github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-13 04:15:36 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
discourse/spec/lib/onebox/engine/wikipedia_onebox_spec.rb
Blake Erickson 2ddb27cf9c
SECURITY: Restrict allowed URL patterns 
Restrict allowed URL patterns for oneboxes.
2025-02-04 13:35:02 -03:00

80 lines
2.3 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
RSpec.describe Onebox::Engine::WikipediaOnebox do
let(:wp_link) { "http://en.wikipedia.org/wiki/Billy_Jack" }
before do
stub_request(:get, "https://en.wikipedia.org/wiki/Billy_Jack").to_return(
status: 200,
body: onebox_response(described_class.onebox_name),
)
end
include_context "with engines" do
let(:link) { wp_link }
end
it_behaves_like "an engine"
describe "#to_html" do
it "includes article image" do
expect(html).to include("Billy_Jack_poster.jpg")
end
it "includes summary" do
expect(html).to include("Billy Jack is a 1971 action/drama")
end
end
describe "url with section hash" do
let(:wp_link) { "http://en.wikipedia.org/wiki/Billy_Jack#Soundtrack" }
it "includes summary" do
expect(html).to include("The film score was composed")
end
end
describe "url with url-encoded section hash" do
let(:wp_link) do
"https://fr.wikipedia.org/wiki/Th%C3%A9ologie#La_th%C3%A9ologie_selon_Aristote"
end
before do
stub_request(:get, "https://fr.wikipedia.org/wiki/Th%C3%A9ologie").to_return(
status: 200,
body: onebox_response("wikipedia_url_encoded"),
)
end
it "includes summary" do
expect(html).to include("Le terme est repris par")
end
end
describe ".matches_regexp" do
it "matches valid Wikipedia URL with .org" do
valid_url_org = URI("https://en.wikipedia.org/wiki/Ruby_(programming_language)")
expect(described_class === valid_url_org).to eq(true)
end
it "matches valid Wikipedia URL with .com" do
valid_url_com = URI("https://en.wikipedia.com/wiki/Ruby_(programming_language)")
expect(described_class === valid_url_com).to eq(true)
end
it "does not match URL with extra domain" do
malicious_url = URI("https://en.wikipedia.org.malicious.com/wiki/Ruby_(programming_language)")
expect(described_class === malicious_url).to eq(false)
end
it "does not match URL with subdomain" do
subdomain_url = URI("https://sub.en.wikipedia.org/wiki/Ruby_(programming_language)")
expect(described_class === subdomain_url).to eq(false)
end
it "does not match unrelated URL" do
unrelated_url = URI("https://example.com/wiki/wikipedia.org")
expect(described_class === unrelated_url).to eq(false)
end
end
end
Reference in New Issue View Git Blame Copy Permalink