From 25f9c804013974826c422ccc7d41a368b61d5236 Mon Sep 17 00:00:00 2001
From: Nick Morgan
Date: Sun, 25 Apr 2021 19:26:11 -0400
Subject: [PATCH 1/2] Fail faster on infinite redirects
This commit reverts the ordering that was changed in:
https://github.com/oauth-xx/oauth-ruby/commit/d74b767f464ee045cec75504974ff897b3dc0076#diff-7539411a25dc370ad4ed8baed9d33ad853f07cadcfcc8c566494ecc438f5bd16
Once we know we are in an infinite redirect, we should fail immediately.
---
 lib/oauth/consumer.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
index fd2f3185..5a618078 100644
--- a/lib/oauth/consumer.rb
+++ b/lib/oauth/consumer.rb
@@ -243,12 +243,14 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
 uri = URI.parse(response['location'])
 our_uri = URI.parse(site)
+ # Guard against infinite redirects
+ response.error! if uri.path == path && our_uri.host == uri.host
+
 if uri.path == path && our_uri.host != uri.host
 options[:site] = "#{uri.scheme}://#{uri.host}"
 @http = create_http
 end
- response.error! if uri.path == path && our_uri.host == uri.host # careful of those infinite redirects
 self.token_request(http_method, uri.path, token, request_options, arguments)
 when (400..499)
 raise OAuth::Unauthorized, response
From cb93c727e9f25def01b4ccb37ff038f12a2fbd83 Mon Sep 17 00:00:00 2001
From: Nick Morgan
Date: Sun, 25 Apr 2021 20:26:54 -0400
Subject: [PATCH 2/2] Adding test for not following infinite redirect
---
 lib/oauth/consumer.rb | 2 +-
 test/units/test_consumer.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
index 5a618078..5b6468c3 100644
--- a/lib/oauth/consumer.rb
+++ b/lib/oauth/consumer.rb
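Review bot: The moved guard `response.error! if uri.path == path && our_uri.host == uri.host` only catches a redirect back to the exact same host and path; a loop that cycles through a different path, or bounces between two hosts (each hop takes the `our_uri.host != uri.host` branch and rewrites `options[:site]`, so if `site` reads from that option the next hop's host looks new again), still recurses through `self.token_request` with no upper bound. A small hop limit carried along with the recursive call and raised as an OAuth error once exceeded would make the fail-fast cover those cases too, and would not depend on `response.error!`, which for a 3xx raises `Net::HTTPRetriableError` (the class the new test asserts) — a name callers may read as transient rather than as a loop. Until then, a comment on the guard naming the raised class would at least make that visible, e.g. `# Loop: Location points back at this host+path; error! raises Net::HTTPRetriableError here`. Note also that the condition compares host and path only, so an http-to-https upgrade redirect to the same path on the same host is treated as a loop as well (unchanged from the old line, but worth stating in the comment). token_request starts and ends outside this hunk.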
@@ -239,7 +239,7 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
 end
 end
 when (300..399)
- # this is a redirect
+ # Parse redirect to follow
 uri = URI.parse(response['location'])
 our_uri = URI.parse(site)
diff --git a/test/units/test_consumer.rb b/test/units/test_consumer.rb
index 8c58674f..3cffb336 100644
--- a/test/units/test_consumer.rb
+++ b/test/units/test_consumer.rb
@@ -263,6 +263,22 @@ def test_follow_redirect_different_host_same_path
 assert_equal 'secret', hash[:oauth_token_secret]
 end
+ def test_not_following_redirect_with_same_uri
+ request_uri = URI.parse("http://example.com/request_token")
+ redirect_uri = request_uri.clone
+
+ stub_request(:get, request_uri.to_s).to_return(
+ :status => 301,
+ :headers => {'Location' => redirect_uri.to_s}
+ )
+
+ assert_raises Net::HTTPRetriableError do
+ @consumer.token_request(:get, request_uri.path) {
+ { :oauth_token => 'token', :oauth_token_secret => 'secret' }
+ }
+ end
+ end
+
 def test_that_can_provide_a_block_to_interpret_a_request_token_response
 @consumer.expects(:request).returns(create_stub_http_response)