gitlab-org--gitlab-foss/spec/validators/addressable_url_validator_s...

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe AddressableUrlValidator do
  let!(:badge) { build(:badge, link_url: 'http://www.example.com') }

  let(:validator) { described_class.new(validator_options.reverse_merge(attributes: [:link_url])) }
  let(:validator_options) { {} }

  subject { validator.validate(badge) }

  include_examples 'url validator examples', described_class::DEFAULT_OPTIONS[:schemes]

  describe 'validations' do
    include_context 'invalid urls'
    include_context 'valid urls with CRLF'

    let(:validator) { described_class.new(attributes: [:link_url]) }

    it 'returns error when url is nil' do
      expect(validator.validate_each(badge, :link_url, nil)).to be_falsey
      expect(badge.errors.added?(:link_url, validator.options.fetch(:message))).to be true
    end

    it 'returns error when url is empty' do
      expect(validator.validate_each(badge, :link_url, '')).to be_falsey
      expect(badge.errors.added?(:link_url, validator.options.fetch(:message))).to be true
    end

    it 'allows urls with encoded CR or LF characters' do
      aggregate_failures do
        valid_urls_with_crlf.each do |url|
          validator.validate_each(badge, :link_url, url)

          expect(badge.errors).to be_empty
        end
      end
    end

    it 'does not allow urls with CR or LF characters' do
      aggregate_failures do
        urls_with_crlf.each do |url|
          badge = build(:badge, link_url: 'http://www.example.com')
          validator.validate_each(badge, :link_url, url)

          expect(badge.errors.added?(:link_url, 'is blocked: URI is invalid')).to be true
        end
      end
    end

    it 'provides all arguments to UrlBlock validate' do
      expect(Gitlab::UrlBlocker)
          .to receive(:validate!)
                  .with(badge.link_url, described_class::BLOCKER_VALIDATE_OPTIONS)
                  .and_return(true)

      subject

      expect(badge.errors).to be_empty
    end
  end

  context 'by default' do
    let(:validator) { described_class.new(attributes: [:link_url]) }

    it 'does not block urls pointing to localhost' do
      badge.link_url = 'https://127.0.0.1'

      subject

      expect(badge.errors).to be_empty
    end

    it 'does not block urls pointing to the local network' do
      badge.link_url = 'https://192.168.1.1'

      subject

      expect(badge.errors).to be_empty
    end

    it 'does block nil urls' do
      badge.link_url = nil

      subject

      expect(badge.errors).to be_present
    end

    it 'does block blank urls' do
      badge.link_url = '\n\r \n'

      subject

      expect(badge.errors).to be_present
    end

    it 'strips urls' do
      badge.link_url = "\n\r\n\nhttps://127.0.0.1\r\n\r\n\n\n\n"

      # It's unusual for a validator to modify its arguments. Some extensions,
      # such as attr_encrypted, freeze the string to signal that modifications
      # will not be persisted, so freeze this string to ensure the scheme is
      # compatible with them.
      badge.link_url.freeze

      subject

      expect(badge.errors).to be_empty
      expect(badge.link_url).to eq('https://127.0.0.1')
    end

    it 'allows urls that cannot be resolved' do
      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
      badge.link_url = 'http://foobar.x'

      subject

      expect(badge.errors).to be_empty
    end
  end

  context 'when message is set' do
    let(:message) { 'is blocked: test message' }
    let(:validator) { described_class.new(attributes: [:link_url], allow_nil: false, message: message) }

    it 'does block nil url with provided error message' do
      expect(validator.validate_each(badge, :link_url, nil)).to be_falsey
      expect(badge.errors.added?(:link_url, message)).to be true
    end
  end

  context 'when blocked_message is set' do
    let(:message) { 'is not allowed due to: %{exception_message}' }
    let(:validator_options) { { blocked_message: message } }

    it 'blocks url with provided error message' do
      badge.link_url = 'javascript:alert(window.opener.document.location)'

      subject

      expect(badge.errors.added?(:link_url, 'is not allowed due to: Only allowed schemes are http, https')).to be true
    end
  end

  context 'when allow_nil is set to true' do
    let(:validator) { described_class.new(attributes: [:link_url], allow_nil: true) }

    it 'does not block nil urls' do
      badge.link_url = nil

      subject

      expect(badge.errors).to be_empty
    end
  end

  context 'when allow_blank is set to true' do
    let(:validator) { described_class.new(attributes: [:link_url], allow_blank: true) }

