SECURITY: Restrict allowed URL patterns

Restrict allowed URL patterns for oneboxes.
Blake Erickson
2024-12-19 11:01:54 -07:00
committed by Roman Rizzi
parent 17e1bfe069
commit 17116c440b
86 changed files with 1131 additions and 61 deletions


@@ -20,4 +20,26 @@ RSpec.describe Onebox::Engine::AudioComOnebox do
Onebox.preview("https://audio.com/agilov/collections/discourse-test-collection").to_s,
).to match(%r{<iframe src="https://audio\.com/embed/collection/1773124246389900})
end
describe ".===" do
it "matches valid URL" do
valid_url = URI("https://audio.com/path/to/resource")
expect(described_class === valid_url).to eq(true)
end
it "matches valid URL without path" do
valid_url = URI("https://audio.com")
expect(described_class === valid_url).to eq(true)
end
it "does not match invalid URL with subdomain" do
invalid_url = URI("https://sub.audio.com/path/to/resource")
expect(described_class === invalid_url).to eq(false)
end
it "does not match invalid URL with valid domain as part of another domain" do
malicious_url = URI("https://audio.com.malicious.com")
expect(described_class === malicious_url).to eq(false)
end
end
end
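Review bot: The new `.===` examples only exercise the `https` scheme, so whether `http://audio.com/...` is meant to be accepted or rejected by the restricted pattern is left unpinned; since the commit's purpose is to tighten what the engine matches, the intended scheme behaviour deserves an explicit example such as `it "does not match http scheme" do expect(described_class === URI("http://audio.com/path")).to eq(false) end` (or the positive variant, whichever the pattern intends). The `eq(true)`/`eq(false)` assertions also require `===` to return a strict boolean rather than a truthy match object; if that is deliberate, a one-line comment on the `describe ".==="` block saying so would save the next reader a surprise. Blank lines appear to have been dropped in this rendering, so the example boundaries are inferred from the surrounding `it`/`end` pairs.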