discourse/spec/lib/onebox/preview_spec.rb

# frozen_string_literal: true

describe Onebox::Preview do
  before do
    stub_request(:get, "https://www.amazon.com/product")
      .to_return(status: 200, body: onebox_response("amazon"))
  end

  let(:preview_url) { "http://www.amazon.com/product" }
  let(:preview) { described_class.new(preview_url) }

  describe "#to_s" do
    before do
      stub_request(:get, "https://www.amazon.com/Seven-Languages-Weeks-Programming-Programmers/dp/193435659X")
        .to_return(status: 200, body: onebox_response("amazon"))
    end

    it "returns some html if given a valid url" do
      title = "Seven Languages in Seven Weeks: A Pragmatic Guide to Learning Programming Languages (Pragmatic Programmers)"
      expect(preview.to_s).to include(title)
    end

    it "returns an empty string if the url is not valid" do
      expect(described_class.new('not a url').to_s).to eq("")
    end
  end

  describe "max_width" do
    let(:iframe_html) { '<iframe src="//player.vimeo.com/video/96017582" width="1280" height="720" frameborder="0" title="GO BIG OR GO HOME" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>' }

    it "doesn't change dimensions without an option" do
      iframe = described_class.new(preview_url)
      iframe.stubs(:engine_html).returns(iframe_html)

      result = iframe.to_s
      expect(result).to include("width=\"1280\"")
      expect(result).to include("height=\"720\"")
    end

    it "doesn't change dimensions if it is smaller than `max_width`" do
      iframe = described_class.new(preview_url, max_width: 2000)
      iframe.stubs(:engine_html).returns(iframe_html)

      result = iframe.to_s
      expect(result).to include("width=\"1280\"")
      expect(result).to include("height=\"720\"")
    end

    it "changes dimensions if larger than `max_width`" do
      iframe = described_class.new(preview_url, max_width: 900)
      iframe.stubs(:engine_html).returns(iframe_html)

      result = iframe.to_s
      expect(result).to include("width=\"900\"")
      expect(result).to include("height=\"506\"")
    end
  end

  describe "#engine" do
    let(:preview_image_url) { "http://www.example.com/image/without/file_extension" }
    let(:preview_image) { described_class.new(preview_image_url, content_type: 'image/png') }

    it "returns an engine" do
      expect(preview.send(:engine)).to be_an(Onebox::Engine)
    end

    it "can match based on content_type" do
      expect(preview_image.send(:engine)).to be_an(Onebox::Engine::ImageOnebox)
    end
  end

  describe "xss" do
    let(:xss) { "wat' onerror='alert(/XSS/)" }
    let(:img_html) { "<img src='#{xss}'>" }

    it "prevents XSS" do
      preview = described_class.new(preview_url)
      preview.stubs(:engine_html).returns(img_html)

      result = preview.to_s
      expect(result).not_to match(/onerror/)
    end
  end

  describe "iframe sanitizer" do
    let(:iframe_html) { "<iframe src='https://thirdparty.example.com'>" }

    it "sanitizes iframes from unknown origins" do
      preview = described_class.new(preview_url)
      preview.stubs(:engine_html).returns(iframe_html)

      result = preview.to_s
      expect(result).not_to include(' src="https://thirdparty.example.com"')
      expect(result).to include(' data-unsanitized-src="https://thirdparty.example.com"')
    end

    it "allows allowed origins" do
      preview = described_class.new(preview_url, allowed_iframe_origins: ["https://thirdparty.example.com"])
      preview.stubs(:engine_html).returns(iframe_html)

      result = preview.to_s
      expect(result).to include ' src="https://thirdparty.example.com"'
    end

    it "allows wildcard allowed origins" do
      preview = described_class.new(preview_url, allowed_iframe_origins: ["https://*.example.com"])
      preview.stubs(:engine_html).returns(iframe_html)

