require that the redirect url be to stripe.com and over https

2026-04-04 07:09:14 +00:00 · 2021-01-07 11:43:03 -08:00
parent affc82b2b5
commit ab5ffead1d
4 changed files with 6 additions and 5 deletions
--- a/lib/stripe/authorize_response_patcher.rb
+++ b/lib/stripe/authorize_response_patcher.rb
@@ -24,7 +24,8 @@ module Stripe
                    next_action.present? &&
                    next_action["type"] == "authorize_with_url"

-      next_action["authorize_with_url"]["url"]
+      url = next_action["authorize_with_url"]["url"]
+      return url if url.match(%r{https?:\/\/[\S]+}) && url.include?("stripe.com")
    end

    # This field is used because the Spree code recognizes and stores it