fix: ambiguous path match in other phase

tommymccallig · tommymccallig · commit 1b465b984f0e · 2018-02-19T16:46:38.000Z
This closes #153
diff --git a/lib/omniauth/strategies/saml.rb b/lib/omniauth/strategies/saml.rb
@@ -69,7 +69,7 @@ def response_fingerprint
       end
 
       def other_phase
-        if current_path.start_with?(request_path)
+        if request_path_pattern.match(current_path)
           @env['omniauth.strategy'] ||= self
           setup_phase
 
@@ -120,6 +120,10 @@ def find_attribute_by(keys)
 
       private
 
+      def request_path_pattern
+        @request_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/|\z)}
+      end
+
       def on_subpath?(subpath)
         on_path?("#{request_path}/#{subpath}")
       end
diff --git a/spec/omniauth/strategies/saml_spec.rb b/spec/omniauth/strategies/saml_spec.rb
@@ -435,6 +435,15 @@ def test_default_relay_state(static_default_relay_state = nil, &block_default_re
     specify { expect(last_response.status).to eql 404 }
   end
 
+  context 'when hitting a route that contains a substring match for the strategy name' do
+    before { get '/auth/saml2/metadata' }
+
+    it 'should not set the strategy' do
+      expect(last_request.env['omniauth.strategy']).to be_nil
+      expect(last_response.status).to eql 404
+    end
+  end
+
   describe 'subclass behavior' do
     it 'registers subclasses in OmniAuth.strategies' do
       subclass = Class.new(described_class)
