# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Sanitizable do
let_it_be(:klass) do
Class.new do
include ActiveModel::Model
include ActiveModel::Attributes
include ActiveModel::Validations
include ActiveModel::Validations::Callbacks
include Sanitizable
attribute :id, :integer
attribute :name, :string
attribute :description, :string
attribute :html_body, :string
sanitizes! :name, :description
def self.model_name
ActiveModel::Name.new(self, nil, 'SomeModel')
end
end
end
shared_examples 'noop' do
it 'has no effect' do
expect(subject).to eq(input)
end
end
shared_examples 'a sanitizable field' do |field|
let(:record) { klass.new(id: 1, name: input, description: input, html_body: input) }
before do
record.valid?
end
subject { record.public_send(field) }
describe field do
context 'when input is nil' do
let_it_be(:input) { nil }
it_behaves_like 'noop'
end
context 'when input does not contain any html' do
let_it_be(:input) { 'hello, world!' }
it_behaves_like 'noop'
end
context 'when input contains html' do
let_it_be(:input) { 'hello' }
it 'sanitizes the input' do
expect(subject).to eq('hello')
end
context 'when input includes html entities' do
let(:input) { 'hello&world
' }
it 'does not escape them' do
expect(subject).to eq(' hello&world ')
end
end
end
context 'when input contains pre-escaped html entities' do
let_it_be(:input) { '<script>alert(1)</script>' }
it_behaves_like 'noop'
it 'is not valid', :aggregate_failures do
expect(record).not_to be_valid
expect(record.errors.full_messages).to contain_exactly(
'Name cannot contain escaped HTML entities',
'Description cannot contain escaped HTML entities'
)
end
end
context 'when input contains double-escaped data' do
let_it_be(:input) do
'%2526lt%253Bscript%2526gt%253Balert%25281%2529%2526lt%253B%252Fscript%2526gt%253B'
end
it_behaves_like 'noop'
it 'is not valid', :aggregate_failures do
expect(record).not_to be_valid
expect(record.errors.full_messages).to contain_exactly(
'Name cannot contain escaped components',
'Description cannot contain escaped components'
)
end
end
context 'when input contains a path traversal attempt' do
let_it_be(:input) { 'main../../../../../../api/v4/projects/1/import_project_members/2' }
it_behaves_like 'noop'
it 'is not valid', :aggregate_failures do
expect(record).not_to be_valid
expect(record.errors.full_messages).to contain_exactly(
'Name cannot contain a path traversal component',
'Description cannot contain a path traversal component'
)
end
end
context 'when input contains both path traversal attempt and pre-escaped entities' do
let_it_be(:input) do
'main../../../../../../api/v4/projects/1/import_project_members/2<script>alert(1)</script>'
end
it_behaves_like 'noop'
it 'is not valid', :aggregate_failures do
expect(record).not_to be_valid
expect(record.errors.full_messages).to contain_exactly(
'Name cannot contain a path traversal component',
'Name cannot contain escaped HTML entities',
'Description cannot contain a path traversal component',
'Description cannot contain escaped HTML entities'
)
end
end
end
end
shared_examples 'a non-sanitizable field' do |field, input|
describe field do
subject { klass.new(field => input).valid? }
it 'has no effect' do
expect(Sanitize).not_to receive(:fragment)
subject
end
end
end
it_behaves_like 'a non-sanitizable field', :id, 1
it_behaves_like 'a non-sanitizable field', :html_body, 'hello'
it_behaves_like 'a sanitizable field', :name
it_behaves_like 'a sanitizable field', :description
end