github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-24 12:21:11 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Restrict allowed URL patterns

Browse Source 
Restrict allowed URL patterns for oneboxes.
This commit is contained in:
Blake Erickson
2024-12-19 11:01:54 -07:00
committed by Roman Rizzi
parent 17e1bfe069
commit 17116c440b
86 changed files with 1131 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
spec/lib/onebox/engine/github_gist_onebox_spec.rb
View File

@ -70,4 +70,31 @@ RSpec.describe Onebox::Engine::GithubGistOnebox do
end
end
end
describe ".===" do
it "matches valid Gist URL" do
valid_url = URI("https://gist.github.com/username/123456")
expect(described_class === valid_url).to eq(true)
end
it "matches valid Gist URL with trailing slash" do
valid_url_with_slash = URI("https://gist.github.com/username/123456/")
expect(described_class === valid_url_with_slash).to eq(true)
end
it "does not match URL with extra domain" do
malicious_url = URI("https://gist.github.com.malicious.com/username/123456")
expect(described_class === malicious_url).to eq(false)
end
it "does not match URL with subdomain" do
subdomain_url = URI("https://sub.gist.github.com/username/123456")
expect(described_class === subdomain_url).to eq(false)
end
it "does not match URL with wrong domain" do
invalid_url = URI("https://gist.github.io/username/123456")
expect(described_class === invalid_url).to eq(false)
end
end
end