github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-05 14:07:30 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: correct local onebox category checks

Browse Source 
Also removes ugly "source_topic_id" from cooked posts

Patch was authored by @zogstrip

Signed-off-by: Sam <sam.saffron@gmail.com>
This commit is contained in:
Sam
2018-02-14 10:39:44 +11:00
parent 548db91c76
commit f028ffaf29
14 changed files with 251 additions and 361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
spec/components/cooked_post_processor_spec.rb
View File

@ -479,10 +479,11 @@ describe CookedPostProcessor do
before do
Oneboxer.expects(:onebox)
.with("http://www.youtube.com/watch?v=9bZkp7q19f0", post_id: 123, invalidate_oneboxes: true)
.with("http://www.youtube.com/watch?v=9bZkp7q19f0", invalidate_oneboxes: true, user_id: nil, category_id: post.topic.category_id)
.returns("<div>GANGNAM STYLE</div>")
cpp.post_process_oneboxes
end
it "inserts the onebox without wrapping p" do
expect(cpp).to be_dirty
expect(cpp.html).to match_html "<div>GANGNAM STYLE</div>"

161
spec/components/onebox/engine/discourse_local_onebox_spec.rb
View File

@ -1,161 +0,0 @@
require 'rails_helper'
describe Onebox::Engine::DiscourseLocalOnebox do
before { SiteSetting.external_system_avatars_enabled = false }
def build_link(url)
%|<a href="#{url}" rel="nofollow noopener">#{url}</a>|
end
context "for a link to a post" do
let(:post) { Fabricate(:post) }
let(:post2) { Fabricate(:post, topic: post.topic, post_number: 2) }
it "returns a link if post isn't found" do
url = "#{Discourse.base_url}/t/not-exist/3/2"
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns a link if not allowed to see the post" do
url = "#{Discourse.base_url}#{post2.url}"
Guardian.any_instance.expects(:can_see_post?).returns(false)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns a link if post is hidden" do
hidden_post = Fabricate(:post, topic: post.topic, post_number: 2, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached])
url = "#{Discourse.base_url}#{hidden_post.url}"
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns some onebox goodness if post exists and can be seen" do
url = "#{Discourse.base_url}#{post2.url}?source_topic_id=#{post2.topic_id + 1}"
html = Onebox.preview(url).to_s
expect(html).to include(post2.excerpt)
expect(html).to include(post2.topic.title)
url = "#{Discourse.base_url}#{post2.url}/?source_topic_id=#{post2.topic_id + 1}"
html = Onebox.preview(url).to_s
expect(html).to include(post2.excerpt)
expect(html).to include(post2.topic.title)
html = Onebox.preview("#{Discourse.base_url}#{post2.url}").to_s
expect(html).to include(post2.user.username)
expect(html).to include(post2.excerpt)
end
end
context "for a link to a topic" do
let(:post) { Fabricate(:post) }
let(:topic) { post.topic }
it "returns a link if topic isn't found" do
url = "#{Discourse.base_url}/t/not-found/123"
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns a link if not allowed to see the topic" do
url = topic.url
Guardian.any_instance.expects(:can_see_topic?).returns(false)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "replaces emoji in the title" do
topic.update_column(:title, "Who wants to eat a :hamburger:")
expect(Onebox.preview(topic.url).to_s).to match(/hamburger\.png/)
end
it "returns some onebox goodness if topic exists and can be seen" do
html = Onebox.preview(topic.url).to_s
expect(html).to include(topic.ordered_posts.first.user.username)
expect(html).to include("<blockquote>")
html = Onebox.preview("#{topic.url}/?u=codinghorror").to_s
expect(html).to include(topic.ordered_posts.first.user.username)
expect(html).to include("<blockquote>")
end
end
context "for a link to a user profile" do
let(:user) { Fabricate(:user) }
it "returns a link if user isn't found" do
url = "#{Discourse.base_url}/u/none"
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns some onebox goodness if user exists" do
html = Onebox.preview("#{Discourse.base_url}/u/#{user.username}").to_s
expect(html).to include(user.username)
expect(html).to include(user.name)
expect(html).to include(user.created_at.strftime("%B %-d, %Y"))
expect(html).to include('<aside class="onebox">')
end
end
context "for a link to an internal audio or video file" do
let(:sha) { Digest::SHA1.hexdigest("discourse") }
let(:path) { "/uploads/default/original/3X/5/c/#{sha}" }
it "returns nil if file type is not audio or video" do
url = "#{Discourse.base_url}#{path}.pdf"
stub_request(:get, url).to_return(body: '')
expect(Onebox.preview(url).to_s).to eq("")
end
it "returns some onebox goodness for audio file" do
url = "#{Discourse.base_url}#{path}.MP3"
html = Onebox.preview(url).to_s
# </source> will be removed by the browser
# need to fix https://github.com/rubys/nokogumbo/issues/14
expect(html).to eq(%|<audio controls=""><source src="#{url}"></source>#{build_link(url)}</audio>|)
end
it "returns some onebox goodness for video file" do
url = "#{Discourse.base_url}#{path}.mov"
html = Onebox.preview(url).to_s
expect(html).to eq(%|<video width="100%" height="100%" controls=""><source src="#{url}"></source>#{build_link(url)}</video>|)
end
end
context "When deployed to a subfolder" do
let(:base_uri) { "/subfolder" }
let(:base_url) { "http://test.localhost#{base_uri}" }
before do
Discourse.stubs(:base_url).returns(base_url)
Discourse.stubs(:base_uri).returns(base_uri)
end
context "for a link to a post" do
let(:post) { Fabricate(:post) }
let(:post2) { Fabricate(:post, topic: post.topic, post_number: 2) }
it "returns some onebox goodness if post exists and can be seen" do
url = "#{Discourse.base_url}#{post2.url}?source_topic_id=#{post2.topic_id + 1}"
html = Onebox.preview(url).to_s
expect(html).to include(post2.excerpt)
expect(html).to include(post2.topic.title)
end
end
end
context "When login_required is enabled" do
before { SiteSetting.login_required = true }
context "for a link to a topic" do
let(:post) { Fabricate(:post) }
let(:topic) { post.topic }
it "returns some onebox goodness if post exists and can be seen" do
html = Onebox.preview(topic.url).to_s
expect(html).to include(topic.ordered_posts.first.user.username)
expect(html).to include("<blockquote>")
end
end
end
end

