Merge pull request #516 from bollwyvl/github-url-sanitizing

GitHub url sanitizing
jupyter · Oct 15, 2015 · fe8194d · fe8194d
2 parents 59feece + b5253f4
commit fe8194d
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 3 deletions.
diff --git a/nbviewer/tests/test_security.py b/nbviewer/tests/test_security.py
@@ -35,3 +35,14 @@ def test_url(self):
         url = self.url('localfile/../README.md')
         r = requests.get(url)
         self.assertEqual(r.status_code, 404)
+
+
+class URLLeakTestCase(NBViewerTestCase):
+    def test_gist(self):
+        url = self.url('/github/jupyter')
+        r = requests.get(url)
+        self.assertEqual(r.status_code, 200)
+        html = r.content
+        self.assertNotIn('client_id', html)
+        self.assertNotIn('client_secret', html)
+        self.assertNotIn('access_token', html)
diff --git a/nbviewer/utils.py b/nbviewer/utils.py
@@ -11,13 +11,33 @@
 from subprocess import check_output
 
 try:
-    from urllib.parse import quote as stdlib_quote
+    from urllib.parse import (
+        parse_qs,
+        quote as stdlib_quote,
+        urlencode,
+        urlparse,
+        urlunparse,
+    )
 except ImportError:
+    from urllib import urlencode
     from urllib2 import quote as stdlib_quote
+    from urlparse import (
+        parse_qs,
+        urlparse,
+        urlunparse,
+    )
+
 
 from IPython.utils import py3compat
 
 
+STRIP_PARAMS = [
+    'client_id',
+    'client_secret',
+    'access_token',
+]
+
+
 def quote(s):
     """unicode-safe quote
 
@@ -113,11 +133,11 @@ def response_text(response, encoding=None):
 # parse_header_links from requests.util
 # modified to actually return a dict, like the docstring says.
 
+
 def parse_header_links(value):
     """Return a dict of parsed link headers proxies.
 
     i.e. Link: <http:/.../front.jpeg>; rel=front; type="image/jpeg",<http://.../back.jpeg>; rel=back;type="image/jpeg"
-
     """
 
     links = {}
@@ -132,7 +152,19 @@ def parse_header_links(value):
 
         link = {}
 
-        link["url"] = url.strip("<> '\"")
+        parts = list(urlparse(url.strip("<> '\"")))
+
+        get_params = parse_qs(parts[4])
+
+        get_params = {
+            key: value[0]
+            for key, value in get_params.items()
+            if key not in STRIP_PARAMS
+        }
+        parts[4] = urlencode(get_params)
+
+        link["url"] = urlunparse(parts)
+
         for param in params.split(";"):
             try:
                 key, value = param.split("=")
@@ -146,6 +178,7 @@ def parse_header_links(value):
 
     return links
 
+
 def git_info(path):
     """Return some git info"""
     command = ['git', 'log', '-1', '--format=%H\n%s\n%cD']