github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-30 05:48:16 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
Files
30c559f670b85cf10f6c06a032f8ed34dd994e8b
discourse/spec/lib/onebox/engine/loom_onebox_spec.rb
Blake Erickson 17116c440b SECURITY: Restrict allowed URL patterns 
Restrict allowed URL patterns for oneboxes.
2025-02-04 13:32:34 -03:00

44 lines
1.6 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
RSpec.describe Onebox::Engine::LoomOnebox do
it "returns the right HTML markup for the onebox" do
expect(
Onebox
.preview(
"https://www.loom.com/share/c9695e5dc084496c80b7d7516d2a569a?sid=e1279914-ecaa-4faf-afa8-89cbab488240",
)
.to_s
.chomp,
).to eq(
'<iframe class="loom-onebox" src="https://www.loom.com/embed/c9695e5dc084496c80b7d7516d2a569a?sid=e1279914-ecaa-4faf-afa8-89cbab488240" frameborder="0" allowfullscreen="" seamless="seamless" sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-presentation"></iframe>',
)
end
describe ".===" do
it "matches valid Loom share URL" do
valid_url = URI("https://www.loom.com/share/abc123")
expect(described_class === valid_url).to eq(true)
end
it "matches valid Loom share URL with additional segment" do
valid_url_with_segment = URI("https://www.loom.com/share/abc123/xyz456")
expect(described_class === valid_url_with_segment).to eq(true)
end
it "does not match URL with valid domain as part of another domain" do
malicious_url = URI("https://www.loom.com.malicious.com/share/abc123")
expect(described_class === malicious_url).to eq(false)
end
it "does not match unrelated domain" do
unrelated_url = URI("https://example.com/share/abc123")
expect(described_class === unrelated_url).to eq(false)
end
it "does not match invalid path" do
invalid_path_url = URI("https://www.loom.com/shares/abc123")
expect(described_class === invalid_path_url).to eq(false)
end
end
end
Reference in New Issue View Git Blame Copy Permalink