Pin redir_protocols

Gemfile

@@ -8,6 +8,7 @@ group :development do
   gem "pry", "~> 0.10"
   gem "pry-byebug"
   gem "rspec", "~> 3.0"
+  gem "rspec-retry", "~> 0.6"
   gem "rubocop", "~> 0.52"
   gem "webmock", "~> 3.8"
 end

lib/github-pages-health-check.rb

@@ -66,6 +66,7 @@ def self.typhoeus_options
 
       @typhoeus_options = {
         :followlocation => true,
+        :redir_protocols => %i[http https], # don't allow non-http protocols on redirections
         :timeout => TIMEOUT,
         :accept_encoding => "gzip",
         :method => :head,

lib/github-pages-health-check/version.rb

@@ -2,6 +2,6 @@
 
 module GitHubPages
   module HealthCheck
-    VERSION = "1.18.3"
+    VERSION = "1.18.4"
   end
 end

spec/github_pages_health_check/domain_spec.rb

@@ -671,6 +671,78 @@
     end
   end
 
+  context "Protocol redirections" do
+    before do
+      @out = []
+
+      class SmallServer
+        def initialize(location, out)
+          @server = TCPServer.new(0)
+          @port = @server.addr[1]
+          @location = location
+          @out = out
+        end
+
+        attr_reader :port
+
+        def start
+          loop do
+            client = @server.accept
+
+            # Log
+            @out << "HIT #{@port}"
+
+            # Continue with HTTP redirect
+            if @location != "STOP"
+              request = client.gets
+              if request
+                response = <<~RESPONSE
+                  HTTP/1.1 301 Moved Permanently
+                  Location: #{@location}
+                RESPONSE
+                client.print response
+              end
+            end
+            client.close
+          end
+        end
+
+        def stop
+          @server.close
+        end
+      end
+
+      @servers = []
+      @servers << SmallServer.new("STOP", @out)
+      @servers << SmallServer.new("ftp://localhost:#{@servers[0].port}/", @out)
+      @servers.each do |server|
+        Thread.new { server.start }
+      end
+    end
+
+    after do
+      @servers.each(&:stop)
+    end
+
+    it "it does not follow anything other than http/https by default", :retry => 3 do
+      Typhoeus.get(
+        "http://localhost:#{@servers[1].port}",
+        GitHubPages::HealthCheck.typhoeus_options
+      )
+      expect(@out).to include("HIT #{@servers[1].port}")
+      expect(@out).to_not include("HIT #{@servers[0].port}")
+    end
+
+    it "it follows ftp if requested (negative test)", :retry => 3 do
+      Typhoeus.get(
+        "http://localhost:#{@servers[1].port}",
+        GitHubPages::HealthCheck.typhoeus_options.merge(:redir_protocols => %i[http https ftp])
+      )
+      expect(@out).to include("HIT #{@servers[1].port}")
+      expect(@out).to include("HIT #{@servers[0].port}")
+    end
+  end
+
   context "served by pages" do
     let(:domain) { "http://choosealicense.com" }
     let(:status) { 200 }

spec/spec_helper.rb

@@ -3,9 +3,11 @@
 require "bundler/setup"
 require "webmock/rspec"
 require "pry-byebug"
+require "rspec/retry"
+
 require_relative "../lib/github-pages-health-check"
 
-WebMock.disable_net_connect!
+WebMock.disable_net_connect!(:allow => "localhost")
 
 RSpec.configure do |config|
   config.raise_errors_for_deprecations!