    it 'does not block blank urls' do
      badge.link_url = "\n\r \n"

      subject

      expect(badge.errors).to be_empty
    end
  end

  context 'when allow_localhost is set to false' do
    let(:validator) { described_class.new(attributes: [:link_url], allow_localhost: false) }

    it 'blocks urls pointing to localhost' do
      badge.link_url = 'https://127.0.0.1'

      subject

      expect(badge.errors).to be_present
    end

    context 'when allow_setting_local_requests is set to true' do
      it 'does not block urls pointing to localhost' do
        expect(described_class)
          .to receive(:allow_setting_local_requests?)
            .and_return(true)

        badge.link_url = 'https://127.0.0.1'

        subject

        expect(badge.errors).to be_empty
      end
    end
  end

  context 'when allow_local_network is set to false' do
    let(:validator) { described_class.new(attributes: [:link_url], allow_local_network: false) }

    it 'blocks urls pointing to the local network' do
      badge.link_url = 'https://192.168.1.1'

      subject

      expect(badge.errors).to be_present
    end

    context 'when allow_setting_local_requests is set to true' do
      it 'does not block urls pointing to local network' do
        expect(described_class)
          .to receive(:allow_setting_local_requests?)
            .and_return(true)

        badge.link_url = 'https://192.168.1.1'

        subject

        expect(badge.errors).to be_empty
      end
    end
  end

  context 'when ports is' do
    let(:validator) { described_class.new(attributes: [:link_url], ports: ports) }

    context 'empty' do
      let(:ports) { [] }

      it 'does not block any port' do
        subject

        expect(badge.errors).to be_empty
      end
    end

    context 'set' do
      let(:ports) { [443] }

      it 'blocks urls with a different port' do
        subject

        expect(badge.errors).to be_present
      end
    end
  end

  context 'when enforce_user is' do
    let(:url) { 'http://$user@example.com'}
    let(:validator) { described_class.new(attributes: [:link_url], enforce_user: enforce_user) }

    context 'true' do
      let(:enforce_user) { true }

      it 'checks user format' do
        badge.link_url = url

        subject

        expect(badge.errors).to be_present
      end
    end

    context 'false (default)' do
      let(:enforce_user) { false }

      it 'does not check user format' do
        badge.link_url = url

        subject

        expect(badge.errors).to be_empty
      end
    end
  end

  context 'when ascii_only is' do
    let(:url) { 'https://𝕘itⅼαƄ.com/foo/foo.bar'}
    let(:validator) { described_class.new(attributes: [:link_url], ascii_only: ascii_only) }

    context 'true' do
      let(:ascii_only) { true }

      it 'prevents unicode characters' do
        badge.link_url = url

        subject

        expect(badge.errors).to be_present
      end
    end

    context 'false (default)' do
      let(:ascii_only) { false }

      it 'does not prevent unicode characters' do
        badge.link_url = url

        subject

        expect(badge.errors).to be_empty
      end
    end
  end

  context 'when enforce_sanitization is' do
    let(:validator) { described_class.new(attributes: [:link_url], enforce_sanitization: enforce_sanitization) }
    let(:unsafe_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
    let(:safe_url) { 'https://replaceme.com/path/to/somewhere' }

    let(:unsafe_internal_url) do
      Gitlab.config.gitlab.protocol + '://' + Gitlab.config.gitlab.host +
        "/'><script>alert(document.cookie)</script>"
    end

    context 'true' do
      let(:enforce_sanitization) { true }

      it 'prevents unsafe urls' do
        badge.link_url = unsafe_url

        subject

        expect(badge.errors).to be_present
      end

      it 'prevents unsafe internal urls' do
        badge.link_url = unsafe_internal_url

        subject

        expect(badge.errors).to be_present
      end

      it 'allows safe urls' do
        badge.link_url = safe_url

        subject

        expect(badge.errors).to be_empty
      end
    end

    context 'false' do
      let(:enforce_sanitization) { false }

      it 'allows unsafe urls' do
        badge.link_url = unsafe_url

        subject

        expect(badge.errors).to be_empty
      end
    end
  end

  context 'when dns_rebind_protection is' do
    let(:not_resolvable_url) { 'http://foobar.x' }
    let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }

    before do
      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
      badge.link_url = not_resolvable_url

