discourse/spec/lib/onebox/engine/github_issue_onebox_spec.rb

# frozen_string_literal: true

RSpec.describe Onebox::Engine::GithubIssueOnebox do
  let(:issue_uri) { "https://api.github.com/repos/discourse/discourse/issues/1" }
  let(:repo_uri) { "https://api.github.com/repos/discourse/discourse" }
  let(:repo_response) { onebox_response("githubrepo") }

  before do
    stub_request(:get, issue_uri).to_return(
      status: 200,
      body: onebox_response("github_issue_onebox"),
    )
    stub_request(:get, repo_uri).to_return(status: 200, body: repo_response)
  end

  include_context "with engines" do
    let(:link) { "https://github.com/discourse/discourse/issues/1" }
  end
  it_behaves_like "an engine"

  describe "#to_html" do
    it "sanitizes the input and transform the emoji into an img tag" do
      sanitized_label =
        'Test <img src="/images/emoji/twitter/+1.png?v=12" title="+1" class="emoji" alt="+1" loading="lazy" width="20" height="20">'

      expect(html).to include(sanitized_label)
    end

    it "sets the data-github-private-repo attr to false" do
      expect(html).to include("data-github-private-repo=\"false\"")
    end

    context "when the PR is in a private repo" do
      let(:repo_response) do
        resp = MultiJson.load(onebox_response("githubrepo"))
        resp["private"] = true
        MultiJson.dump(resp)
      end

      it "sets the data-github-private-repo attr to true" do
        expect(html).to include("data-github-private-repo=\"true\"")
      end
    end

    context "when github_onebox_access_token is configured" do
      before { SiteSetting.github_onebox_access_tokens = "discourse|github_pat_1234" }

      it "sends it as part of the request" do
        html
        expect(WebMock).to have_requested(:get, issue_uri).with(
          headers: {
            "Authorization" => "Bearer github_pat_1234",
          },
        )
      end
    end
  end
end
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00			`# frozen_string_literal: true`

			`RSpec.describe Onebox::Engine::GithubIssueOnebox do`
DEV: Avoid instance variables in specs Small followup of https://github.com/discourse/discourse/pull/27705 2024-07-11 18:15:48 +08:00			`let(:issue_uri) { "https://api.github.com/repos/discourse/discourse/issues/1" }`
FEATURE: Allow oneboxing private GitHub repo URLs and add private indicator to HTML (#27947) Followup 560e8aff75e4bde67bb162e8fdea52e704a19f81 The linked commit allowed oneboxing private GitHub PRs, issues, commits, and so on, but it didn't actually allow oneboxing the root repo e.g https://github.com/discourse/discourse-reactions We didn't have an engine for this, we were relying on OpenGraph tags on the HTML rendering of the page like we do with other oneboxes. To fix this, we needed a new github engine for repos specifically. Also, this commit adds a `data-github-private-repo` attribute to PR, issue, and repo onebox HTML so we have an indicator of whether the repo was private, which can be used for theme components and so on. 2024-07-19 10:21:45 +08:00			`let(:repo_uri) { "https://api.github.com/repos/discourse/discourse" }`
			`let(:repo_response) { onebox_response("githubrepo") }`
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00
DEV: Avoid instance variables in specs Small followup of https://github.com/discourse/discourse/pull/27705 2024-07-11 18:15:48 +08:00			`before do`
			`stub_request(:get, issue_uri).to_return(`
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00			`status: 200,`
			`body: onebox_response("github_issue_onebox"),`
			`)`
FEATURE: Allow oneboxing private GitHub repo URLs and add private indicator to HTML (#27947) Followup 560e8aff75e4bde67bb162e8fdea52e704a19f81 The linked commit allowed oneboxing private GitHub PRs, issues, commits, and so on, but it didn't actually allow oneboxing the root repo e.g https://github.com/discourse/discourse-reactions We didn't have an engine for this, we were relying on OpenGraph tags on the HTML rendering of the page like we do with other oneboxes. To fix this, we needed a new github engine for repos specifically. Also, this commit adds a `data-github-private-repo` attribute to PR, issue, and repo onebox HTML so we have an indicator of whether the repo was private, which can be used for theme components and so on. 2024-07-19 10:21:45 +08:00			`stub_request(:get, repo_uri).to_return(status: 200, body: repo_response)`
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00			`end`

DEV: Avoid instance variables in specs Small followup of https://github.com/discourse/discourse/pull/27705 2024-07-11 18:15:48 +08:00			`include_context "with engines" do`
			`let(:link) { "https://github.com/discourse/discourse/issues/1" }`
			`end`
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00			`it_behaves_like "an engine"`

