From 25f9c804013974826c422ccc7d41a368b61d5236 Mon Sep 17 00:00:00 2001
From: Nick Morgan
Date: Sun, 25 Apr 2021 19:26:11 -0400
Subject: [PATCH 1/3] Fail faster on infinite redirects

This commit reverts the ordering that was changed in: https://github.com/oauth-xx/oauth-ruby/commit/d74b767f464ee045cec75504974ff897b3dc0076#diff-7539411a25dc370ad4ed8baed9d33ad853f07cadcfcc8c566494ecc438f5bd16

Once we know we are in an infinite redirect, we should fail immediately.
---
 lib/oauth/consumer.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
index fd2f3185..5a618078 100644
--- a/lib/oauth/consumer.rb
+++ b/lib/oauth/consumer.rb
@@ -243,12 +243,14 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
 uri = URI.parse(response['location'])
 our_uri = URI.parse(site)
+ # Guard against infinite redirects
+ response.error! if uri.path == path && our_uri.host == uri.host
+
 if uri.path == path && our_uri.host != uri.host
 options[:site] = "#{uri.scheme}://#{uri.host}"
 @http = create_http
 end
- response.error! if uri.path == path && our_uri.host == uri.host # careful of those infinite redirects
 self.token_request(http_method, uri.path, token, request_options, arguments)
 when (400..499)
 raise OAuth::Unauthorized, response

From cb93c727e9f25def01b4ccb37ff038f12a2fbd83 Mon Sep 17 00:00:00 2001
From: Nick Morgan
Date: Sun, 25 Apr 2021 20:26:54 -0400
Subject: [PATCH 2/3] Adding test for not following infinite redirect

---
 lib/oauth/consumer.rb | 2 +-
 test/units/test_consumer.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
index 5a618078..5b6468c3 100644
--- a/lib/oauth/consumer.rb
+++ b/lib/oauth/consumer.rb
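Review bot: The added guard rejects only the exact self-redirect (same host and same path), so the recursive `self.token_request(http_method, uri.path, token, request_options, arguments)` a few lines below is still unbounded for every other loop shape — two locations that redirect to each other, or a chain that changes the path on each hop — and a misbehaving token endpoint can drive the client into unbounded recursion. A hop counter carried through the recursion, or a fixed redirect limit checked before the recursive call, would make `response.error!` fire for any loop rather than this one pattern. Separately, the `options[:site] = "#{uri.scheme}://#{uri.host}"` branch adopts the redirect target's scheme unchecked (and drops any explicit port), so an https site that redirects to http has the token request re-sent in cleartext; `response.error! if our_uri.scheme == "https" && uri.scheme != "https"` before switching sites would close that. The comment `# Guard against infinite redirects` overstates what the check does; `# Reject the trivial self-redirect; longer redirect loops are not bounded here` is accurate. token_request begins and ends outside the hunk.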
@@ -239,7 +239,7 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
 end
 end
 when (300..399)
- # this is a redirect
+ # Parse redirect to follow
 uri = URI.parse(response['location'])
 our_uri = URI.parse(site)
diff --git a/test/units/test_consumer.rb b/test/units/test_consumer.rb
index 8c58674f..3cffb336 100644
--- a/test/units/test_consumer.rb
+++ b/test/units/test_consumer.rb
@@ -263,6 +263,22 @@ def test_follow_redirect_different_host_same_path
 assert_equal 'secret', hash[:oauth_token_secret]
 end
+ def test_not_following_redirect_with_same_uri
+ request_uri = URI.parse("http://example.com/request_token")
+ redirect_uri = request_uri.clone
+
+ stub_request(:get, request_uri.to_s).to_return(
+ :status => 301,
+ :headers => {'Location' => redirect_uri.to_s}
+ )
+
+ assert_raises Net::HTTPRetriableError do
+ @consumer.token_request(:get, request_uri.path) {
+ { :oauth_token => 'token', :oauth_token_secret => 'secret' }
+ }
+ end
+ end
+
 def test_that_can_provide_a_block_to_interpret_a_request_token_response
 @consumer.expects(:request).returns(create_stub_http_response)

From aaad894cc9e9fd7d13da595e752137c377761c1b Mon Sep 17 00:00:00 2001
From: Peter Boling
Date: Mon, 1 Nov 2021 03:07:15 +0700
Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=9A=A8=20Linting?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Peter Boling
---
 lib/oauth/consumer.rb | 2 +-
 test/units/test_consumer.rb | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
index ccb0b8a9..a840f94c 100644
--- a/lib/oauth/consumer.rb
+++ b/lib/oauth/consumer.rb
@@ -243,7 +243,7 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
 end
 when (300..399)
 # Parse redirect to follow
- uri = URI.parse(response['location'])
+ uri = URI.parse(response["location"])
 our_uri = URI.parse(site)
 # Guard against infinite redirects
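Review bot: `test_not_following_redirect_with_same_uri` exercises only the shape the consumer's guard rejects — a 301 whose `Location` is the request URI itself — so the cases the guard still lets through (a redirect to another host, or to another path, that then redirects back) have no test and the limit of the fix stays invisible to the suite. A sibling test stubbing two URIs that point at each other would make that gap explicit; until the consumer bounds redirect depth it should be marked as pending rather than asserting an outcome the code cannot yet produce. Minor: `redirect_uri = request_uri.clone` followed by `redirect_uri.to_s` can be replaced by reusing `request_uri.to_s` in the `Location` header, which makes the "same URI" intent obvious at a glance.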
diff --git a/test/units/test_consumer.rb b/test/units/test_consumer.rb
index 43eecf7d..deb19fc1 100644
--- a/test/units/test_consumer.rb
+++ b/test/units/test_consumer.rb
@@ -269,13 +269,13 @@ def test_not_following_redirect_with_same_uri
 stub_request(:get, request_uri.to_s).to_return(
 :status => 301,
- :headers => {'Location' => redirect_uri.to_s}
+ :headers => {"Location" => redirect_uri.to_s}
 )
 assert_raises Net::HTTPRetriableError do
- @consumer.token_request(:get, request_uri.path) {
- { :oauth_token => 'token', :oauth_token_secret => 'secret' }
- }
+ @consumer.token_request(:get, request_uri.path) do
+ { :oauth_token => "token", :oauth_token_secret => "secret" }
+ end
 end
 end