      subject
    end

    context 'true' do
      let(:dns_value) { true }

      it 'raises error' do
        expect(badge.errors).to be_present
      end
    end

    context 'false' do
      let(:dns_value) { false }

      it 'allows urls that cannot be resolved' do
        expect(badge.errors).to be_empty
      end
    end
  end
end
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								# frozen_string_literal: true
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
+								require 'spec_helper'
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2020-06-24 15:08:50 +00:00
+								RSpec.describe AddressableUrlValidator do
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								  let!(:badge) { build(:badge, link_url: 'http://www.example.com') }
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2019-12-17 18:07:48 +00:00
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2020-03-04 21:07:54 +00:00
+								  let(:validator) { described_class.new(validator_options.reverse_merge(attributes: [:link_url])) }
 								  let(:validator_options) { {} }
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								  subject { validator.validate(badge) }
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								  include_examples 'url validator examples', described_class::DEFAULT_OPTIONS[:schemes]
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								  describe 'validations' do
 								    include_context 'invalid urls'
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-10-21 03:12:55 +00:00
+								    include_context 'valid urls with CRLF'
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
 								    let(:validator) { described_class.new(attributes: [:link_url]) }
 								    it 'returns error when url is nil' do
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								      expect(validator.validate_each(badge, :link_url, nil)).to be_falsey
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-04-23 09:10:03 +00:00
+								      expect(badge.errors.added?(:link_url, validator.options.fetch(:message))).to be true
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								    end
 								    it 'returns error when url is empty' do
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								      expect(validator.validate_each(badge, :link_url, '')).to be_falsey
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-04-23 09:10:03 +00:00
+								      expect(badge.errors.added?(:link_url, validator.options.fetch(:message))).to be true
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								    end
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-10-21 03:12:55 +00:00
+								    it 'allows urls with encoded CR or LF characters' do
 								      aggregate_failures do
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2022-04-06 18:08:19 +00:00
+								        valid_urls_with_crlf.each do |url|
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-10-21 03:12:55 +00:00
+								          validator.validate_each(badge, :link_url, url)
 								          expect(badge.errors).to be_empty
 								        end
 								      end
 								    end
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								    it 'does not allow urls with CR or LF characters' do
 								      aggregate_failures do
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2022-04-06 18:08:19 +00:00
+								        urls_with_crlf.each do |url|
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-10-21 03:12:55 +00:00
+								          badge = build(:badge, link_url: 'http://www.example.com')
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-04-23 09:10:03 +00:00
+								          validator.validate_each(badge, :link_url, url)
 								          expect(badge.errors.added?(:link_url, 'is blocked: URI is invalid')).to be true
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								        end
 								      end
 								    end
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
 								    it 'provides all arguments to UrlBlock validate' do
 								      expect(Gitlab::UrlBlocker)
 								          .to receive(:validate!)
 								                  .with(badge.link_url, described_class::BLOCKER_VALIDATE_OPTIONS)
 								                  .and_return(true)
 								      subject
 								      expect(badge.errors).to be_empty
 								    end
-												Merge branch 'security-fj-crlf-injection' into 'master'

[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
											
										
										
											2018-11-28 19:06:44 +00:00
+								  end
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								  context 'by default' do
 								    let(:validator) { described_class.new(attributes: [:link_url]) }
 								    it 'does not block urls pointing to localhost' do
 								      badge.link_url = 'https://127.0.0.1'
 								      subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								      expect(badge.errors).to be_empty
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								    end
 								    it 'does not block urls pointing to the local network' do
 								      badge.link_url = 'https://192.168.1.1'
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								      subject
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								      expect(badge.errors).to be_empty
 								    end
 								    it 'does block nil urls' do
 								      badge.link_url = nil
 								      subject
 								      expect(badge.errors).to be_present
 								    end
 								    it 'does block blank urls' do
 								      badge.link_url = '\n\r \n'
 								      subject
 								      expect(badge.errors).to be_present
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								    end
-												Allow UrlValidator to work with attr_encrypted

											
										
										
											2018-09-17 15:11:12 +00:00
 								    it 'strips urls' do
 								      badge.link_url = "\n\r\n\nhttps://127.0.0.1\r\n\r\n\n\n\n"
 								      # It's unusual for a validator to modify its arguments. Some extensions,
 								      # such as attr_encrypted, freeze the string to signal that modifications
 								      # will not be persisted, so freeze this string to ensure the scheme is
 								      # compatible with them.
 								      badge.link_url.freeze
 								      subject
 								      expect(badge.errors).to be_empty
 								      expect(badge.link_url).to eq('https://127.0.0.1')
 								    end
-												Avoid checking dns rebind protection in validation

