about summary refs log tree commit diff
path: root/spec
diff options
context:
space:
mode:
authorDavid Leadbeater <dgl@dgl.cx>2022-11-21 05:28:13 +1100
committerGitHub <noreply@github.com>2022-11-20 19:28:13 +0100
commit69378eac99c013a0db7d2d5ff9a54dfcc287d9ce (patch)
tree270c7ddf377f62d1272b9fabcab46fb9a23e54f6 /spec
parent48e136605a30fa7ee71a656b599d91adf47b17fc (diff)
Don't allow URLs that contain non-normalized paths to be verified (#20999)
* Don't allow URLs that contain non-normalized paths to be verified

This stops things like https://example.com/otheruser/../realuser where
"/otheruser" appears to be the verified URL, but the actual URL being
verified is "/realuser" due to the "/../".

Also fix a test to use 'https', so it is testing the right thing, now
that since #20304 https is required.

* missing do
Diffstat (limited to 'spec')
-rw-r--r--spec/models/account/field_spec.rb10
1 files changed, 9 insertions, 1 deletions
diff --git a/spec/models/account/field_spec.rb b/spec/models/account/field_spec.rb
index b4beec048..0ac9769bc 100644
--- a/spec/models/account/field_spec.rb
+++ b/spec/models/account/field_spec.rb
@@ -67,7 +67,15 @@ RSpec.describe Account::Field, type: :model do
       end
 
       context 'for an IDN URL' do
-        let(:value) { 'http://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+        let(:value) { 'https://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for a URL with a non-normalized path' do
+        let(:value) { 'https://github.com/octocatxxxxxxxx/../mastodon' }
 
         it 'returns false' do
           expect(subject.verifiable?).to be false