      result = preview.to_s
      expect(result).to include ' src="https://thirdparty.example.com"'
    end
  end
end
DEV: Absorb onebox gem into core (#12979) * Move onebox gem in core library * Update template file path * Remove warning for onebox gem caching * Remove onebox version file * Remove onebox gem * Add sanitize gem * Require onebox library in lazy-yt plugin * Remove onebox web specific code This code was used in standalone onebox Sinatra application * Merge Discourse specific AllowlistedGenericOnebox engine in core * Fix onebox engine filenames to match class name casing * Move onebox specs from gem into core * DEV: Rename `response` helper to `onebox_response` Fixes a naming collision. * Require rails_helper * Don't use `before/after(:all)` * Whitespace * Remove fakeweb * Remove poor unit tests * DEV: Re-add fakeweb, plugins are using it * Move onebox helpers * Stub Instagram API * FIX: Follow additional redirect status codes (#476) Don’t throw errors if we encounter 303, 307 or 308 HTTP status codes in responses * Remove an empty file * DEV: Update the license file Using the copy from https://choosealicense.com/licenses/gpl-2.0/# Hopefully this will enable GitHub to show the license UI? * DEV: Update embedded copyrights * DEV: Add Onebox copyright notice * DEV: Add MIT license, convert COPYRIGHT.txt to md * DEV: Remove an incorrect copyright claim Co-authored-by: Jarek Radosz <jradosz@gmail.com> Co-authored-by: jbrw <jamie@goatforce5.org> 2021-05-26 05:41:35 -04:00			`# frozen_string_literal: true`

			`describe Onebox::Preview do`
			`before do`
			`stub_request(:get, "https://www.amazon.com/product")`
			`.to_return(status: 200, body: onebox_response("amazon"))`
			`end`

			`let(:preview_url) { "http://www.amazon.com/product" }`
			`let(:preview) { described_class.new(preview_url) }`

			`describe "#to_s" do`
			`before do`
			`stub_request(:get, "https://www.amazon.com/Seven-Languages-Weeks-Programming-Programmers/dp/193435659X")`
			`.to_return(status: 200, body: onebox_response("amazon"))`
			`end`

			`it "returns some html if given a valid url" do`
			`title = "Seven Languages in Seven Weeks: A Pragmatic Guide to Learning Programming Languages (Pragmatic Programmers)"`
			`expect(preview.to_s).to include(title)`
			`end`

			`it "returns an empty string if the url is not valid" do`
			`expect(described_class.new('not a url').to_s).to eq("")`
			`end`
			`end`

			`describe "max_width" do`
			`let(:iframe_html) { '<iframe src="//player.vimeo.com/video/96017582" width="1280" height="720" frameborder="0" title="GO BIG OR GO HOME" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>' }`

			`it "doesn't change dimensions without an option" do`
			`iframe = described_class.new(preview_url)`
			`iframe.stubs(:engine_html).returns(iframe_html)`

			`result = iframe.to_s`
			`expect(result).to include("width=\"1280\"")`
			`expect(result).to include("height=\"720\"")`
			`end`

			it "doesn't change dimensions if it is smaller than `max_width`" do
			`iframe = described_class.new(preview_url, max_width: 2000)`
			`iframe.stubs(:engine_html).returns(iframe_html)`

			`result = iframe.to_s`
			`expect(result).to include("width=\"1280\"")`
			`expect(result).to include("height=\"720\"")`
			`end`

			it "changes dimensions if larger than `max_width`" do
			`iframe = described_class.new(preview_url, max_width: 900)`
			`iframe.stubs(:engine_html).returns(iframe_html)`

			`result = iframe.to_s`
			`expect(result).to include("width=\"900\"")`
			`expect(result).to include("height=\"506\"")`
			`end`
			`end`

			`describe "#engine" do`
FEATURE: Onebox can match engines based on the content_type (#13876) * FEATURE: Onebox can match engines based on the content_type `FinalDestination` now returns the `content_type` of a resolved URL. `Oneboxer` passes this value to `Onebox` itself. Onebox engines can now specify a `matches_content_type` regex of content_types that the engine can handle, regardless of the URL. `ImageOnebox` will match URLs with a content type of `image/png`, `jpg`, `gif`, `bmp`, `tif`, etc. This will allow images that exist at a URL without a file type extension to be correctly rendered, assuming a valid `content_type` is returned. 2021-07-30 13:36:30 -04:00			`let(:preview_image_url) { "http://www.example.com/image/without/file_extension" }`
			`let(:preview_image) { described_class.new(preview_image_url, content_type: 'image/png') }`

