From 6ca5b19aafae10f0d9dfd3018e27f9b1731101f2 Mon Sep 17 00:00:00 2001
From: Paul Gascou-Vaillancourt <paul.gascvail@gmail.com>
Date: Thu, 30 May 2019 13:40:20 -0400
Subject: Add global isSafeURL utility

- Added isSafeURL utility based on prior work in gitlab-ee
- Also added isAbsoluteOrRootRelative() and getBaseURL() utils,
  needed by isSafeURL
- Removed URL() fallback because URL() is now polyfilled
- Updated specs
---
 spec/frontend/lib/utils/url_utility_spec.js | 194 ++++++++++++++++++++++++++++
 1 file changed, 194 insertions(+)
 create mode 100644 spec/frontend/lib/utils/url_utility_spec.js

(limited to 'spec/frontend/lib')

diff --git a/spec/frontend/lib/utils/url_utility_spec.js b/spec/frontend/lib/utils/url_utility_spec.js
new file mode 100644
index 00000000000..eca240c9c18
--- /dev/null
+++ b/spec/frontend/lib/utils/url_utility_spec.js
@@ -0,0 +1,194 @@
+import * as urlUtils from '~/lib/utils/url_utility';
+
+describe('URL utility', () => {
+  describe('webIDEUrl', () => {
+    afterEach(() => {
+      gon.relative_url_root = '';
+    });
+
+    describe('without relative_url_root', () => {
+      it('returns IDE path with route', () => {
+        expect(urlUtils.webIDEUrl('/gitlab-org/gitlab-ce/merge_requests/1')).toBe(
+          '/-/ide/project/gitlab-org/gitlab-ce/merge_requests/1',
+        );
+      });
+    });
+
+    describe('with relative_url_root', () => {
+      beforeEach(() => {
+        gon.relative_url_root = '/gitlab';
+      });
+
+      it('returns IDE path with route', () => {
+        expect(urlUtils.webIDEUrl('/gitlab/gitlab-org/gitlab-ce/merge_requests/1')).toBe(
+          '/gitlab/-/ide/project/gitlab-org/gitlab-ce/merge_requests/1',
+        );
+      });
+    });
+  });
+
+  describe('mergeUrlParams', () => {
+    it('adds w', () => {
+      expect(urlUtils.mergeUrlParams({ w: 1 }, '#frag')).toBe('?w=1#frag');
+      expect(urlUtils.mergeUrlParams({ w: 1 }, '/path#frag')).toBe('/path?w=1#frag');
+      expect(urlUtils.mergeUrlParams({ w: 1 }, 'https://host/path')).toBe('https://host/path?w=1');
+      expect(urlUtils.mergeUrlParams({ w: 1 }, 'https://host/path#frag')).toBe(
+        'https://host/path?w=1#frag',
+      );
+
+      expect(urlUtils.mergeUrlParams({ w: 1 }, 'https://h/p?k1=v1#frag')).toBe(
+        'https://h/p?k1=v1&w=1#frag',
+      );
+    });
+
+    it('updates w', () => {
+      expect(urlUtils.mergeUrlParams({ w: 1 }, '?k1=v1&w=0#frag')).toBe('?k1=v1&w=1#frag');
+    });
+
+    it('adds multiple params', () => {
+      expect(urlUtils.mergeUrlParams({ a: 1, b: 2, c: 3 }, '#frag')).toBe('?a=1&b=2&c=3#frag');
+    });
+
+    it('adds and updates encoded params', () => {
+      expect(urlUtils.mergeUrlParams({ a: '&', q: '?' }, '?a=%23#frag')).toBe('?a=%26&q=%3F#frag');
+    });
+  });
+
+  describe('removeParams', () => {
+    describe('when url is passed', () => {
+      it('removes query param with encoded ampersand', () => {
+        const url = urlUtils.removeParams(['filter'], '/mail?filter=n%3Djoe%26l%3Dhome');
+
+        expect(url).toBe('/mail');
+      });
+
+      it('should remove param when url has no other params', () => {
+        const url = urlUtils.removeParams(['size'], '/feature/home?size=5');
+
+        expect(url).toBe('/feature/home');
+      });
+
+      it('should remove param when url has other params', () => {
+        const url = urlUtils.removeParams(['size'], '/feature/home?q=1&size=5&f=html');
+
+        expect(url).toBe('/feature/home?q=1&f=html');
+      });
+
+      it('should remove param and preserve fragment', () => {
+        const url = urlUtils.removeParams(['size'], '/feature/home?size=5#H2');
