2018-12-05 23:21:45 +05:30
|
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2018-03-27 19:54:05 +05:30
|
|
|
|
require 'spec_helper'
|
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
|
RSpec.describe AddressableUrlValidator do
|
2018-11-08 19:23:39 +05:30
|
|
|
|
let!(:badge) { build(:badge, link_url: 'http://www.example.com') }
|
2020-01-01 13:55:28 +05:30
|
|
|
|
|
2020-03-07 23:17:34 +05:30
|
|
|
|
let(:validator) { described_class.new(validator_options.reverse_merge(attributes: [:link_url])) }
|
|
|
|
|
let(:validator_options) { {} }
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
subject { validator.validate(badge) }
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
include_examples 'url validator examples', described_class::DEFAULT_OPTIONS[:schemes]
|
2018-11-08 19:23:39 +05:30
|
|
|
|
|
2018-11-29 20:51:05 +05:30
|
|
|
|
describe 'validations' do
|
|
|
|
|
include_context 'invalid urls'
|
2021-12-11 22:18:48 +05:30
|
|
|
|
include_context 'valid urls with CRLF'
|
2018-11-29 20:51:05 +05:30
|
|
|
|
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url]) }
|
|
|
|
|
|
|
|
|
|
it 'returns error when url is nil' do
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(validator.validate_each(badge, :link_url, nil)).to be_falsey
|
2021-06-08 01:23:25 +05:30
|
|
|
|
expect(badge.errors.added?(:link_url, validator.options.fetch(:message))).to be true
|
2018-11-29 20:51:05 +05:30
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'returns error when url is empty' do
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(validator.validate_each(badge, :link_url, '')).to be_falsey
|
2021-06-08 01:23:25 +05:30
|
|
|
|
expect(badge.errors.added?(:link_url, validator.options.fetch(:message))).to be true
|
2018-11-29 20:51:05 +05:30
|
|
|
|
end
|
|
|
|
|
|
2021-12-11 22:18:48 +05:30
|
|
|
|
it 'allows urls with encoded CR or LF characters' do
|
|
|
|
|
aggregate_failures do
|
2022-06-21 17:19:12 +05:30
|
|
|
|
valid_urls_with_crlf.each do |url|
|
2021-12-11 22:18:48 +05:30
|
|
|
|
validator.validate_each(badge, :link_url, url)
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2018-11-29 20:51:05 +05:30
|
|
|
|
it 'does not allow urls with CR or LF characters' do
|
|
|
|
|
aggregate_failures do
|
2022-06-21 17:19:12 +05:30
|
|
|
|
urls_with_crlf.each do |url|
|
2021-12-11 22:18:48 +05:30
|
|
|
|
badge = build(:badge, link_url: 'http://www.example.com')
|
2021-06-08 01:23:25 +05:30
|
|
|
|
validator.validate_each(badge, :link_url, url)
|
|
|
|
|
|
|
|
|
|
expect(badge.errors.added?(:link_url, 'is blocked: URI is invalid')).to be true
|
2018-11-29 20:51:05 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2019-07-31 22:56:46 +05:30
|
|
|
|
|
|
|
|
|
it 'provides all arguments to UrlBlock validate' do
|
|
|
|
|
expect(Gitlab::UrlBlocker)
|
|
|
|
|
.to receive(:validate!)
|
|
|
|
|
.with(badge.link_url, described_class::BLOCKER_VALIDATE_OPTIONS)
|
|
|
|
|
.and_return(true)
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
2018-11-29 20:51:05 +05:30
|
|
|
|
end
|
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
context 'by default' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url]) }
|
|
|
|
|
|
|
|
|
|
it 'does not block urls pointing to localhost' do
|
|
|
|
|
badge.link_url = 'https://127.0.0.1'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'does not block urls pointing to the local network' do
|
|
|
|
|
badge.link_url = 'https://192.168.1.1'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'does block nil urls' do
|
|
|
|
|
badge.link_url = nil
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_present
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'does block blank urls' do
|
|
|
|
|
badge.link_url = '\n\r \n'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_present
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
2018-12-05 23:21:45 +05:30
|
|
|
|
|
|
|
|
|
it 'strips urls' do
|
|
|
|
|
badge.link_url = "\n\r\n\nhttps://127.0.0.1\r\n\r\n\n\n\n"
