From 867d65b079a09c9629b792daddb2b4fcc9a6a310 Mon Sep 17 00:00:00 2001
From: Chris Roberts
Date: Mon, 15 Mar 2021 15:17:48 -0700
Subject: [PATCH] Remove access token parameter if found on URL
---
 .../auth/middleware/add_authentication.rb | 19 +++++++++++++++++++
 .../middleware/add_authentication_test.rb | 17 +++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/plugins/commands/cloud/auth/middleware/add_authentication.rb b/plugins/commands/cloud/auth/middleware/add_authentication.rb
index 464acc791..704a07967 100644
--- a/plugins/commands/cloud/auth/middleware/add_authentication.rb
+++ b/plugins/commands/cloud/auth/middleware/add_authentication.rb
@@ -84,6 +84,25 @@ module VagrantPlugins
 end
 end
 else
+ env[:box_urls].map! do |url|
+ begin
+ u = URI.parse(url)
+ q = CGI.parse(u.query || "")
+ if q["access_token"]
+ @logger.warn("Removing access token from URL parameter.")
+ q.delete("access_token")
+ if q.empty?
+ u.query = nil
+ else
+ u.query = URI.encode_www_form(q)
+ end
+ end
+
+ u.to_s
+ rescue URI::Error
+ url
+ end
+ end
 @logger.warn("Authentication token not added as GET parameter.")
 end
 @app.call(env)
diff --git a/test/unit/plugins/commands/cloud/auth/middleware/add_authentication_test.rb b/test/unit/plugins/commands/cloud/auth/middleware/add_authentication_test.rb
index 2bad351e0..bb72329a1 100644
--- a/test/unit/plugins/commands/cloud/auth/middleware/add_authentication_test.rb
+++ b/test/unit/plugins/commands/cloud/auth/middleware/add_authentication_test.rb
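Review bot: The guard `if q["access_token"]` in the added `map!` block looks like it is always true, because `CGI.parse` returns a hash whose default value is an empty array, so a URL without the parameter still enters the branch. As written, every parseable box URL would log "Removing access token from URL parameter." and have its query rebuilt by `URI.encode_www_form`, which can change the encoding of a query that never carried a token (a pre-signed download URL, for example) and makes the warning useless as a signal that a credential was actually present in a URL. Testing for the key keeps token-free URLs untouched: `if q.key?("access_token")`. The enclosing method and the condition that selects this `else` branch are outside the hunk, so whether stripping should apply to every host in `env[:box_urls]` could not be checked here.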
@@ -186,6 +186,23 @@ describe VagrantPlugins::CloudCommand::AddAuthentication do
 expect(env[:box_urls]).to eq([box1, box2])
 end
+
+ it "removes access_token parameters if set" do
+ box1 = "http://vagrantcloud.com/box.box"
+ box2 = "http://app.vagrantup.com/box.box"
+ box3 = "http://app.vagrantup.com/box.box?arg1=value1"
+
+ env = {
+ box_urls: [
+ "#{box1}?access_token=TEST_TOKEN",
+ box2.dup,
+ "#{box3}&access_token=TEST_TOKEN"
+ ]
+ }
+ subject.call(env)
+
+ expect(env[:box_urls]).to eq([box1, box2, box3])
+ end
 end
 end
 end
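Review bot: The added example only uses URLs whose query re-encodes to the same string once the token is gone, so it passes whether or not the middleware rewrites URLs that never carried a token. A case with a query but no `access_token` whose encoding would change on a rebuild (constructed sample: `http://app.vagrantup.com/box.box?arg1=a%20b`), asserted to come back byte-identical, would pin that behaviour. A box path that `URI.parse` rejects would exercise the `rescue URI::Error` branch, which has no coverage in this hunk. The `describe` block starts outside the hunk.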