require that the redirect url be to stripe.com and over https

2026-01-24 20:36:49 +00:00 · 2021-01-07 11:43:03 -08:00
parent affc82b2b5
commit ab5ffead1d
4 changed files with 6 additions and 5 deletions
--- a/lib/stripe/authorize_response_patcher.rb
+++ b/lib/stripe/authorize_response_patcher.rb
@@ -24,7 +24,8 @@ module Stripe
                    next_action.present? &&
                    next_action["type"] == "authorize_with_url"

-      next_action["authorize_with_url"]["url"]
+      url = next_action["authorize_with_url"]["url"]
+      return url if url.match(%r{https?:\/\/[\S]+}) && url.include?("stripe.com")
    end

    # This field is used because the Spree code recognizes and stores it
--- a/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
+++ b/spec/controllers/spree/admin/orders/payments/payments_controller_spec.rb
@@ -94,7 +94,7 @@ describe Spree::Admin::PaymentsController, type: :controller do
        context "where further action is required" do
          before do
            allow_any_instance_of(Spree::Payment).to receive(:authorize!) do |payment|
-              payment.update cvv_response_message: "http://redirect_url"
+              payment.update cvv_response_message: "https://www.stripe.com/authorize"
              payment.update state: "pending"
            end
          end
--- a/spec/features/admin/payments_stripe_spec.rb
+++ b/spec/features/admin/payments_stripe_spec.rb
@@ -70,7 +70,7 @@ feature '
      context "with a card that fails on registration because it requires(redirects) extra auth" do
        before do
          stub_payment_intents_post_request_with_redirect order: order,
-                                                          redirect_url: "www.dummy.org"
+                                                          redirect_url: "https://www.stripe.com/authorize"
        end

        it "fails to add a payment due to card error" do
--- a/spec/lib/stripe/authorize_response_patcher_spec.rb
+++ b/spec/lib/stripe/authorize_response_patcher_spec.rb
@@ -20,12 +20,12 @@ module Stripe
        let(:params) {
          { "status" => "requires_source_action",
            "next_source_action" => { "type" => "authorize_with_url",
-                                      "authorize_with_url" => { "url" => "test_url" } } }
+                                      "authorize_with_url" => { "url" => "https://www.stripe.com/authorize" } } }
        }

        it "patches response.cvv_result.message with the url in the response" do
          new_response = patcher.call!
-          expect(new_response.cvv_result['message']).to eq "test_url"
+          expect(new_response.cvv_result['message']).to eq "https://www.stripe.com/authorize"
        end
      end
    end