DEV: Absorb onebox gem into core (#12979) * Move onebox gem in core library * Update template file path * Remove warning for onebox gem caching * Remove onebox version file * Remove onebox gem * Add sanitize gem * Require onebox library in lazy-yt plugin * Remove onebox web specific code This code was used in standalone onebox Sinatra application * Merge Discourse specific AllowlistedGenericOnebox engine in core * Fix onebox engine filenames to match class name casing * Move onebox specs from gem into core * DEV: Rename `response` helper to `onebox_response` Fixes a naming collision. * Require rails_helper * Don't use `before/after(:all)` * Whitespace * Remove fakeweb * Remove poor unit tests * DEV: Re-add fakeweb, plugins are using it * Move onebox helpers * Stub Instagram API * FIX: Follow additional redirect status codes (#476) Don’t throw errors if we encounter 303, 307 or 308 HTTP status codes in responses * Remove an empty file * DEV: Update the license file Using the copy from https://choosealicense.com/licenses/gpl-2.0/# Hopefully this will enable GitHub to show the license UI? * DEV: Update embedded copyrights * DEV: Add Onebox copyright notice * DEV: Add MIT license, convert COPYRIGHT.txt to md * DEV: Remove an incorrect copyright claim Co-authored-by: Jarek Radosz <jradosz@gmail.com> Co-authored-by: jbrw <jamie@goatforce5.org> 2021-05-26 05:41:35 -04:00			`it "returns an engine" do`
			`expect(preview.send(:engine)).to be_an(Onebox::Engine)`
			`end`
FEATURE: Onebox can match engines based on the content_type (#13876) * FEATURE: Onebox can match engines based on the content_type `FinalDestination` now returns the `content_type` of a resolved URL. `Oneboxer` passes this value to `Onebox` itself. Onebox engines can now specify a `matches_content_type` regex of content_types that the engine can handle, regardless of the URL. `ImageOnebox` will match URLs with a content type of `image/png`, `jpg`, `gif`, `bmp`, `tif`, etc. This will allow images that exist at a URL without a file type extension to be correctly rendered, assuming a valid `content_type` is returned. 2021-07-30 13:36:30 -04:00
			`it "can match based on content_type" do`
			`expect(preview_image.send(:engine)).to be_an(Onebox::Engine::ImageOnebox)`
			`end`
DEV: Absorb onebox gem into core (#12979) * Move onebox gem in core library * Update template file path * Remove warning for onebox gem caching * Remove onebox version file * Remove onebox gem * Add sanitize gem * Require onebox library in lazy-yt plugin * Remove onebox web specific code This code was used in standalone onebox Sinatra application * Merge Discourse specific AllowlistedGenericOnebox engine in core * Fix onebox engine filenames to match class name casing * Move onebox specs from gem into core * DEV: Rename `response` helper to `onebox_response` Fixes a naming collision. * Require rails_helper * Don't use `before/after(:all)` * Whitespace * Remove fakeweb * Remove poor unit tests * DEV: Re-add fakeweb, plugins are using it * Move onebox helpers * Stub Instagram API * FIX: Follow additional redirect status codes (#476) Don’t throw errors if we encounter 303, 307 or 308 HTTP status codes in responses * Remove an empty file * DEV: Update the license file Using the copy from https://choosealicense.com/licenses/gpl-2.0/# Hopefully this will enable GitHub to show the license UI? * DEV: Update embedded copyrights * DEV: Add Onebox copyright notice * DEV: Add MIT license, convert COPYRIGHT.txt to md * DEV: Remove an incorrect copyright claim Co-authored-by: Jarek Radosz <jradosz@gmail.com> Co-authored-by: jbrw <jamie@goatforce5.org> 2021-05-26 05:41:35 -04:00			`end`

			`describe "xss" do`
			`let(:xss) { "wat' onerror='alert(/XSS/)" }`
			`let(:img_html) { "<img src='#{xss}'>" }`

			`it "prevents XSS" do`
			`preview = described_class.new(preview_url)`
			`preview.stubs(:engine_html).returns(img_html)`

			`result = preview.to_s`
			`expect(result).not_to match(/onerror/)`
			`end`
			`end`

			`describe "iframe sanitizer" do`
			`let(:iframe_html) { "<iframe src='https://thirdparty.example.com'>" }`

			`it "sanitizes iframes from unknown origins" do`
			`preview = described_class.new(preview_url)`
			`preview.stubs(:engine_html).returns(iframe_html)`

			`result = preview.to_s`
			`expect(result).not_to include(' src="https://thirdparty.example.com"')`
			`expect(result).to include(' data-unsanitized-src="https://thirdparty.example.com"')`
			`end`

			`it "allows allowed origins" do`
			`preview = described_class.new(preview_url, allowed_iframe_origins: ["https://thirdparty.example.com"])`
			`preview.stubs(:engine_html).returns(iframe_html)`

			`result = preview.to_s`
			`expect(result).to include ' src="https://thirdparty.example.com"'`
			`end`

			`it "allows wildcard allowed origins" do`
			`preview = described_class.new(preview_url, allowed_iframe_origins: ["https://*.example.com"])`
			`preview.stubs(:engine_html).returns(iframe_html)`

			`result = preview.to_s`
			`expect(result).to include ' src="https://thirdparty.example.com"'`
			`end`
			`end`
			`end`