Remove access token parameter if found on URL

2021-03-15 15:17:48 -07:00 · 2021-03-15 15:17:48 -07:00 · 867d65b079
commit 867d65b079
parent 51382a0d0a
2 changed files with 36 additions and 0 deletions
--- a/plugins/commands/cloud/auth/middleware/add_authentication.rb
+++ b/plugins/commands/cloud/auth/middleware/add_authentication.rb
@ -84,6 +84,25 @@ module VagrantPlugins
            end
          end
        else
+          env[:box_urls].map! do |url|
+            begin
+              u = URI.parse(url)
+              q = CGI.parse(u.query || "")
+              if q["access_token"]
+                @logger.warn("Removing access token from URL parameter.")
+                q.delete("access_token")
+                if q.empty?
+                  u.query = nil
+                else
+                  u.query = URI.encode_www_form(q)
+                end
+              end
+
+              u.to_s
+            rescue URI::Error
+              url
+            end
+          end
          @logger.warn("Authentication token not added as GET parameter.")
        end
        @app.call(env)
--- a/test/unit/plugins/commands/cloud/auth/middleware/add_authentication_test.rb
+++ b/test/unit/plugins/commands/cloud/auth/middleware/add_authentication_test.rb
@ -186,6 +186,23 @@ describe VagrantPlugins::CloudCommand::AddAuthentication do

        expect(env[:box_urls]).to eq([box1, box2])
      end
+
+      it "removes access_token parameters if set" do
+        box1 = "http://vagrantcloud.com/box.box"
+        box2 = "http://app.vagrantup.com/box.box"
+        box3 = "http://app.vagrantup.com/box.box?arg1=value1"
+
+        env = {
+          box_urls: [
+            "#{box1}?access_token=TEST_TOKEN",
+            box2.dup,
+            "#{box3}&access_token=TEST_TOKEN"
+          ]
+        }
+        subject.call(env)
+
+        expect(env[:box_urls]).to eq([box1, box2, box3])
+      end
    end
  end
 end