Ensure we raise if the root domain changed and it was not an expected behavior

Guillaume Feliciano · amro · commit b2eb99ed304d · 2022-02-18T07:58:42.000-05:00
diff --git a/lib/gibbon/api_request.rb b/lib/gibbon/api_request.rb
@@ -194,6 +194,8 @@ def api_url
 
     def base_api_url
       computed_api_endpoint = "https://#{get_data_center_from_api_key(self.api_key)}api.mailchimp.com"
+      raise Gibbon::GibbonError, "SSRF attempt" unless URI(computed_api_endpoint).host.include?("api.mailchimp.com")
+
       "#{self.api_endpoint || computed_api_endpoint}/3.0/"
     end
   end
diff --git a/spec/gibbon/gibbon_spec.rb b/spec/gibbon/gibbon_spec.rb
@@ -162,6 +162,12 @@
       @request = Gibbon::APIRequest.new(builder: @gibbon)
       expect {@request.validate_api_key}.not_to raise_error
     end
+
+    it "raises with a valid SSRF attack" do
+      @api_key = "-attacker.net/test/?"
+      @gibbon.api_key = @api_key
+      expect {@gibbon.try.retrieve}.not_to raise_error
+    end
   end
 
   describe "class variables" do
@@ -213,7 +219,7 @@
     it "set debug on new instances" do
       expect(Gibbon::Request.new.debug).to eq(Gibbon::Request.debug)
     end
-    
+
     it "set faraday_adapter on new instances" do
       expect(Gibbon::Request.new.faraday_adapter).to eq(Gibbon::Request.faraday_adapter)
     end
