SECURITY: Restrict allowed URL patterns

Restrict allowed URL patterns for oneboxes.
This commit is contained in:
Blake Erickson
2024-12-19 11:01:54 -07:00
committed by Roman Rizzi
parent 17e1bfe069
commit 17116c440b
86 changed files with 1131 additions and 61 deletions


@ -133,4 +133,39 @@ RSpec.describe Onebox::Engine::GithubCommitOnebox do
end
end
end
describe ".===" do
it "matches valid GitHub commit URL" do
valid_url =
URI("https://github.com/owner/repo/commit/9a9b9c9d9e9f9a9b9c9d9e9f9a9b9c9d9e9f9a9b")
expect(described_class === valid_url).to eq(true)
end
it "does not match URL with subdomain" do
subdomain_url =
URI(
"https://subdomain.github.com/owner/repo/commit/9a9b9c9d9e9f9g9h9i9j9k9l9m9n9o9p9q9r9s9t",
)
expect(described_class === subdomain_url).to eq(false)
end
it "does not match URL with additional domain" do
malicious_url =
URI(
"https://github.com.malicious.com/owner/repo/commit/9a9b9c9d9e9f9g9h9i9j9k9l9m9n9o9p9q9r9s9t",
)
expect(described_class === malicious_url).to eq(false)
end
it "does not match URL with invalid path" do
invalid_path_url =
URI("https://github.com/owner/repo/invalid/9a9b9c9d9e9f9g9h9i9j9k9l9m9n9o9p9q9r9s9t")
expect(described_class === invalid_path_url).to eq(false)
end
it "does not match URL with invalid commit hash" do
invalid_hash_url = URI("https://github.com/owner/repo/commit/invalidhash")
expect(described_class === invalid_hash_url).to eq(false)
end
end
end
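Review bot: The three negative cases for the subdomain, the look-alike domain and the invalid path use a 40-character "hash" containing non-hex characters (`9g9h9i...9s9t`), so each of them can fail the match on the hash alone and would still pass even if the host or path check were broken. Only the last example isolates the hash rule, so the host checks in the subdomain and look-alike-domain examples are currently untested by this spec. Use the same valid hash as the positive case in those three URLs, e.g. `"https://subdomain.github.com/owner/repo/commit/9a9b9c9d9e9f9a9b9c9d9e9f9a9b9c9d9e9f9a9b"`, `"https://github.com.malicious.com/owner/repo/commit/9a9b9c9d9e9f9a9b9c9d9e9f9a9b9c9d9e9f9a9b"` and `"https://github.com/owner/repo/invalid/9a9b9c9d9e9f9a9b9c9d9e9f9a9b9c9d9e9f9a9b"`, so that each example rejects the URL for exactly the reason named in its description. A case for a different scheme or a userinfo prefix (`https://github.com@evil.example/...`, constructed) would round out the host-matching coverage if the engine's pattern is meant to reject those too.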