SECURITY: ensure embed_url contains valid http(s) uri

Blake Erickson
2020-05-22 14:54:37 -06:00
parent bf8085e436
commit 03d26cd6f0
4 changed files with 25 additions and 0 deletions


@ -675,6 +675,17 @@ describe PostsController do
I18n.t("invalid_params", message: "category")
)
end
it 'will raise an error if specified embed_url is invalid' do
user = Fabricate(:admin)
master_key = Fabricate(:api_key).key
post "/posts.json",
params: { title: 'this is a test title', raw: 'this is test body', embed_url: '/test.txt' },
headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }
expect(response.status).to eq(422)
end
end
describe "when logged in" do
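Review bot: The added spec covers a single invalid shape, the relative path `embed_url: '/test.txt'`, so no test in this hunk pins the scheme half of the rule in the commit title (valid http(s) URI). I would add a sibling example that posts an absolute URI in a non-http scheme, for instance `embed_url: 'ftp://example.com/test.txt'` (a constructed value), and still expects 422. Asserting only `expect(response.status).to eq(422)` lets any unrelated validation failure satisfy the test; also checking that the response body names embed_url would tie the failure to this check. The validator is in another file of this commit and the enclosing describe block starts outside this hunk, so whether other schemes are already rejected cannot be confirmed from this section.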