diff options
| author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-12-05 23:14:09 +0300 |
|---|---|---|
| committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-12-06 18:18:18 +0300 |
| commit | 72c00594070dfd1a778c2e03ff400b478e6c3774 (patch) | |
| tree | d8fd26536ef6c5e4a2e3ef02ea7785537d34d93b /spec/lib/gitlab/url_blocker_spec.rb | |
| parent | 8cd5004b350ef342f66956c11272dad1328f6526 (diff) | |
Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
Diffstat (limited to 'spec/lib/gitlab/url_blocker_spec.rb')
| -rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb index 39e0a17a307..62970bd8cb6 100644 --- a/spec/lib/gitlab/url_blocker_spec.rb +++ b/spec/lib/gitlab/url_blocker_spec.rb @@ -249,6 +249,27 @@ describe Gitlab::UrlBlocker do end end end + + context 'when ascii_only is true' do + it 'returns true for unicode domain' do + expect(described_class.blocked_url?('https://𝕘itⅼαƄ.com/foo/foo.bar', ascii_only: true)).to be true + end + + it 'returns true for unicode tld' do + expect(described_class.blocked_url?('https://gitlab.ᴄοm/foo/foo.bar', ascii_only: true)).to be true + end + + it 'returns true for unicode path' do + expect(described_class.blocked_url?('https://gitlab.com/𝒇οο/𝒇οο.Ƅαꮁ', ascii_only: true)).to be true + end + + it 'returns true for IDNA deviations' do + expect(described_class.blocked_url?('https://mißile.com/foo/foo.bar', ascii_only: true)).to be true + expect(described_class.blocked_url?('https://miςςile.com/foo/foo.bar', ascii_only: true)).to be true + expect(described_class.blocked_url?('https://gitlab.com/foo/foo.bar', ascii_only: true)).to be true + expect(described_class.blocked_url?('https://gitlab.com/foo/foo.bar', ascii_only: true)).to be true + end + end end describe '#validate_hostname!' do |