|
|
b54141 |
From 6bbee35fd6daed045103f3122490a588d97c066a Mon Sep 17 00:00:00 2001
|
|
|
b54141 |
From: Evan Phoenix <evan@phx.io>
|
|
|
b54141 |
Date: Thu, 14 May 2015 14:53:35 -0700
|
|
|
b54141 |
Subject: [PATCH] Limit API endpoint to original security domain
|
|
|
b54141 |
|
|
|
b54141 |
Conflicts:
|
|
|
b54141 |
lib/rubygems/remote_fetcher.rb
|
|
|
b54141 |
|
|
|
b54141 |
Conflicts:
|
|
|
b54141 |
test/rubygems/test_gem_remote_fetcher.rb
|
|
|
b54141 |
---
|
|
|
b54141 |
lib/rubygems/remote_fetcher.rb | 8 +++++++-
|
|
|
b54141 |
test/rubygems/test_gem_remote_fetcher.rb | 18 ++++++++++++++++--
|
|
|
b54141 |
2 files changed, 23 insertions(+), 3 deletions(-)
|
|
|
b54141 |
|
|
|
b54141 |
diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
|
|
|
b54141 |
index da1febb..ec78e5f 100644
|
|
|
b54141 |
--- a/lib/rubygems/remote_fetcher.rb
|
|
|
b54141 |
+++ b/lib/rubygems/remote_fetcher.rb
|
|
|
b54141 |
@@ -94,7 +94,13 @@ def api_endpoint(uri)
|
|
|
b54141 |
rescue Resolv::ResolvError
|
|
|
b54141 |
uri
|
|
|
b54141 |
else
|
|
|
b54141 |
- URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
|
|
|
b54141 |
+ target = res.target.to_s.strip
|
|
|
b54141 |
+
|
|
|
b54141 |
+ if /#{host}\z/ =~ target
|
|
|
b54141 |
+ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
|
|
|
b54141 |
+ end
|
|
|
b54141 |
+
|
|
|
b54141 |
+ uri
|
|
|
b54141 |
end
|
|
|
b54141 |
end
|
|
|
b54141 |
|
|
|
b54141 |
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
|
|
|
b54141 |
index 883e1bd..a590dca 100644
|
|
|
b54141 |
--- a/test/rubygems/test_gem_remote_fetcher.rb
|
|
|
b54141 |
+++ b/test/rubygems/test_gem_remote_fetcher.rb
|
|
|
b54141 |
@@ -167,6 +167,21 @@ def test_no_proxy
|
|
|
b54141 |
end
|
|
|
b54141 |
|
|
|
b54141 |
def test_api_endpoint
|
|
|
b54141 |
+ uri = URI.parse "http://example.com/foo"
|
|
|
b54141 |
+ target = MiniTest::Mock.new
|
|
|
b54141 |
+ target.expect :target, "gems.example.com"
|
|
|
b54141 |
+
|
|
|
b54141 |
+ dns = MiniTest::Mock.new
|
|
|
b54141 |
+ dns.expect :getresource, target, [String, Object]
|
|
|
b54141 |
+
|
|
|
b54141 |
+ fetch = Gem::RemoteFetcher.new nil, dns
|
|
|
b54141 |
+ assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
|
|
|
b54141 |
+
|
|
|
b54141 |
+ target.verify
|
|
|
b54141 |
+ dns.verify
|
|
|
b54141 |
+ end
|
|
|
b54141 |
+
|
|
|
b54141 |
+ def test_api_endpoint_ignores_trans_domain_values
|
|
|
b54141 |
uri = URI.parse "http://gems.example.com/foo"
|
|
|
b54141 |
target = MiniTest::Mock.new
|
|
|
b54141 |
target.expect :target, "blah.com"
|
|
|
b54141 |
@@ -175,8 +190,7 @@ def test_api_endpoint
|
|
|
b54141 |
dns.expect :getresource, target, [String, Object]
|
|
|
b54141 |
|
|
|
b54141 |
fetch = Gem::RemoteFetcher.new nil, dns
|
|
|
b54141 |
- @fetcher = fetcher
|
|
|
b54141 |
- assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
|
|
|
b54141 |
+ assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
|
|
|
b54141 |
|
|
|
b54141 |
target.verify
|
|
|
b54141 |
dns.verify
|