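--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -69,7 +69,11 @@ def redirect_on_timeout
 return unless params[:timeout]
 
 flash[:notice] = t('notices.session_cleared', minutes: Figaro.env.session_timeout_in_minutes)
-redirect_to url_for(params.except(:timeout))
+redirect_to url_for(permitted_timeout_params)
 end
+
+def permitted_timeout_params
+params.permit(:request_id)
+end
 
 def current_sp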
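Review bot: `permitted_timeout_params` is added with no visibility marker and no `private` section is visible in the hunk, so it is a public method on ApplicationController and, by inheritance, on every controller in the app; unless it lands under a `private` keyword further down (outside the hunk), add `private` above `def permitted_timeout_params` or declare `private :permitted_timeout_params`. The whitelist also deserves a why-comment, because the replaced `params.except(:timeout)` let a caller-supplied `host` (and equally `protocol` or `port`) flow into `url_for` and change where the timeout redirect lands, which is exactly what the new controller spec guards against: `# Only request_id may be rebuilt into the redirect; host/protocol/port must never come from the query string.` One thing to confirm against the app's configuration: `params.permit` logs or raises on unpermitted keys depending on `action_on_unpermitted_parameters`, so if that is `:raise` in any environment a timeout redirect carrying an unexpected query key would fail instead of being cleaned. `redirect_on_timeout`'s `def` line sits in the hunk header, just above the visible lines.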
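--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -138,4 +138,41 @@ def index
 end
 end
 end
+
+describe '#session_expires_at' do
+before { routes.draw { get 'index' => 'anonymous#index' } }
+after { Rails.application.reload_routes! }
+
+controller do
+prepend_before_action :session_expires_at
+
+def index
+render text: 'Hello'
+end
+end
+
+context 'when URL contains the host parameter' do
+it 'does not redirect to the host' do
+get :index, timeout: true, host: 'www.monfresh.com'
+
+expect(response.header['Location']).to_not match 'www.monfresh.com'
+end
+end
+
+context 'when URL does not contain the timeout parameter' do
+it 'does not redirect anywhere' do
+get :index, host: 'www.monfresh.com'
+
+expect(response).to_not be_redirect
+end
+end
+
+context 'when URL contains the request_id parameter' do
+it 'preserves the request_id parameter' do
+get :index, timeout: true, request_id: '123'
+
+expect(response.header['Location']).to match '123'
+end
+end
+end
 end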
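Review bot: The negative assertion `expect(response.header['Location']).to_not match 'www.monfresh.com'` only proves the injected host is absent; asserting where the redirect actually goes pins the behaviour, e.g. `expect(response.header['Location']).to match 'test.host'` (the controller-spec host may differ in this app, so verify the value). Likewise `to match '123'` in the request_id example passes on any Location containing those digits; `to match 'request_id=123'` is the property the controller whitelist promises. `render text: 'Hello'` is deprecated in favour of `render plain:` on newer Rails; that only matters if the app is on Rails 5 or later, which the hunk does not show.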
4 changes: 2 additions & 2 deletions spec/features/users/sign_in_spec.rb
Expand Up @@ -118,14 +118,14 @@
it 'refreshes the current page after session expires', js: true do
allow(Devise).to receive(:timeout_in).and_return(1)

visit sign_up_email_path(foo: 'bar')
visit sign_up_email_path(request_id: '123abc')
fill_in 'Email', with: 'test@example.com'

expect(page).to have_content(
t('notices.session_cleared', minutes: Figaro.env.session_timeout_in_minutes)
)
expect(page).to have_field('Email', with: '')
expect(current_url).to match Regexp.escape(sign_up_email_path(foo: 'bar'))
expect(current_url).to match Regexp.escape(sign_up_email_path(request_id: '123abc'))
end

it 'does not refresh the page after the session expires', js: true do
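Review bot: Swapping `foo: 'bar'` for `request_id: '123abc'` keeps the preserved-parameter case but removes the only example of an arbitrary query key, so this feature spec no longer shows that non-whitelisted keys are discarded on the timeout refresh; a companion example that visits with `foo: 'bar'` and asserts `expect(current_url).to_not match 'foo=bar'` would pin that side of the controller change end to end. The fixture also differs from the controller spec's `request_id: '123'`; harmless, but one shared value reads more consistently. The enclosing describe/feature block starts and ends outside the hunk.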