39916fdfed
`InternalRedirect` prevents Open redirect issues by only allowing redirection to paths on the same host. It cleans up any unwanted strings from the path that could point to another host (fe. //about.gitlab.com/hello). While preserving the querystring and fragment of the uri. It is already used by: - `TermsController` - `ContinueParams` - `ImportsController` - `ForksController` - `SessionsController`: Only for verifying the host in CE. EE allows redirecting to a different instance using Geo.
45 lines
1.2 KiB
Ruby
45 lines
1.2 KiB
Ruby
require 'spec_helper'
|
|
|
|
describe ContinueParams do
|
|
let(:controller_class) do
|
|
Class.new(ActionController::Base) do
|
|
include ContinueParams
|
|
|
|
def request
|
|
@request ||= Struct.new(:host, :port).new('test.host', 80)
|
|
end
|
|
end
|
|
end
|
|
subject(:controller) { controller_class.new }
|
|
|
|
def strong_continue_params(params)
|
|
ActionController::Parameters.new(continue: params)
|
|
end
|
|
|
|
it 'cleans up any params that are not allowed' do
|
|
allow(controller).to receive(:params) do
|
|
strong_continue_params(to: '/hello',
|
|
notice: 'world',
|
|
notice_now: '!',
|
|
something: 'else')
|
|
end
|
|
|
|
expect(controller.continue_params.keys).to contain_exactly(*%w(to notice notice_now))
|
|
end
|
|
|
|
it 'does not allow cross host redirection' do
|
|
allow(controller).to receive(:params) do
|
|
strong_continue_params(to: '//example.com')
|
|
end
|
|
|
|
expect(controller.continue_params[:to]).to be_nil
|
|
end
|
|
|
|
it 'allows redirecting to a path with querystring' do
|
|
allow(controller).to receive(:params) do
|
|
strong_continue_params(to: '/hello/world?query=string')
|
|
end
|
|
|
|
expect(controller.continue_params[:to]).to eq('/hello/world?query=string')
|
|
end
|
|
end
|