Starts_with when fetching jku

[snyff]

Hi,

I was looking at the code and it seems like starts_with may not be the ideal method here (or maybe some level of canonicalisation would be good):

roo_on_rails/lib/roo_on_rails/rack/populate_env_from_jwt.rb

Line 78 in 29d664e

key_prefixes.any? { |acceptable| key_url.starts_with?(acceptable) }

Example:
http://trusted.com/.well-known/../bad/another_file.json starts_with? http://trusted.com/.well-known/
http://trusted.com/.well-known/../bad/another_bug starts_with? http://trusted.com/.well-known/
http://trusted.com@example.org starts_with? http://trusted.com

One good thing is that your http client configuration doesn't follow redirect so it makes exploitation a lot harder.

It may also be good to enforce the scheme to https in

roo_on_rails/lib/roo_on_rails/rack/populate_env_from_jwt.rb

Line 96 in 29d664e

json = http_request.get(mapped_url(key_url)).body

for people using your library and to follow the RFC.