71
spec/components/oneboxer_spec.rb
View File

@ -11,4 +11,75 @@ describe Oneboxer do
expect(Oneboxer.onebox("http://boom.com")).to eq("")
end
context "local oneboxes" do
def link(url)
url = "#{Discourse.base_url}#{url}"
%{<a href="#{url}">#{url}</a>}
end
def preview(url, user, category = Category.first)
Oneboxer.preview("#{Discourse.base_url}#{url}", user_id: user.id, category_id: category.id).to_s
end
it "links to a topic/post" do
staff = Fabricate(:user)
Group[:staff].add(staff)
secured_category = Fabricate(:category)
secured_category.permissions = { staff: :full }
secured_category.save!
public_post = Fabricate(:post)
public_topic = public_post.topic
public_reply = Fabricate(:post, topic: public_topic, post_number: 2)
public_hidden = Fabricate(:post, topic: public_topic, post_number: 3, hidden: true)
user = public_post.user
public_category = public_topic.category
secured_topic = Fabricate(:topic, user: staff, category: secured_category)
secured_post = Fabricate(:post, user: staff, topic: secured_topic)
secured_reply = Fabricate(:post, user: staff, topic: secured_topic, post_number: 2)
expect(preview(public_topic.relative_url, user, public_category)).to include(public_topic.title)
expect(preview(public_post.url, user, public_category)).to include(public_topic.title)
expect(preview(public_reply.url, user, public_category)).to include(public_reply.cooked)
expect(preview(public_hidden.url, user, public_category)).to match_html(link(public_hidden.url))
expect(preview(secured_topic.relative_url, user, public_category)).to match_html(link(secured_topic.relative_url))
expect(preview(secured_post.url, user, public_category)).to match_html(link(secured_post.url))
expect(preview(secured_reply.url, user, public_category)).to match_html(link(secured_reply.url))
expect(preview(public_topic.relative_url, user, secured_category)).to match_html(link(public_topic.relative_url))
expect(preview(public_reply.url, user, secured_category)).to match_html(link(public_reply.url))
expect(preview(secured_post.url, user, secured_category)).to match_html(link(secured_post.url))
expect(preview(secured_reply.url, user, secured_category)).to match_html(link(secured_reply.url))
expect(preview(public_topic.relative_url, staff, secured_category)).to include(public_topic.title)
expect(preview(public_post.url, staff, secured_category)).to include(public_topic.title)
expect(preview(public_reply.url, staff, secured_category)).to include(public_reply.cooked)
expect(preview(public_hidden.url, staff, secured_category)).to match_html(link(public_hidden.url))
expect(preview(secured_topic.relative_url, staff, secured_category)).to include(secured_topic.title)
expect(preview(secured_post.url, staff, secured_category)).to include(secured_topic.title)
expect(preview(secured_reply.url, staff, secured_category)).to include(secured_reply.cooked)
end
it "links to an user profile" do
user = Fabricate(:user)
expect(preview("/u/does-not-exist", user)).to match_html(link("/u/does-not-exist"))
expect(preview("/u/#{user.username}", user)).to include(user.name)
end
it "links to an upload" do
user = Fabricate(:user)
path = "/uploads/default/original/3X/e/8/e8fcfa624e4fb6623eea57f54941a58ba797f14d"
expect(preview("#{path}.pdf", user)).to match_html(link("#{path}.pdf"))
expect(preview("#{path}.MP3", user)).to include("<audio ")
expect(preview("#{path}.mov", user)).to include("<video ")
end
end
end