SECURITY: Restrict allowed URL patterns

Restrict allowed URL patterns for oneboxes.
Blake Erickson
2024-12-19 11:01:54 -07:00
committed by Roman Rizzi
parent 17e1bfe069
commit 17116c440b
86 changed files with 1131 additions and 61 deletions


@ -23,4 +23,31 @@ RSpec.describe Onebox::Engine::GitlabBlobOnebox do
expect(html).to include("module Onebox")
end
end
describe ".===" do
it "matches valid GitLab blob URL" do
valid_url = URI("https://gitlab.com/group/project/-/blob/main/file.txt")
expect(described_class === valid_url).to eq(true)
end
it "matches valid GitLab blob URL with www" do
valid_url_with_www = URI("https://www.gitlab.com/group/project/-/blob/main/file.txt")
expect(described_class === valid_url_with_www).to eq(true)
end
it "does not match URL with extra domain" do
malicious_url = URI("https://gitlab.com.malicious.com/group/project/-/blob/main/file.txt")
expect(described_class === malicious_url).to eq(false)
end
it "does not match URL with subdomain" do
subdomain_url = URI("https://sub.gitlab.com/group/project/-/blob/main/file.txt")
expect(described_class === subdomain_url).to eq(false)
end
it "does not match URL with invalid path" do
invalid_path_url = URI("https://gitlab.com/group/project/-/tree/main")
expect(described_class === invalid_path_url).to eq(false)
end
end
end
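Review bot: The new `.===` examples pin the extra-domain and subdomain rejections, but none of them vary the host's letter case or the scheme, so a matcher that compares the host as a lowercase literal, or that accepts only `https`, is indistinguishable here from one that does not. Hostnames are case-insensitive, so an example along the lines of `URI("https://GitLab.com/group/project/-/blob/main/file.txt")` asserting whichever outcome the engine intends, plus a sibling for an `http://` URL, would make the intended boundary explicit rather than leaving it to the implementation. The assertions also use `eq(true)`/`eq(false)`; if `===` is regex-backed it may return a `MatchData` or `nil`, in which case the positive examples would fail even though dispatch works, and `be_truthy`/`be_falsey` would encode only what the onebox matcher dispatch actually relies on. The enclosing `RSpec.describe` block starts above the hunk, and the `===` implementation under test is outside this file.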