imgix · luqven · Apr 22, 2021 · Apr 5, 2021 · Apr 5, 2021 · Apr 5, 2021
@@ -0,0 +1,29 @@
+{
+	"version": "2.0.0",
+	"tasks": [
+		{
+			"label": "rake: test",
+			"type": "shell",
+			"group":{
+				"kind": "test",
+				"isDefault": true
+			},
+			"problemMatcher": {
+				"owner": "ruby",
+				"fileLocation": ["relative", "${workspaceFolder}"],
+				"pattern": [
+						{
+							"regexp": "^([^:]+: .+)",
+							"message": 1
+						},
+						{
+							"regexp": "^    ([^:]+):(\\d+)",
+							"file": 1,
+							"line": 2
+						}
+				]
+			},
+			"command": "bundle exec rake test"
+		}
+	]
+}
@@ -8,5 +8,7 @@ gemspec
 gem 'rake'
 gem 'json'
 gem 'minitest'
+gem 'minitest-reporters'
 gem 'webmock'
 gem 'benchmark-ips'
+
@@ -12,16 +12,14 @@ def initialize(prefix, secure_url_token, path = "/")
       @secure_url_token = secure_url_token
       @path = path
       @options = {}
-
-      @path = CGI.escape(@path) if /^https?/ =~ @path
-      @path = "/#{@path}" if @path[0] != "/"
     end
 
     def to_url(opts = {})
+      sanitized_path ||= sanitize_path(@path)
       prev_options = @options.dup
       @options.merge!(opts)
 
-      current_path_and_params = path_and_params
+      current_path_and_params = path_and_params(sanitized_path)
       url = @prefix + current_path_and_params
 
       if @secure_url_token
@@ -130,12 +128,45 @@ def method_missing(method, *args, &block)
 
     private
 
-    def signature(current_path_and_params)
-      Digest::MD5.hexdigest(@secure_url_token + current_path_and_params)
+    # Escape and encode any characters in path that are reserved and not utf8 encoded.
+    # This includes " +?:#" characters. If a path is being used as a proxy, utf8
+    # encode everything. If it is not being used as proxy, leave certain chars, like
+    # "/", alone. Method assumes path is not already encoded.
+    def sanitize_path(path)
+      # remove the leading "/", we'll add it back after encoding
+      path = path.slice(1, path.length) if Regexp.new('^/') =~ path
+      # if path is being used as a proxy, encode the entire thing
+      if /^https?/ =~ path
+        return encode_URI_Component(path)
+      else
+        # otherwise, encode only specific characters
+        return encode_URI(path)
+      end
+    end
 def to_url(opts = {}) 
   sanitized_path ||= sanitize_path(@path) 
   prev_options = @options.dup 
   @options.merge!(opts) 
   current_path_and_params = path_and_params(sanitized_path) 
   url = @prefix + current_path_and_params 
   if @secure_url_token 
     url += (has_query? ? "&" : "?") + "s=#{signature(current_path_and_params)}" 
   end 
 def to_url(opts = {}) 
   sanitized_path ||= sanitize_path(@path) 
   prev_options = @options.dup 
   @options.merge!(opts) 
  
   current_path_and_params = path_and_params(sanitized_path) 
   url = @prefix + current_path_and_params 
  
   if @secure_url_token 
     url += (has_query? ? "&" : "?") + "s=#{signature(current_path_and_params)}" 
   end 
+
+    # URL encode the entire path
+    def encode_URI_Component(path)
+      return "/" + CGI.escape(path)
+    end
+
+    # URL encode every character in the path, including
+    # " +?:#" characters.
+    def encode_URI(path)
+      result = []
+      path.split("/").each do |str|
+        escaped_key = ERB::Util.url_encode(str)
+        result << escaped_key
+      end
+      result =  "/" + result.join("/")
+      return result;
+    end
+
+    def signature(rest)
+      Digest::MD5.hexdigest(@secure_url_token + rest)
     end
 
-    def path_and_params
-      has_query? ? "#{@path}?#{query}" : @path
+    def path_and_params(path)
+      has_query? ? "#{path}?#{query}" : path
     end
 
     def query

@@ -8,5 +8,10 @@
 require "imgix"
 require "webmock/minitest"
 
+require 'minitest/autorun'
+require 'minitest/reporters' # requires the gem
+
+Minitest::Reporters.use! Minitest::Reporters::SpecReporter.new
+
 class Imgix::Test < MiniTest::Test
 end
@@ -54,6 +54,18 @@ def test_path_with_multiple_params
     assert_equal url, path.to_url
   end
 
+  def test_relative_path_with_params
+    url = "https://demo.imgix.net/images/demo.png?h=200&w=200&s=d570a1ecd765470f7b34a69b56718a7a"
+    path = client.path("images/demo.png").h(200).w(200)
+    assert_equal url, path.to_url
+  end
+
+  def test_file_path_with_reserved_delimiters
+    url = "https://demo.imgix.net/%20%3C%3E%5B%5D%7B%7D%7C%5C%5C%5E%25.jpg?h=200&w=200&s=c53e7dc75b2d8fb70006f12357881622"
+    path = client.path("/ <>[]{}|\\\\^%.jpg").h(200).w(200)
+    assert_equal url, path.to_url
+  end
+
   def test_path_with_multi_value_param_safely_encoded
     url = "https://demo.imgix.net/images/demo.png?markalign=middle%2Ccenter&s=f0d0e28a739f022638f4ba6dddf9b694"
     path = client.path("/images/demo.png").markalign("middle,center")
@@ -73,6 +85,11 @@ def test_param_values_are_escaped
     assert_equal "https://demo.imgix.net/demo.png?hello_world=%2Ffoo%22%3E%20%3Cscript%3Ealert%28%22hacked%22%29%3C%2Fscript%3E%3C", ix_url
   end
 
+  def test_unicode_path_variants_are_utf8_encoded
+    ix_url = unsigned_client.path("I cannøt belîév∑ it wors! 😱").to_url
+
+    assert_equal "https://demo.imgix.net/I%20cann%C3%B8t%20bel%C3%AE%C3%A9v%E2%88%91%20it%20wor%EF%A3%BFs%21%20%F0%9F%98%B1", ix_url
+  end
   def test_base64_param_variants_are_base64_encoded
     ix_url = unsigned_client.path("~text").to_url({txt64: "I cannøt belîév∑ it wors! 😱"})
 

@@ -26,6 +26,22 @@ def test_signing_with_multiple_params
     assert_equal expected, path.to_url(h: 200, w: 200)
   end
 
+  def test_calling_to_url_many_times
+    path = client.path(DEMO_IMAGE_PATH)
+    expected = ["https://demo.imgix.net/images/demo.png?h=200&w=200&s=d570a1ecd765470f7b34a69b56718a7a"]
+    result = []
+
+    10.times do
+      expected << expected[0]
+    end
+
+    expected.length.times do
+      result << path.to_url(h: 200, w: 200)
+    end
+
+    assert_equal expected, result
+  end
+
   private
 
   def client