diff options
author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-12-05 23:14:09 +0300 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-12-06 18:18:18 +0300 |
commit | 72c00594070dfd1a778c2e03ff400b478e6c3774 (patch) | |
tree | d8fd26536ef6c5e4a2e3ef02ea7785537d34d93b /spec | |
parent | 8cd5004b350ef342f66956c11272dad1328f6526 (diff) |
Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 21 | ||||
-rw-r--r-- | spec/validators/url_validator_spec.rb | 29 |
2 files changed, 50 insertions, 0 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb index 39e0a17a307..62970bd8cb6 100644 --- a/spec/lib/gitlab/url_blocker_spec.rb +++ b/spec/lib/gitlab/url_blocker_spec.rb @@ -249,6 +249,27 @@ describe Gitlab::UrlBlocker do end end end + + context 'when ascii_only is true' do + it 'returns true for unicode domain' do + expect(described_class.blocked_url?('https://𝕘itⅼαƄ.com/foo/foo.bar', ascii_only: true)).to be true + end + + it 'returns true for unicode tld' do + expect(described_class.blocked_url?('https://gitlab.ᴄοm/foo/foo.bar', ascii_only: true)).to be true + end + + it 'returns true for unicode path' do + expect(described_class.blocked_url?('https://gitlab.com/𝒇οο/𝒇οο.Ƅαꮁ', ascii_only: true)).to be true + end + + it 'returns true for IDNA deviations' do + expect(described_class.blocked_url?('https://mißile.com/foo/foo.bar', ascii_only: true)).to be true + expect(described_class.blocked_url?('https://miςςile.com/foo/foo.bar', ascii_only: true)).to be true + expect(described_class.blocked_url?('https://gitlab.com/foo/foo.bar', ascii_only: true)).to be true + expect(described_class.blocked_url?('https://gitlab.com/foo/foo.bar', ascii_only: true)).to be true + end + end end describe '#validate_hostname!' do diff --git a/spec/validators/url_validator_spec.rb b/spec/validators/url_validator_spec.rb index 082d09d3f16..f3f3386382f 100644 --- a/spec/validators/url_validator_spec.rb +++ b/spec/validators/url_validator_spec.rb @@ -143,4 +143,33 @@ describe UrlValidator do end end end + + context 'when ascii_only is' do + let(:url) { 'https://𝕘itⅼαƄ.com/foo/foo.bar'} + let(:validator) { described_class.new(attributes: [:link_url], ascii_only: ascii_only) } + + context 'true' do + let(:ascii_only) { true } + + it 'prevents unicode characters' do + badge.link_url = url + + subject + + expect(badge.errors.empty?).to be false + end + end + + context 'false (default)' do + let(:ascii_only) { false } + + it 'does not prevent unicode characters' do + badge.link_url = url + + subject + + expect(badge.errors.empty?).to be true + end + end + end end |