Commit 56c2101

mo <mo@mokhan.ca>
2018-10-13 17:40:37
validate redirect url
1 parent 66e4468
Changed files (2)
app/models/client.rb
@@ -57,8 +57,10 @@ class Client < ApplicationRecord
   end
 
   def redirect_url(fragments = {})
-    "#{redirect_uri}#" + fragments.map do |(key, value)|
-      "#{key}=#{value}" if value.present?
-    end.compact.join("&")
+    URI.parse(
+      "#{redirect_uri}#" + fragments.map do |(key, value)|
+        "#{key}=#{value}" if value.present?
+      end.compact.join("&")
+    ).to_s
   end
 end
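Review bot: Wrapping the assembled string in `URI.parse(...).to_s` only checks that the result contains no characters that are illegal in a URI, so each fragment value is still interpolated raw into the new body: a value containing `&`, `=` or `#` parses cleanly and can add or override fragment parameters (e.g. `state: "x&code=y"`), and the parse also raises `URI::InvalidURIError` when the stored `redirect_uri` itself is malformed, not only when the caller's value is. Encoding the values makes any input safe without relying on parse failure: `fragment = URI.encode_www_form(fragments.select { |_, value| value.present? })` followed by `"#{redirect_uri}##{fragment}"`, which keeps the same blank-value filtering as the current `.compact`. The second example added in spec/models/client_spec.rb pins the raise, so it would become an equality check on the encoded `state` value (starting `%3Cscript%3E`). Whether percent-encoded fragment values are what the redirect targets expect cannot be confirmed from this commit and should be checked against the callers.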
spec/models/client_spec.rb
@@ -10,4 +10,13 @@ RSpec.describe Client do
     specify { expect(build(:client, uuid: 'invalid')).to be_invalid }
     specify { expect(build(:client, name: nil)).to be_invalid }
   end
+
+  describe "#redirect_url" do
+    subject { build(:client) }
+    let(:code) { SecureRandom.uuid }
+    let(:redirect_uri) { subject.redirect_uri }
+
+    specify { expect(subject.redirect_url(code: code)).to eql("#{redirect_uri}#code=#{code}") }
+    specify { expect { subject.redirect_url(state: '<script>alert("hi");</script>') }.to raise_error(URI::InvalidURIError) }
+  end
 end