FIX: Better and more secure validation of periods for TopicQuery

Co-authored-by: Martin Brennan <mjrbrennan@gmail.com>
Robin Ward
2021-07-23 13:52:35 -04:00
parent c7beb0b9a6
commit 7b45a5ce55
10 changed files with 68 additions and 75 deletions


@ -116,6 +116,25 @@ describe EmbedController do
expect(response.body).to match("data-referer=\"https://example.com/evil-trout\"")
end
it "returns a list of topics if the top_period is not valid" do
topic1 = Fabricate(:topic)
topic2 = Fabricate(:topic)
good_topic = Fabricate(:topic, like_count: 1000, posts_count: 100)
TopTopic.refresh!
TopicQuery.any_instance.expects(:list_top_for).never
get '/embed/topics?discourse_embed_id=de-1234&top_period=decadely', headers: {
'REFERER' => 'https://example.com/evil-trout'
}
expect(response.status).to eq(200)
expect(response.headers['X-Frame-Options']).to be_nil
expect(response.body).to match("data-embed-id=\"de-1234\"")
expect(response.body).to match("data-topic-id=\"#{good_topic.id}\"")
expect(response.body).to match("data-topic-id=\"#{topic1.id}\"")
expect(response.body).to match("data-topic-id=\"#{topic2.id}\"")
expect(response.body).to match("data-referer=\"https://example.com/evil-trout\"")
end
it "wraps the list in a custom class" do
topic = Fabricate(:topic)
get '/embed/topics?discourse_embed_id=de-1234&embed_class=my-special-class', headers: {