SECURITY: Make sure uploaded_urls have corresponding upload records

spec/models/category_spec.rb

@@ -12,6 +12,24 @@ describe Category do
     is_expected.to validate_uniqueness_of(:name).scoped_to(:parent_category_id)
   end
 
+  context "url validation" do
+    let(:user) { Fabricate(:user) }
+
+    let(:upload) { Fabricate(:upload) }
+
+    it "ensures logo_url is valid" do
+      expect(Fabricate.build(:category, user: user, logo_url: "---%")).not_to be_valid
+      expect(Fabricate.build(:category, user: user, logo_url: "http://example.com/made-up.jpg")).not_to be_valid
+      expect(Fabricate.build(:category, user: user, logo_url: upload.url)).to be_valid
+    end
+
+    it "ensures background_url is valid" do
+      expect(Fabricate.build(:category, user: user, background_url: ";test")).not_to be_valid
+      expect(Fabricate.build(:category, user: user, background_url: "http://example.com/no.jpg")).not_to be_valid
+      expect(Fabricate.build(:category, user: user, background_url: upload.url)).to be_valid
+    end
+  end
+
   it 'validates uniqueness in case insensitive way' do
     Fabricate(:category, name: "Cats")
     cats = Fabricate.build(:category, name: "cats")

spec/models/user_profile_spec.rb

@@ -6,6 +6,23 @@ describe UserProfile do
     expect(user.user_profile).to be_present
   end
 
+  context "url validation" do
+    let(:user) { Fabricate(:user) }
+    let(:upload) { Fabricate(:upload) }
+
+    it "ensures profile_background is valid" do
+      expect(Fabricate.build(:user_profile, user: user, profile_background: "---%")).not_to be_valid
+      expect(Fabricate.build(:user_profile, user: user, profile_background: "http://example.com/made-up.jpg")).not_to be_valid
+      expect(Fabricate.build(:user_profile, user: user, profile_background: upload.url)).to be_valid
+    end
+
+    it "ensures background_url is valid" do
+      expect(Fabricate.build(:user_profile, user: user, card_background: ";test")).not_to be_valid
+      expect(Fabricate.build(:user_profile, user: user, card_background: "http://example.com/no.jpg")).not_to be_valid
+      expect(Fabricate.build(:user_profile, user: user, card_background: upload.url)).to be_valid
+    end
+  end
+
   describe 'rebaking' do
     it 'correctly rebakes bio' do
       user_profile = Fabricate(:evil_trout).user_profile

spec/models/user_spec.rb

@@ -339,7 +339,7 @@ describe User do
 
     it 'returns false if user is not the only admin' do
       admin = Fabricate(:admin)
-      second_admin = Fabricate(:admin)
+      Fabricate(:admin)
 
       expect(admin.is_singular_admin?).to eq(false)
     end