|
|
|
|
|
|
|
|
|
|
# It's unusual for a validator to modify its arguments. Some extensions,
|
|
|
|
|
# such as attr_encrypted, freeze the string to signal that modifications
|
|
|
|
|
# will not be persisted, so freeze this string to ensure the scheme is
|
|
|
|
|
# compatible with them.
|
|
|
|
|
badge.link_url.freeze
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
expect(badge.link_url).to eq('https://127.0.0.1')
|
|
|
|
|
end
|
2019-12-04 20:38:33 +05:30
|
|
|
|
|
|
|
|
|
it 'allows urls that cannot be resolved' do
|
|
|
|
|
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
|
|
|
|
|
badge.link_url = 'http://foobar.x'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
context 'when message is set' do
|
|
|
|
|
let(:message) { 'is blocked: test message' }
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], allow_nil: false, message: message) }
|
|
|
|
|
|
|
|
|
|
it 'does block nil url with provided error message' do
|
|
|
|
|
expect(validator.validate_each(badge, :link_url, nil)).to be_falsey
|
2021-06-08 01:23:25 +05:30
|
|
|
|
expect(badge.errors.added?(:link_url, message)).to be true
|
2019-07-31 22:56:46 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2020-03-07 23:17:34 +05:30
|
|
|
|
context 'when blocked_message is set' do
|
|
|
|
|
let(:message) { 'is not allowed due to: %{exception_message}' }
|
|
|
|
|
let(:validator_options) { { blocked_message: message } }
|
|
|
|
|
|
|
|
|
|
it 'blocks url with provided error message' do
|
|
|
|
|
badge.link_url = 'javascript:alert(window.opener.document.location)'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2021-06-08 01:23:25 +05:30
|
|
|
|
expect(badge.errors.added?(:link_url, 'is not allowed due to: Only allowed schemes are http, https')).to be true
|
2020-03-07 23:17:34 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
context 'when allow_nil is set to true' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], allow_nil: true) }
|
|
|
|
|
|
|
|
|
|
it 'does not block nil urls' do
|
|
|
|
|
badge.link_url = nil
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when allow_blank is set to true' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], allow_blank: true) }
|
|
|
|
|
|
|
|
|
|
it 'does not block blank urls' do
|
|
|
|
|
badge.link_url = "\n\r \n"
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
context 'when allow_localhost is set to false' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], allow_localhost: false) }
|
|
|
|
|
|
|
|
|
|
it 'blocks urls pointing to localhost' do
|
|
|
|
|
badge.link_url = 'https://127.0.0.1'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when allow_setting_local_requests is set to true' do
|
|
|
|
|
it 'does not block urls pointing to localhost' do
|
|
|
|
|
expect(described_class)
|
|
|
|
|
.to receive(:allow_setting_local_requests?)
|
|
|
|
|
.and_return(true)
|
|
|
|
|
|
|
|
|
|
badge.link_url = 'https://127.0.0.1'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when allow_local_network is set to false' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], allow_local_network: false) }
|
|
|
|
|
|
|
|
|
|
it 'blocks urls pointing to the local network' do
|
|
|
|
|
badge.link_url = 'https://192.168.1.1'
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when allow_setting_local_requests is set to true' do
|
|
|
|
|
it 'does not block urls pointing to local network' do
|
|
|
|
|
expect(described_class)
|
|
|
|
|
.to receive(:allow_setting_local_requests?)
