From 16ddafad9a9badecd868d92d9fd1560a5f508c94 Mon Sep 17 00:00:00 2001
From: David Taylor <david@taylorhq.com>
Date: Tue, 1 Nov 2022 17:38:00 +0000
Subject: [PATCH] SECURITY: Improve SSRF protections (#72)

See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr
---
 plugin.rb | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/plugin.rb b/plugin.rb
index 0eb0d9d..1545dc0 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -123,15 +123,14 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
                           opts[:scope] = SiteSetting.oauth2_scope
                         end
 
-                        if SiteSetting.oauth2_debug_auth && defined? OAuth2FaradayFormatter
-                          opts[:client_options][:connection_build] = lambda { |builder|
+                        opts[:client_options][:connection_build] = lambda { |builder|
+                          if SiteSetting.oauth2_debug_auth && defined? OAuth2FaradayFormatter
                             builder.response :logger, Rails.logger, { bodies: true, formatter: OAuth2FaradayFormatter }
+                          end
 
-                            # Default stack:
-                            builder.request :url_encoded             # form-encode POST params
-                            builder.adapter Faraday.default_adapter  # make requests with Net::HTTP
-                          }
-                        end
+                          builder.request :url_encoded                      # form-encode POST params
+                          builder.adapter FinalDestination::FaradayAdapter  # make requests with FinalDestination::HTTP
+                        }
                       }
   end
 
@@ -206,16 +205,14 @@ class ::OAuth2BasicAuthenticator < Auth::ManagedAuthenticator
 
   def fetch_user_details(token, id)
     user_json_url = SiteSetting.oauth2_user_json_url.sub(':token', token.to_s).sub(':id', id.to_s)
-    user_json_method = SiteSetting.oauth2_user_json_url_method
+    user_json_method = SiteSetting.oauth2_user_json_url_method.downcase.to_sym
 
     log("user_json_url: #{user_json_method} #{user_json_url}")
 
     bearer_token = "Bearer #{token}"
-    connection = Excon.new(
-      user_json_url,
-      headers: { 'Authorization' => bearer_token, 'Accept' => 'application/json' }
-    )
-    user_json_response = connection.request(method: user_json_method)
+    connection = Faraday.new { |f| f.adapter FinalDestination::FaradayAdapter }
+    headers = { 'Authorization' => bearer_token, 'Accept' => 'application/json' }
+    user_json_response = connection.run_request(user_json_method, user_json_url, nil, headers)
 
     log("user_json_response: #{user_json_response.inspect}")