author | Marius Balteanu <marius.balteanu@zitec.com> | 2021-08-11 21:49:27 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2021-08-11 21:49:27 +0000 |
commit | e8c911577fe09b83793f7ffc95123642ab07668d (patch) | |
tree | eed2696ff6d6b27c09e1ebac84418acad96216a6 /test/unit | |
parent | 46ecdcec4d3d6cec4825221a1cd0e1646e7a5792 (diff) | |
download | redmine-e8c911577fe09b83793f7ffc95123642ab07668d.tar.gz redmine-e8c911577fe09b83793f7ffc95123642ab07668d.zip |
Relax allowed protocols in links by denying specific protocols for CommonMark text formatting (#32424).
Patch by Martin Cizek.
git-svn-id: http://svn.redmine.org/redmine/trunk@21161 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/unit')
-rw-r--r-- | test/unit/lib/redmine/helpers/url_test.rb | 41 | ||||
-rw-r--r-- | test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb | 24 |
2 files changed, 60 insertions, 5 deletions
diff --git a/test/unit/lib/redmine/helpers/url_test.rb b/test/unit/lib/redmine/helpers/url_test.rb
index 013a7ecac..a9c917e9c 100644
--- a/test/unit/lib/redmine/helpers/url_test.rb
+++ b/test/unit/lib/redmine/helpers/url_test.rb
@@ -33,4 +33,45 @@ class URLTest < ActiveSupport::TestCase
 assert_not uri_with_safe_scheme?("httpx://example.com/")
 assert_not uri_with_safe_scheme?("mailto:root@")
 end
+
+ LINK_SAFE_URIS = [
+ "http://example.com/",
+ "https://example.com/",
+ "ftp://example.com/",
+ "foo://example.org",
+ "mailto:foo@example.org",
+ " http://example.com/",
+ "",
+ "/javascript:alert(\'filename\')",
+ ]
+
+ def test_uri_with_link_safe_scheme_should_recognize_safe_uris
+ LINK_SAFE_URIS.each do |uri|
+ assert uri_with_link_safe_scheme?(uri), "'#{uri}' should be safe"
+ end
+ end
+
+ LINK_UNSAFE_URIS = [
+ "javascript:alert(\'XSS\');",
+ "javascript :alert(\'XSS\');",
+ "javascript: alert(\'XSS\');",
+ "javascript : alert(\'XSS\');",
+ ":javascript:alert(\'XSS\');",
+ "javascript:",
+ "javascript:",
+ "javascript:",
+ "javascript:",
+ "java\0script:alert(\"XSS\")",
+ "java\script:alert(\"XSS\")",
+ " \x0e javascript:alert(\'XSS\');",
+ "data:image/png;base64,foobar",
+ "vbscript:foobar",
+ "data:text/html;base64,foobar",
+ ]
+
+ def test_uri_with_link_safe_scheme_should_recognize_unsafe_uris
+ LINK_UNSAFE_URIS.each do |uri|
+ assert_not uri_with_link_safe_scheme?(uri), "'#{uri}' should not be safe"
+ end
+ end
 end
diff --git a/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb b/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
index 72ef52a63..a1de2b974 100644
--- a/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
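Review bot: In url_test.rb, the `LINK_UNSAFE_URIS` entry `"java\script:alert(\"XSS\")"` probably does not test what it reads as: in a double-quoted Ruby literal `\s` is the escape for a space, so as shown the value is `java cript:…` rather than a string containing a backslash. If a literal backslash was intended, write `"java\\script:alert(\"XSS\")"`; if an embedded space was intended, spell it out and add a one-line comment. Because the helper under test now denies specific schemes instead of allowing a fixed list, the list should also carry mixed-case entries (constructed examples: `"JavaScript:alert(1)"`, `"DATA:text/html;base64,foobar"`), since browsers match schemes case-insensitively. The four `"javascript:"` entries look identical on this page, which may be a rendering artefact of entity-encoded variants; confirm against the file that they are distinct cases.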
@@ -71,6 +71,25 @@ if Object.const_defined?(:CommonMarker) assert_equal %(<code>foo</code>), filter(input) end + def test_should_allow_links_with_safe_url_schemes + %w(http https ftp ssh foo).each do |scheme| + input = %(<a href="#{scheme}://example.org/">foo</a>) + assert_equal input, filter(input) + end + end + + def test_should_allow_mailto_links + input = %(<a href="mailto:foo@example.org">bar</a>) + assert_equal input, filter(input) + end + + def test_should_remove_empty_link + input = %(<a href="">bar</a>) + assert_equal %(<a>bar</a>), filter(input) + input = %(<a href=" ">bar</a>) + assert_equal %(<a>bar</a>), filter(input) + end + # samples taken from the Sanitize test suite # rubocop:disable Layout/LineLength STRINGS = [ @@ -194,11 +213,6 @@ if Object.const_defined?(:CommonMarker) '<a href="vbscript:foobar">XSS</a>', '<a>XSS</a>' ], - - 'invalid URIs' => [ - '<a href="foo://example.org">link</a>', - '<a>link</a>' - ], } PROTOCOLS.each do |name, strings| |
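Review bot: In sanitization_filter_test.rb, `test_should_allow_links_with_safe_url_schemes` asserts that an unregistered scheme (`foo://`) survives the filter, the opposite of the removed 'invalid URIs' case, and nothing in the test says this is deliberate. A comment above the loop would record the intent, e.g. `# links are filtered by a deny list; any scheme not on it (here "foo") must pass through unchanged`. The word "safe" in the test name really means "not denied", which a later reader may take for an allow list. Whether `PROTOCOLS` covers case and whitespace variants of the denied schemes at the filter level cannot be seen from this hunk; if it does not, that table is where such cases belong.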