											
										
										
											2019-09-05 09:11:14 +00:00
 								    it 'allows urls that cannot be resolved' do
 								      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
 								      badge.link_url = 'http://foobar.x'
 								      subject
 								      expect(badge.errors).to be_empty
 								    end
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								  end
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								  context 'when message is set' do
 								    let(:message) { 'is blocked: test message' }
 								    let(:validator) { described_class.new(attributes: [:link_url], allow_nil: false, message: message) }
 								    it 'does block nil url with provided error message' do
 								      expect(validator.validate_each(badge, :link_url, nil)).to be_falsey
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-04-23 09:10:03 +00:00
+								      expect(badge.errors.added?(:link_url, message)).to be true
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								    end
 								  end
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2020-03-04 21:07:54 +00:00
+								  context 'when blocked_message is set' do
 								    let(:message) { 'is not allowed due to: %{exception_message}' }
 								    let(:validator_options) { { blocked_message: message } }
 								    it 'blocks url with provided error message' do
 								      badge.link_url = 'javascript:alert(window.opener.document.location)'
 								      subject
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2021-04-23 09:10:03 +00:00
+								      expect(badge.errors.added?(:link_url, 'is not allowed due to: Only allowed schemes are http, https')).to be true
-												Add latest changes from gitlab-org/gitlab@master

											
										
										
											2020-03-04 21:07:54 +00:00
+								    end
 								  end
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								  context 'when allow_nil is set to true' do
 								    let(:validator) { described_class.new(attributes: [:link_url], allow_nil: true) }
 								    it 'does not block nil urls' do
 								      badge.link_url = nil
 								      subject
 								      expect(badge.errors).to be_empty
 								    end
 								  end
 								  context 'when allow_blank is set to true' do
 								    let(:validator) { described_class.new(attributes: [:link_url], allow_blank: true) }
 								    it 'does not block blank urls' do
 								      badge.link_url = "\n\r \n"
 								      subject
 								      expect(badge.errors).to be_empty
 								    end
 								  end
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								  context 'when allow_localhost is set to false' do
 								    let(:validator) { described_class.new(attributes: [:link_url], allow_localhost: false) }
 								    it 'blocks urls pointing to localhost' do
 								      badge.link_url = 'https://127.0.0.1'
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								      subject
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								      expect(badge.errors).to be_present
 								    end
 								    context 'when allow_setting_local_requests is set to true' do
 								      it 'does not block urls pointing to localhost' do
 								        expect(described_class)
 								          .to receive(:allow_setting_local_requests?)
 								            .and_return(true)
 								        badge.link_url = 'https://127.0.0.1'
 								        subject
 								        expect(badge.errors).to be_empty
 								      end
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
+								    end
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								  end
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								  context 'when allow_local_network is set to false' do
 								    let(:validator) { described_class.new(attributes: [:link_url], allow_local_network: false) }
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								    it 'blocks urls pointing to the local network' do
 								      badge.link_url = 'https://192.168.1.1'
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								      subject
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								      expect(badge.errors).to be_present
 								    end
 								    context 'when allow_setting_local_requests is set to true' do
 								      it 'does not block urls pointing to local network' do
 								        expect(described_class)
 								          .to receive(:allow_setting_local_requests?)
 								            .and_return(true)
 								        badge.link_url = 'https://192.168.1.1'
 								        subject
 								        expect(badge.errors).to be_empty
 								      end
-												Add validation to webhook and service URLs to ensure they are not blocked because of SSRF

											
										
										
											2018-06-01 11:43:53 +00:00
+								    end
 								  end
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								  context 'when ports is' do
 								    let(:validator) { described_class.new(attributes: [:link_url], ports: ports) }
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								    context 'empty' do
 								      let(:ports) { [] }
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								      it 'does not block any port' do
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_empty
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								      end
 								    end
 								    context 'set' do
 								      let(:ports) { [443] }
 								      it 'blocks urls with a different port' do
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_present
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								      end
 								    end
 								  end
 								  context 'when enforce_user is' do
 								    let(:url) { 'http://$user@example.com'}
 								    let(:validator) { described_class.new(attributes: [:link_url], enforce_user: enforce_user) }
 								    context 'true' do
 								      let(:enforce_user) { true }
 								      it 'checks user format' do
 								        badge.link_url = url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_present
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								      end
 								    end
 								    context 'false (default)' do
 								      let(:enforce_user) { false }
 								      it 'does not check user format' do
 								        badge.link_url = url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_empty
-												Avoid checking the user format in every url validation