+
+        expect(url).toBe('/feature/home#H2');
+      });
+
+      it('should remove multiple params', () => {
+        const url = urlUtils.removeParams(['z', 'a'], '/home?z=11111&l=en_US&a=true#H2');
+
+        expect(url).toBe('/home?l=en_US#H2');
+      });
+    });
+  });
+
+  describe('setUrlFragment', () => {
+    it('should set fragment when url has no fragment', () => {
+      const url = urlUtils.setUrlFragment('/home/feature', 'usage');
+
+      expect(url).toBe('/home/feature#usage');
+    });
+
+    it('should set fragment when url has existing fragment', () => {
+      const url = urlUtils.setUrlFragment('/home/feature#overview', 'usage');
+
+      expect(url).toBe('/home/feature#usage');
+    });
+
+    it('should set fragment when given fragment includes #', () => {
+      const url = urlUtils.setUrlFragment('/home/feature#overview', '#install');
+
+      expect(url).toBe('/home/feature#install');
+    });
+  });
+
+  describe('getBaseURL', () => {
+    beforeEach(() => {
+      global.window = Object.create(window);
+      Object.defineProperty(window, 'location', {
+        value: {
+          host: 'gitlab.com',
+          protocol: 'https:',
+        },
+      });
+    });
+
+    it('returns correct base URL', () => {
+      expect(urlUtils.getBaseURL()).toBe('https://gitlab.com');
+    });
+  });
+
+  describe('isAbsoluteOrRootRelative', () => {
+    const validUrls = ['https://gitlab.com/', 'http://gitlab.com/', '/users/sign_in'];
+
+    const invalidUrls = [' https://gitlab.com/', './file/path', 'notanurl', '<a></a>'];
+
+    it.each(validUrls)(`returns true for %s`, url => {
+      expect(urlUtils.isAbsoluteOrRootRelative(url)).toBe(true);
+    });
+
+    it.each(invalidUrls)(`returns false for %s`, url => {
+      expect(urlUtils.isAbsoluteOrRootRelative(url)).toBe(false);
+    });
+  });
+
+  describe('isSafeUrl', () => {
+    const absoluteUrls = [
+      'http://example.org',
+      'http://example.org:8080',
+      'https://example.org',
+      'https://example.org:8080',
+      'https://192.168.1.1',
+    ];
+
+    const rootRelativeUrls = ['/relative/link'];
+
+    const relativeUrls = ['./relative/link', '../relative/link'];
+
+    const urlsWithoutHost = ['http://', 'https://', 'https:https:https:'];
+
+    /* eslint-disable no-script-url */
+    const nonHttpUrls = [
+      'javascript:',
+      'javascript:alert("XSS")',
+      'jav\tascript:alert("XSS");',
+      ' &#14;  javascript:alert("XSS");',
+      'ftp://192.168.1.1',
+      'file:///',
+      'file:///etc/hosts',
+    ];
+    /* eslint-enable no-script-url */
+
+    // javascript:alert('XSS')
+    const encodedJavaScriptUrls = [
+      '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041',
+      '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;',
+      '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29',
+      '\\u006A\\u0061\\u0076\\u0061\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003A\\u0061\\u006C\\u0065\\u0072\\u0074\\u0028\\u0027\\u0058\\u0053\\u0053\\u0027\\u0029',
+    ];
+
+    const safeUrls = [...absoluteUrls, ...rootRelativeUrls];
+    const unsafeUrls = [
+      ...relativeUrls,
+      ...urlsWithoutHost,
+      ...nonHttpUrls,
+      ...encodedJavaScriptUrls,
+    ];
+
+    describe('with URL constructor support', () => {
+      it.each(safeUrls)('returns true for %s', url => {
+        expect(urlUtils.isSafeURL(url)).toBe(true);
+      });
+
+      it.each(unsafeUrls)('returns false for %s', url => {
+        expect(urlUtils.isSafeURL(url)).toBe(false);
+      });
+    });
+  });
+});
-- 
cgit v1.2.1