Url Grey v 0.1.3 release notes
# 16 Jun 2017 by SeanNew in release 0.1.3
This release protects the application’s domain from being redirected to by the app to avoid possible infinite loops or inaccessible application routes.
To accomplish this, the following changes were made:
- A new custom validator,
safe_redirect_validator.rb
was added - An additional validation was added to the
ShortUrl
model
Further work
The validator could easily be extended to check requested redirect targets against an array of blacklisted domains, rather than just the application domain. I have no need for this personally, but it’s worth noting as it could be useful to others.
The big learn
The Addressable gem saved a lot of hackwork on this one. The validator needed to be able to assess redirects with and without schemes (schemes are prepended before_save
, not before_validation
), which Ruby’s inbuilt URI
has difficulty with: URI.parse('www.google.com').host
returns nil
, becuase URI
doesn’t parse the unqualified URL.
Using Addressable::URI.heuristic_parse('www.google.com')
, the return object is fully qualified and will respond to the .host
method.
Once that was in place, checking against the application’s host (set in application.rb
) was easy. There was a while where I ran around in circles trying to get Rails to see it’s own address, but because of the reverse-proxied architecture in production and staging, it just kept returning meaningless values. The workaround would be to make an actual HTTP request externally and see what the response says about ourselves… but that could take for ever. Faster to just tell the app who/where it is.