From e8c911577fe09b83793f7ffc95123642ab07668d Mon Sep 17 00:00:00 2001
From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Wed, 11 Aug 2021 21:49:27 +0000
Subject: Relax allowed protocols in links by denying specific protocols for
 CommonMark text formatting (#32424).

Patch by Martin Cizek.

git-svn-id: http://svn.redmine.org/redmine/trunk@21161 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/unit/lib/redmine/helpers/url_test.rb          | 41 ++++++++++++++++++++++
 .../common_mark/sanitization_filter_test.rb        | 24 ++++++++++---
 2 files changed, 60 insertions(+), 5 deletions(-)

(limited to 'test/unit')

diff --git a/test/unit/lib/redmine/helpers/url_test.rb b/test/unit/lib/redmine/helpers/url_test.rb
index 013a7ecac..a9c917e9c 100644
--- a/test/unit/lib/redmine/helpers/url_test.rb
+++ b/test/unit/lib/redmine/helpers/url_test.rb
@@ -33,4 +33,45 @@ class URLTest < ActiveSupport::TestCase
     assert_not uri_with_safe_scheme?("httpx://example.com/")
     assert_not uri_with_safe_scheme?("mailto:root@")
   end
+
+  LINK_SAFE_URIS = [
+    "http://example.com/",
+    "https://example.com/",
+    "ftp://example.com/",
+    "foo://example.org",
+    "mailto:foo@example.org",
+    " http://example.com/",
+    "",
+    "/javascript:alert(\'filename\')",
+  ]
+
+  def test_uri_with_link_safe_scheme_should_recognize_safe_uris
+    LINK_SAFE_URIS.each do |uri|
+      assert uri_with_link_safe_scheme?(uri), "'#{uri}' should be safe"
+    end
+  end
+
+  LINK_UNSAFE_URIS = [
+    "javascript:alert(\'XSS\');",
+    "javascript    :alert(\'XSS\');",
+    "javascript:    alert(\'XSS\');",
+    "javascript    :   alert(\'XSS\');",
+    ":javascript:alert(\'XSS\');",
+    "javascript&#58;",
+    "javascript&#0058;",
+    "javascript&#x3A;",
+    "javascript&#x003A;",
+    "java\0script:alert(\"XSS\")",
+    "java\script:alert(\"XSS\")",
+    " \x0e  javascript:alert(\'XSS\');",
+    "data:image/png;base64,foobar",
+    "vbscript:foobar",
+    "data:text/html;base64,foobar",
+  ]
+
+  def test_uri_with_link_safe_scheme_should_recognize_unsafe_uris
+    LINK_UNSAFE_URIS.each do |uri|
+      assert_not uri_with_link_safe_scheme?(uri), "'#{uri}' should not be safe"
+    end
+  end
 end
diff --git a/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb b/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
index 72ef52a63..a1de2b974 100644
--- a/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/common_mark/sanitization_filter_test.rb
@@ -71,6 +71,25 @@ if Object.const_defined?(:CommonMarker)
       assert_equal %(<code>foo</code>), filter(input)
     end
 
+    def test_should_allow_links_with_safe_url_schemes
+      %w(http https ftp ssh foo).each do |scheme|
+        input = %(<a href="#{scheme}://example.org/">foo</a>)
+        assert_equal input, filter(input)
+      end
+    end
+
+    def test_should_allow_mailto_links
+      input = %(<a href="mailto:foo@example.org">bar</a>)
+      assert_equal input, filter(input)
+    end
+
+    def test_should_remove_empty_link
+      input = %(<a href="">bar</a>)
+      assert_equal %(<a>bar</a>), filter(input)
+      input = %(<a href=" ">bar</a>)
+      assert_equal %(<a>bar</a>), filter(input)
+    end
+
     # samples taken from the Sanitize test suite
     # rubocop:disable Layout/LineLength
     STRINGS = [
@@ -194,11 +213,6 @@ if Object.const_defined?(:CommonMarker)
         '<a href="vbscript:foobar">XSS</a>',
         '<a>XSS</a>'
       ],
-
-      'invalid URIs' => [
-        '<a href="foo://example.org">link</a>',
-        '<a>link</a>'
-      ],
     }
 
     PROTOCOLS.each do |name, strings|
-- 
cgit v1.2.3