@ module Stripe
 next_action_type = next_action["type"]
 return unless %w(authorize_with_url redirect_to_url).include?(next_action_type)
- url = next_action[next_action_type]["url"]
- host = URI(url).host
- url if url.match(%r{https?://\S+}) && host.match?(/\S?stripe.com\Z/)
+ url = URI(next_action[next_action_type]["url"])
+ # Check the URL is from a stripe subdomain
+ url.to_s if url.is_a?(URI::HTTPS) && url.host.match?(/\.stripe.com\Z/)
 end
 # This field is used because the Spree code recognizes and stores it
diff --git a/spec/lib/stripe/authorize_response_patcher_spec.rb b/spec/lib/stripe/authorize_response_patcher_spec.rb
index 395dac7d60..3eb2f2e626 100644
--- a/spec/lib/stripe/authorize_response_patcher_spec.rb
+++ b/spec/lib/stripe/authorize_response_patcher_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe Stripe::AuthorizeResponsePatcher do
 "status" => "requires_source_action",
 "next_source_action" => {
 "type" => "authorize_with_url",
- "authorize_with_url" => { "url" => "https://www.stripe.com.malicious.org/authorize" }
+ "authorize_with_url" => { "url" => "https://www.evil-stripe.com.malicious.org/authorize" }
 }
 }
 }
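Review bot: The host pattern on the last added line, `/\.stripe.com\Z/`, leaves the second dot unescaped, so it accepts any single character between `stripe` and `com` (a host such as `www.stripexcom` passes), and `\Z` tolerates a trailing newline where `\z` would not; tighten it to `url.host.to_s.match?(/\.stripe\.com\z/)`. The `.to_s` also covers the case where `URI()` yields a `URI::HTTPS` with a nil host (a scheme-only value, as far as I can tell), which would otherwise turn the method's intended nil return into a NoMethodError. The match is case-sensitive, so a host returned as `WWW.STRIPE.COM` would be rejected; that is probably fine but worth confirming against what Stripe actually sends before relying on it. The `def` line of this method is above the hunk, so I cannot see how callers treat the nil return.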
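Review bot: The updated fixture only exercises a suffix-spoofing host, while the patched check also starts rejecting `http://` URLs and bare `stripe.com` without a subdomain; if those are not already covered elsewhere in this spec (I cannot see the rest of the file from this hunk), `http://www.stripe.com/authorize` and `https://stripe.com/authorize` deserve explicit cases so the new behaviour is pinned. A negative case for a host like `https://www.stripexcom/authorize` would also be useful, since the unescaped dot in the pattern currently lets it through.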