diff --git a/app/services/wildcard_domain_checker.rb b/app/services/wildcard_domain_checker.rb index 0b95f12d2a2..89c64538821 100644 --- a/app/services/wildcard_domain_checker.rb +++ b/app/services/wildcard_domain_checker.rb @@ -4,7 +4,7 @@ module WildcardDomainChecker def self.check_domain(domain, external_domain) escaped_domain = domain[0] == "*" ? Regexp.escape(domain).sub("\\*", '\S*') : Regexp.escape(domain) - domain_regex = Regexp.new("^#{escaped_domain}$", 'i') + domain_regex = Regexp.new("\\A#{escaped_domain}\\z", 'i') external_domain.match(domain_regex) end diff --git a/app/services/wildcard_url_checker.rb b/app/services/wildcard_url_checker.rb index e9c9f44d0c9..aed621b8850 100644 --- a/app/services/wildcard_url_checker.rb +++ b/app/services/wildcard_url_checker.rb @@ -1,12 +1,23 @@ # frozen_string_literal: true module WildcardUrlChecker + VALID_PROTOCOLS = %w(http https discourse).freeze def self.check_url(url, url_to_check) + return nil if !valid_url?(url_to_check) + escaped_url = Regexp.escape(url).sub("\\*", '\S*') - url_regex = Regexp.new("^#{escaped_url}$", 'i') + url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i') url_to_check.match(url_regex) end + private + + def self.valid_url?(url) + uri = URI.parse(url) + VALID_PROTOCOLS.include?(uri&.scheme) && uri&.host.present? + rescue URI::InvalidURIError + false + end end diff --git a/spec/services/wildcard_domain_checker_spec.rb b/spec/services/wildcard_domain_checker_spec.rb index e7d5ccb65b3..0b1d75986b0 100644 --- a/spec/services/wildcard_domain_checker_spec.rb +++ b/spec/services/wildcard_domain_checker_spec.rb @@ -31,6 +31,9 @@ describe WildcardDomainChecker do result4 = WildcardDomainChecker.check_domain('www.*.discourse.org', 'www.www.discourse.org') expect(result4).to eq(nil) + + result5 = WildcardDomainChecker.check_domain('www.discourse.org', "www.discourse.org\nwww.discourse.org.evil.com") + expect(result5).to eq(nil) end end end diff --git a/spec/services/wildcard_url_checker_spec.rb b/spec/services/wildcard_url_checker_spec.rb new file mode 100644 index 00000000000..3308fa4690d --- /dev/null +++ b/spec/services/wildcard_url_checker_spec.rb @@ -0,0 +1,46 @@ +# frozen_string_literal: true + +require 'rails_helper' + +describe WildcardUrlChecker do + + describe 'check_url' do + context 'valid url' do + it 'returns correct domain' do + result1 = described_class.check_url('https://*.discourse.org', 'https://anything.is.possible.discourse.org') + expect(result1[0]).to eq('https://anything.is.possible.discourse.org') + + result2 = described_class.check_url('https://www.discourse.org', 'https://www.discourse.org') + expect(result2[0]).to eq('https://www.discourse.org') + + result3 = described_class.check_url('*', 'https://hello.discourse.org') + expect(result3[0]).to eq('https://hello.discourse.org') + + result4 = described_class.check_url('discourse://auth_redirect', 'discourse://auth_redirect') + expect(result4[0]).to eq('discourse://auth_redirect') + end + end + + context 'invalid domain' do + it "doesn't return the domain" do + result1 = described_class.check_url('https://*.discourse.org', 'https://bad-domain.discourse.org.evil.com') + expect(result1).to eq(nil) + + result2 = described_class.check_url('https://www.discourse.org', 'https://www.discourse.org.evil.com') + expect(result2).to eq(nil) + + result3 = described_class.check_url('https://www.discourse.org', 'https://www.www.discourse.org') + expect(result3).to eq(nil) + + result4 = described_class.check_url('https://www.discourse.org', "https://www.discourse.org\nwww.discourse.org.evil.com") + expect(result4).to eq(nil) + + result5 = described_class.check_url('ttps://www.discourse.org', "ttps://www.discourse.org") + expect(result5).to eq(nil) + + result6 = described_class.check_url('https://', "https://") + expect(result6).to eq(nil) + end + end + end +end