bastodon/spec/models/account/field_spec.rb
David Leadbeater 69378eac99
Don't allow URLs that contain non-normalized paths to be verified (#20999)
* Don't allow URLs that contain non-normalized paths to be verified

This stops things like https://example.com/otheruser/../realuser where
"/otheruser" appears to be the verified URL, but the actual URL being
verified is "/realuser" due to the "/../".

Also fix a test to use 'https', so it is testing the right thing, now
that since #20304 https is required.

* missing do
2022-11-20 19:28:13 +01:00

162 lines
4.9 KiB
Ruby
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

require 'rails_helper'
RSpec.describe Account::Field, type: :model do
describe '#verified?' do
let(:account) { double('Account', local?: true) }
subject { described_class.new(account, 'name' => 'Foo', 'value' => 'Bar', 'verified_at' => verified_at) }
context 'when verified_at is set' do
let(:verified_at) { Time.now.utc.iso8601 }
it 'returns true' do
expect(subject.verified?).to be true
end
end
context 'when verified_at is not set' do
let(:verified_at) { nil }
it 'returns false' do
expect(subject.verified?).to be false
end
end
end
describe '#mark_verified!' do
let(:account) { double('Account', local?: true) }
let(:original_hash) { { 'name' => 'Foo', 'value' => 'Bar' } }
subject { described_class.new(account, original_hash) }
before do
subject.mark_verified!
end
it 'updates verified_at' do
expect(subject.verified_at).to_not be_nil
end
it 'updates original hash' do
expect(original_hash['verified_at']).to_not be_nil
end
end
describe '#verifiable?' do
let(:account) { double('Account', local?: local) }
subject { described_class.new(account, 'name' => 'Foo', 'value' => value) }
context 'for local accounts' do
let(:local) { true }
context 'for a URL with misleading authentication' do
let(:value) { 'https://spacex.com @h.43z.one' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for a URL' do
let(:value) { 'https://example.com' }
it 'returns true' do
expect(subject.verifiable?).to be true
end
end
context 'for an IDN URL' do
let(:value) { 'https://twitter.comdougalljstatus1590357240443437057.ê.cc/twitter.html' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for a URL with a non-normalized path' do
let(:value) { 'https://github.com/octocatxxxxxxxx/../mastodon' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for text that is not a URL' do
let(:value) { 'Hello world' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for text that contains a URL' do
let(:value) { 'Hello https://example.com world' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for text which is blank' do
let(:value) { '' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
end
context 'for remote accounts' do
let(:local) { false }
context 'for a link' do
let(:value) { '<a href="https://www.patreon.com/mastodon" target="_blank" rel="nofollow noopener noreferrer me"><span class="invisible">https://www.</span><span class="">patreon.com/mastodon</span><span class="invisible"></span></a>' }
it 'returns true' do
expect(subject.verifiable?).to be true
end
end
context 'for a link with misleading authentication' do
let(:value) { '<a href="https://google.com @h.43z.one" target="_blank" rel="nofollow noopener noreferrer me"><span class="invisible">https://</span><span class="">google.com</span><span class="invisible"> @h.43z.one</span></a>' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for HTML that has more than just a link' do
let(:value) { '<a href="https://google.com" target="_blank" rel="nofollow noopener noreferrer me"><span class="invisible">https://</span><span class="">google.com</span><span class="invisible"></span></a> @h.43z.one' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for a link with different visible text' do
let(:value) { '<a href="https://google.com/bar">https://example.com/foo</a>' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for text that is a URL but is not linked' do
let(:value) { 'https://example.com/foo' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
context 'for text which is blank' do
let(:value) { '' }
it 'returns false' do
expect(subject.verifiable?).to be false
end
end
end
end
end