diff options
| author | Paul Gascou-Vaillancourt <paul.gascvail@gmail.com> | 2019-05-30 13:40:20 -0400 |
|---|---|---|
| committer | Paul Gascou-Vaillancourt <paul.gascvail@gmail.com> | 2019-06-03 08:10:34 -0400 |
| commit | 6ca5b19aafae10f0d9dfd3018e27f9b1731101f2 (patch) | |
| tree | 2d61c07394a8dac5e788c3025b6deb65724ed8ae | |
| parent | 8ab0db4e8f74457c419e913dc6af6296a0a9fa52 (diff) | |
| download | gitlab-ce-issafeurl-utility.tar.gz | |
Add global isSafeURL utilityissafeurl-utility
- Added isSafeURL utility based on prior work in gitlab-ee
- Also added isAbsoluteOrRootRelative() and getBaseURL() utils,
needed by isSafeURL
- Removed URL() fallback because URL() is now polyfilled
- Updated specs
| -rw-r--r-- | app/assets/javascripts/lib/utils/url_utility.js | 36 | ||||
| -rw-r--r-- | spec/frontend/lib/utils/url_utility_spec.js (renamed from spec/javascripts/lib/utils/url_utility_spec.js) | 84 |
2 files changed, 120 insertions, 0 deletions
diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js index bdfd06fc250..4a9cd1b6f42 100644 --- a/app/assets/javascripts/lib/utils/url_utility.js +++ b/app/assets/javascripts/lib/utils/url_utility.js @@ -121,4 +121,40 @@ export function webIDEUrl(route = undefined) { return returnUrl; } +/** + * Returns current base URL + */ +export function getBaseURL() { + const { protocol, host } = window.location; + return `${protocol}//${host}`; +} + +/** + * Returns true if url is an absolute or root-relative URL + * + * @param {String} url + */ +export function isAbsoluteOrRootRelative(url) { + return /^(https?:)?\//.test(url); +} + +/** + * Checks if the provided URL is a safe URL (absolute http(s) or root-relative URL) + * + * @param {String} url that will be checked + * @returns {Boolean} + */ +export function isSafeURL(url) { + if (!isAbsoluteOrRootRelative(url)) { + return false; + } + + try { + const parsedUrl = new URL(url, getBaseURL()); + return ['http:', 'https:'].includes(parsedUrl.protocol); + } catch { + return false; + } +} + export { join as joinPaths } from 'path'; diff --git a/spec/javascripts/lib/utils/url_utility_spec.js b/spec/frontend/lib/utils/url_utility_spec.js index 381c7b2d0a6..eca240c9c18 100644 --- a/spec/javascripts/lib/utils/url_utility_spec.js +++ b/spec/frontend/lib/utils/url_utility_spec.js @@ -107,4 +107,88 @@ describe('URL utility', () => { expect(url).toBe('/home/feature#install'); }); }); + + describe('getBaseURL', () => { + beforeEach(() => { + global.window = Object.create(window); + Object.defineProperty(window, 'location', { + value: { + host: 'gitlab.com', + protocol: 'https:', + }, + }); + }); + + it('returns correct base URL', () => { + expect(urlUtils.getBaseURL()).toBe('https://gitlab.com'); + }); + }); + + describe('isAbsoluteOrRootRelative', () => { + const validUrls = ['https://gitlab.com/', 'http://gitlab.com/', '/users/sign_in']; + + const invalidUrls = [' https://gitlab.com/', './file/path', 'notanurl', '<a></a>']; + + it.each(validUrls)(`returns true for %s`, url => { + expect(urlUtils.isAbsoluteOrRootRelative(url)).toBe(true); + }); + + it.each(invalidUrls)(`returns false for %s`, url => { + expect(urlUtils.isAbsoluteOrRootRelative(url)).toBe(false); + }); + }); + + describe('isSafeUrl', () => { + const absoluteUrls = [ + 'http://example.org', + 'http://example.org:8080', + 'https://example.org', + 'https://example.org:8080', + 'https://192.168.1.1', + ]; + + const rootRelativeUrls = ['/relative/link']; + + const relativeUrls = ['./relative/link', '../relative/link']; + + const urlsWithoutHost = ['http://', 'https://', 'https:https:https:']; + + /* eslint-disable no-script-url */ + const nonHttpUrls = [ + 'javascript:', + 'javascript:alert("XSS")', + 'jav\tascript:alert("XSS");', + '  javascript:alert("XSS");', + 'ftp://192.168.1.1', + 'file:///', + 'file:///etc/hosts', + ]; + /* eslint-enable no-script-url */ + + // javascript:alert('XSS') + const encodedJavaScriptUrls = [ + 'javascript:alert('XSS')', + 'javascript:alert('XSS')', + 'javascript:alert('XSS')', + '\\u006A\\u0061\\u0076\\u0061\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003A\\u0061\\u006C\\u0065\\u0072\\u0074\\u0028\\u0027\\u0058\\u0053\\u0053\\u0027\\u0029', + ]; + + const safeUrls = [...absoluteUrls, ...rootRelativeUrls]; + const unsafeUrls = [ + ...relativeUrls, + ...urlsWithoutHost, + ...nonHttpUrls, + ...encodedJavaScriptUrls, + ]; + + describe('with URL constructor support', () => { + it.each(safeUrls)('returns true for %s', url => { + expect(urlUtils.isSafeURL(url)).toBe(true); + }); + + it.each(unsafeUrls)('returns false for %s', url => { + expect(urlUtils.isSafeURL(url)).toBe(false); + }); + }); + }); }); |