From 6bbee35fd6daed045103f3122490a588d97c066a Mon Sep 17 00:00:00 2001
From: Evan Phoenix
Date: Thu, 14 May 2015 14:53:35 -0700
Subject: [PATCH] Limit API endpoint to original security domain

Conflicts:
	lib/rubygems/remote_fetcher.rb

Conflicts:
	test/rubygems/test_gem_remote_fetcher.rb
---
 lib/rubygems/remote_fetcher.rb | 8 +++++++-
 test/rubygems/test_gem_remote_fetcher.rb | 18 ++++++++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
index da1febb..ec78e5f 100644
--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
@@ -94,7 +94,13 @@ def api_endpoint(uri)
 rescue Resolv::ResolvError
 uri
 else
- URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
+ target = res.target.to_s.strip
+
+ if /#{host}\z/ =~ target
+ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+ end
+
+ uri
 end
 end
 
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
index 883e1bd..a590dca 100644
--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@@ -167,6 +167,21 @@ def test_no_proxy
 end
 
 def test_api_endpoint
+ uri = URI.parse "http://example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "gems.example.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+ assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values
 uri = URI.parse "http://gems.example.com/foo"
 target = MiniTest::Mock.new
 target.expect :target, "blah.com"
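Review bot: The new guard `if /#{host}\z/ =~ target` interpolates `host` into the regex without `Regexp.escape`, so every `.` in the hostname matches any character, and it anchors only the end of the string, so a target that merely ends in the same characters (constructed example: `notgems.example.com` for host `gems.example.com`) is accepted as same-domain. A plain string comparison removes both problems: `if target == host || target.end_with?(".#{host}")`. `host` is assigned before this hunk and the `api_endpoint(uri)` signature lies outside it, so this assumes `host` holds the bare hostname of `uri` rather than a pattern — confirm against the lines above. If the regex form is kept, it should at least read `/\.#{Regexp.escape(host)}\z/` and the accept-only-subdomains behaviour should be stated in a comment above the `if`.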
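Review bot: The added `test_api_endpoint` only covers an exact subdomain being accepted, and the renamed `test_api_endpoint_ignores_trans_domain_values` only covers an unrelated domain being rejected; neither exercises a target that shares a suffix without being a subdomain (for example a target of `notgems.example.com` for a `gems.example.com` URI, which should yield the original URI), so a regression in the boundary check on the library side would pass this suite. A third test mirroring `test_api_endpoint_ignores_trans_domain_values` with such a near-miss target, asserting `URI.parse("http://gems.example.com/foo")`, would pin that behaviour. Note also that `target.expect :target, "gems.example.com"` returns a plain String, so the `res.target.to_s.strip` conversion in the library hunk is not exercised against the real resource type here — presumably intentional for a unit test, but worth a one-line comment. The body of `test_api_endpoint_ignores_trans_domain_values` continues into the next hunk.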
@@ -175,8 +190,7 @@ def test_api_endpoint
 dns.expect :getresource, target, [String, Object]
 
 fetch = Gem::RemoteFetcher.new nil, dns
- @fetcher = fetcher
- assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri)
+ assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri)
 
 target.verify
 dns.verify