			`describe "#to_html" do`
			`it "sanitizes the input and transform the emoji into an img tag" do`
			`sanitized_label =`
FIX: Allow sanitized-HTML in GH issues and categories oneboxes. (#25374) Follow-up to https://github.com/discourse/discourse/commit/d78357917c6a917a8a27af68756228e89c69321c Related meta topic: https://meta.discourse.org/t/html-is-not-render-on-category-onebox-description/289424: 2024-01-23 02:25:29 +08:00			`'Test <img src="/images/emoji/twitter/+1.png?v=12" title="+1" class="emoji" alt="+1" loading="lazy" width="20" height="20">'`
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00
			`expect(html).to include(sanitized_label)`
			`end`
FEATURE: Allow oneboxing private GitHub URLs (#27705) This commit adds the ability to onebox private GitHub commits, pull requests, issues, blobs, and actions using a new `github_onebox_access_token` site setting. The token must be set up in correctly to have access to the repos needed. To do this successfully with the Oneboxer, we need to skip redirects on the github.com host, otherwise we get a 404 on the URL before it is translated into a GitHub API URL and has the appropriate headers added. 2024-07-10 07:39:31 +08:00
FEATURE: Allow oneboxing private GitHub repo URLs and add private indicator to HTML (#27947) Followup 560e8aff75e4bde67bb162e8fdea52e704a19f81 The linked commit allowed oneboxing private GitHub PRs, issues, commits, and so on, but it didn't actually allow oneboxing the root repo e.g https://github.com/discourse/discourse-reactions We didn't have an engine for this, we were relying on OpenGraph tags on the HTML rendering of the page like we do with other oneboxes. To fix this, we needed a new github engine for repos specifically. Also, this commit adds a `data-github-private-repo` attribute to PR, issue, and repo onebox HTML so we have an indicator of whether the repo was private, which can be used for theme components and so on. 2024-07-19 10:21:45 +08:00			`it "sets the data-github-private-repo attr to false" do`
			`expect(html).to include("data-github-private-repo=\"false\"")`
			`end`

			`context "when the PR is in a private repo" do`
			`let(:repo_response) do`
			`resp = MultiJson.load(onebox_response("githubrepo"))`
			`resp["private"] = true`
			`MultiJson.dump(resp)`
			`end`

			`it "sets the data-github-private-repo attr to true" do`
			`expect(html).to include("data-github-private-repo=\"true\"")`
			`end`
			`end`

FEATURE: Allow oneboxing private GitHub URLs (#27705) This commit adds the ability to onebox private GitHub commits, pull requests, issues, blobs, and actions using a new `github_onebox_access_token` site setting. The token must be set up in correctly to have access to the repos needed. To do this successfully with the Oneboxer, we need to skip redirects on the github.com host, otherwise we get a 404 on the URL before it is translated into a GitHub API URL and has the appropriate headers added. 2024-07-10 07:39:31 +08:00			`context "when github_onebox_access_token is configured" do`
FEATURE: Allow for multiple GitHub onebox tokens (#27887) Followup 560e8aff75e4bde67bb162e8fdea52e704a19f81 GitHub auth tokens cannot be made with permissions to access multiple organisations. This is quite limiting. This commit changes the site setting to be a "secret list" type, which allows for a key/value mapping where the value is treated like a password in the UI. Now when a GitHub URL is requested for oneboxing, the org name from the URL is used to determine which token to use for the request. Just in case anyone used the old site setting already, there is a migration to create a `default` entry with that token in the new list setting, and for a period of time we will consider that token valid to use for all GitHub oneboxes as well. 2024-07-15 11:07:36 +08:00			`before { SiteSetting.github_onebox_access_tokens = "discourse\|github_pat_1234" }`
FEATURE: Allow oneboxing private GitHub URLs (#27705) This commit adds the ability to onebox private GitHub commits, pull requests, issues, blobs, and actions using a new `github_onebox_access_token` site setting. The token must be set up in correctly to have access to the repos needed. To do this successfully with the Oneboxer, we need to skip redirects on the github.com host, otherwise we get a 404 on the URL before it is translated into a GitHub API URL and has the appropriate headers added. 2024-07-10 07:39:31 +08:00
			`it "sends it as part of the request" do`
			`html`
DEV: Avoid instance variables in specs Small followup of https://github.com/discourse/discourse/pull/27705 2024-07-11 18:15:48 +08:00			`expect(WebMock).to have_requested(:get, issue_uri).with(`
FEATURE: Allow oneboxing private GitHub URLs (#27705) This commit adds the ability to onebox private GitHub commits, pull requests, issues, blobs, and actions using a new `github_onebox_access_token` site setting. The token must be set up in correctly to have access to the repos needed. To do this successfully with the Oneboxer, we need to skip redirects on the github.com host, otherwise we get a 404 on the URL before it is translated into a GitHub API URL and has the appropriate headers added. 2024-07-10 07:39:31 +08:00			`headers: {`
FEATURE: Allow for multiple GitHub onebox tokens (#27887) Followup 560e8aff75e4bde67bb162e8fdea52e704a19f81 GitHub auth tokens cannot be made with permissions to access multiple organisations. This is quite limiting. This commit changes the site setting to be a "secret list" type, which allows for a key/value mapping where the value is treated like a password in the UI. Now when a GitHub URL is requested for oneboxing, the org name from the URL is used to determine which token to use for the request. Just in case anyone used the old site setting already, there is a migration to create a `default` entry with that token in the new list setting, and for a period of time we will consider that token valid to use for all GitHub oneboxes as well. 2024-07-15 11:07:36 +08:00			`"Authorization" => "Bearer github_pat_1234",`
FEATURE: Allow oneboxing private GitHub URLs (#27705) This commit adds the ability to onebox private GitHub commits, pull requests, issues, blobs, and actions using a new `github_onebox_access_token` site setting. The token must be set up in correctly to have access to the repos needed. To do this successfully with the Oneboxer, we need to skip redirects on the github.com host, otherwise we get a 404 on the URL before it is translated into a GitHub API URL and has the appropriate headers added. 2024-07-10 07:39:31 +08:00			`},`
			`)`
			`end`
			`end`
SECURITY: Onebox templates' HTML injections. The use of triple-curlies on Mustache templates opens the possibility for HTML injections. 2023-10-24 01:19:21 +08:00			`end`
			`end`