SECURITY: Oneboxer should escape the URL before processing

2018-03-15 19:57:55 +05:30 · 2018-03-15 19:57:55 +05:30 · 58bb3967e5
parent c589564f6a
commit 58bb3967e5
2 changed files with 11 additions and 0 deletions
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@ -1,3 +1,4 @@
+require 'uri'
 require_dependency "onebox/discourse_onebox_sanitize_config"
 require_dependency 'final_destination'

@ -131,6 +132,7 @@ module Oneboxer
    end

    def self.onebox_raw(url, opts = {})
+      url = URI(url).to_s
      local_onebox(url, opts) || external_onebox(url)
    rescue => e
      # no point warning here, just cause we have an issue oneboxing a url
--- a/spec/components/oneboxer_spec.rb
+++ b/spec/components/oneboxer_spec.rb
@ -98,4 +98,13 @@ describe Oneboxer do

  end

+  context ".onebox_raw" do
+    it "should escape the onebox URL before processing" do
+      post = Fabricate(:post, raw: Discourse.base_url + "/new?'class=black")
+      cpp = CookedPostProcessor.new(post, invalidate_oneboxes: true)
+      cpp.post_process_oneboxes
+      expect(cpp.html).to eq("<a href=\"#{Discourse.base_url}/new?%27class=black\">http://test.localhost/new?%27class=black</a>")
+    end
+  end
+
 end