SECURITY: Fix Stored-dom XSS via Facebook Oneboxes

Jan Cernik 2024-05-23 20:11:27 -03:00 committed by Nat
parent 8d5b21170e
commit 26aef0c288
No known key found for this signature in database
GPG Key ID: 4938B35D927EC773
2 changed files with 22 additions and 1 deletions


@ -6,7 +6,7 @@ module Onebox
include Engine
include StandardEmbed
matches_regexp(%r{^https?://.*\.facebook\.com/(\w+)/(videos|\?).*})
matches_regexp(%r{^https?://(?:www\.)?facebook\.com/(\w+)/(videos|\?).*})
always_https
requires_iframe_origins "https://www.facebook.com"
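Review bot: The rewritten pattern on the `matches_regexp` line still anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, so a value with a line break before the URL would get past the host check; `\A` anchors the whole string: `matches_regexp(%r{\Ahttps?://(?:www\.)?facebook\.com/(\w+)/(videos|\?).*})`. Whether the string the matcher is applied to can ever contain a newline depends on how `matches_regexp` invokes it, which is outside this hunk, so treat this as defence in depth rather than a confirmed bypass. The narrowed host part also stops accepting other legitimate subdomains such as `m.facebook.com`; if that is intended, a one-line comment above the matcher saying so would save the next reader from "fixing" it back, e.g. `# Only the apex and www hosts are oneboxed; other subdomains are deliberately rejected`. The enclosing class begins before this hunk.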


@ -0,0 +1,21 @@
# frozen_string_literal: true
RSpec.describe Onebox::Engine::FacebookMediaOnebox do
describe "regex URI match" do
it "matches videos with title" do
expect(match("https://www.facebook.com/user/videos/title/123456789/")).to eq true
end
it "matches videos without a title" do
expect(match("https://facebook.com/user/videos/123456789")).to eq true
end
it "only matches the facebook.com domain" do
expect(match("https://somedomain.com/a.facebook.com/a/videos")).to eq false
end
def match(url)
Onebox::Engine::FacebookMediaOnebox === URI(url)
end
end
end
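Review bot: The single negative example in `only matches the facebook.com domain` only covers a host that ends in `.facebook.com`, so the spec does not pin the other shapes the new pattern rejects and a later loosening of the regex would pass these tests. Add a constructed case for a host that merely begins with the name, `expect(match("https://facebook.com.example/user/videos/1")).to eq false`, and one recording that non-www subdomains are now excluded, `expect(match("https://m.facebook.com/user/videos/1")).to eq false`, so the narrowing is documented by the spec rather than implied. A short comment above the `match` helper, e.g. `# Mirrors how the engine is selected for a URL: case-equality against a parsed URI`, would explain why the spec goes through `===` instead of calling the regex directly.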