											
										
										
											2018-06-11 13:29:37 +00:00
+								      end
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
+								    end
 								  end
-												Allow URLs to be validated as ascii_only

Restricts unicode characters and IDNA deviations
which could be used in a phishing attack

											
										
										
											2018-12-05 20:14:09 +00:00
 								  context 'when ascii_only is' do
 								    let(:url) { 'https://𝕘itⅼαƄ.com/foo/foo.bar'}
 								    let(:validator) { described_class.new(attributes: [:link_url], ascii_only: ascii_only) }
 								    context 'true' do
 								      let(:ascii_only) { true }
 								      it 'prevents unicode characters' do
 								        badge.link_url = url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_present
-												Allow URLs to be validated as ascii_only

Restricts unicode characters and IDNA deviations
which could be used in a phishing attack

											
										
										
											2018-12-05 20:14:09 +00:00
+								      end
 								    end
 								    context 'false (default)' do
 								      let(:ascii_only) { false }
 								      it 'does not prevent unicode characters' do
 								        badge.link_url = url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_empty
-												Allow URLs to be validated as ascii_only

Restricts unicode characters and IDNA deviations
which could be used in a phishing attack

											
										
										
											2018-12-05 20:14:09 +00:00
+								      end
 								    end
 								  end
-												Add table and model for error tracking settings

											
										
										
											2019-01-07 17:55:21 +00:00
 								  context 'when enforce_sanitization is' do
 								    let(:validator) { described_class.new(attributes: [:link_url], enforce_sanitization: enforce_sanitization) }
 								    let(:unsafe_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
 								    let(:safe_url) { 'https://replaceme.com/path/to/somewhere' }
 								    let(:unsafe_internal_url) do
 								      Gitlab.config.gitlab.protocol + '://' + Gitlab.config.gitlab.host +
 								        "/'><script>alert(document.cookie)</script>"
 								    end
 								    context 'true' do
 								      let(:enforce_sanitization) { true }
 								      it 'prevents unsafe urls' do
 								        badge.link_url = unsafe_url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_present
-												Add table and model for error tracking settings

											
										
										
											2019-01-07 17:55:21 +00:00
+								      end
 								      it 'prevents unsafe internal urls' do
 								        badge.link_url = unsafe_internal_url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_present
-												Add table and model for error tracking settings

											
										
										
											2019-01-07 17:55:21 +00:00
+								      end
 								      it 'allows safe urls' do
 								        badge.link_url = safe_url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_empty
-												Add table and model for error tracking settings

											
										
										
											2019-01-07 17:55:21 +00:00
+								      end
 								    end
 								    context 'false' do
 								      let(:enforce_sanitization) { false }
 								      it 'allows unsafe urls' do
 								        badge.link_url = unsafe_url
 								        subject
-												Align UrlValidator to validate_url gem implementation.

Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.

											
										
										
											2019-04-11 06:29:07 +00:00
+								        expect(badge.errors).to be_empty
-												Add table and model for error tracking settings

											
										
										
											2019-01-07 17:55:21 +00:00
+								      end
 								    end
 								  end
-												Avoid checking dns rebind protection in validation

											
										
										
											2019-09-05 09:11:14 +00:00
 								  context 'when dns_rebind_protection is' do
 								    let(:not_resolvable_url) { 'http://foobar.x' }
 								    let(:validator) { described_class.new(attributes: [:link_url], dns_rebind_protection: dns_value) }
 								    before do
 								      stub_env('RSPEC_ALLOW_INVALID_URLS', 'false')
 								      badge.link_url = not_resolvable_url
 								      subject
 								    end
 								    context 'true' do
 								      let(:dns_value) { true }
 								      it 'raises error' do
 								        expect(badge.errors).to be_present
 								      end
 								    end
 								    context 'false' do
 								      let(:dns_value) { false }
 								      it 'allows urls that cannot be resolved' do
 								        expect(badge.errors).to be_empty
 								      end
 								    end
 								  end
-												Projects and groups badges API

											
										
										
											2018-03-05 17:51:40 +00:00
+								end