|
|
|
|
|
.and_return(true)
|
|
|
|
|
|
|
|
|
|
badge.link_url = 'https://192.168.1.1'
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when ports is' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], ports: ports) }
|
|
|
|
|
|
|
|
|
|
context 'empty' do
|
|
|
|
|
let(:ports) { [] }
|
|
|
|
|
|
|
|
|
|
it 'does not block any port' do
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
2018-03-27 19:54:05 +05:30
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
context 'set' do
|
|
|
|
|
let(:ports) { [443] }
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
it 'blocks urls with a different port' do
|
2018-03-27 19:54:05 +05:30
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
2018-03-27 19:54:05 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when enforce_user is' do
|
2022-10-11 01:57:18 +05:30
|
|
|
|
let(:url) { 'http://$user@example.com' }
|
2018-11-08 19:23:39 +05:30
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], enforce_user: enforce_user) }
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
context 'true' do
|
|
|
|
|
let(:enforce_user) { true }
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
it 'checks user format' do
|
|
|
|
|
badge.link_url = url
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
2018-03-27 19:54:05 +05:30
|
|
|
|
end
|
2018-11-08 19:23:39 +05:30
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'false (default)' do
|
|
|
|
|
let(:enforce_user) { false }
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
|
it 'does not check user format' do
|
|
|
|
|
badge.link_url = url
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
2018-03-27 19:54:05 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
|
|
|
|
|
|
context 'when ascii_only is' do
|
2022-10-11 01:57:18 +05:30
|
|
|
|
let(:url) { 'https://𝕘itⅼαƄ.com/foo/foo.bar' }
|
2019-02-15 15:39:39 +05:30
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], ascii_only: ascii_only) }
|
|
|
|
|
|
|
|
|
|
context 'true' do
|
|
|
|
|
let(:ascii_only) { true }
|
|
|
|
|
|
|
|
|
|
it 'prevents unicode characters' do
|
|
|
|
|
badge.link_url = url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
2019-02-15 15:39:39 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'false (default)' do
|
|
|
|
|
let(:ascii_only) { false }
|
|
|
|
|
|
|
|
|
|
it 'does not prevent unicode characters' do
|
|
|
|
|
badge.link_url = url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
2019-02-15 15:39:39 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'when enforce_sanitization is' do
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], enforce_sanitization: enforce_sanitization) }
|
|
|
|
|
let(:unsafe_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
|
|
|
|
|
let(:safe_url) { 'https://replaceme.com/path/to/somewhere' }
|
|
|
|
|
|
|
|
|
|
let(:unsafe_internal_url) do
|
|
|
|
|
Gitlab.config.gitlab.protocol + '://' + Gitlab.config.gitlab.host +
|
|
|
|
|
"/'><script>alert(document.cookie)</script>"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'true' do
|
|
|
|
|
let(:enforce_sanitization) { true }
|
|
|
|
|
|
|
|
|
|
it 'prevents unsafe urls' do
|
|
|
|
|
badge.link_url = unsafe_url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
2019-02-15 15:39:39 +05:30
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'prevents unsafe internal urls' do
|
|
|
|
|
badge.link_url = unsafe_internal_url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_present
|
2019-02-15 15:39:39 +05:30
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'allows safe urls' do
|
|
|
|
|
badge.link_url = safe_url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
2019-02-15 15:39:39 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'false' do
|
|
|
|
|
let(:enforce_sanitization) { false }
|
|
|
|
|
|
|
|
|
|
it 'allows unsafe urls' do
|
|
|
|
|
badge.link_url = unsafe_url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
2019-07-31 22:56:46 +05:30
|
|
|
|
expect(badge.errors).to be_empty
|
2019-02-15 15:39:39 +05:30
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2019-10-31 01:37:42 +05:30
|
|
|
|
|
2019-12-04 20:38:33 +05:30
|
|
|
|
context 'when dns_rebind_protection is' do
|
|
|
|
|
let(:not_resolvable_url) { 'http://foobar.x' }
|
|
|
|
|
let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
|
|
|
|
|
|
|
|
|
|
before do
|
|
|
|
|
stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
|
|
|
|
|
badge.link_url = not_resolvable_url
|
|
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'true' do
|
|
|
|
|
let(:dns_value) { true }
|
|
|
|
|
|
|
|
|
|
it 'raises error' do
|
|
|
|
|
expect(badge.errors).to be_present
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'false' do
|
|
|
|
|
let(:dns_value) { false }
|
|
|
|
|
|
|
|
|
|
it 'allows urls that cannot be resolved' do
|
|
|
|
|
expect(badge.errors).to be_empty
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
end
|