Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: vulnerability in WildcardUrlChecker

This commit is contained in:
Krzysztof Kotlarek 2019-12-13 13:12:12 +11:00 committed by Penar Musaraj
parent f47909a2b6
commit d8360b4c82
4 changed files with 62 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/services/wildcard_domain_checker.rb
View File

@ -4,7 +4,7 @@ module WildcardDomainChecker
def self.check_domain(domain, external_domain)
escaped_domain = domain[0] == "*" ? Regexp.escape(domain).sub("\\*", '\S*') : Regexp.escape(domain)
domain_regex = Regexp.new("^#{escaped_domain}$", 'i')
domain_regex = Regexp.new("\\A#{escaped_domain}\\z", 'i')
external_domain.match(domain_regex)
end

13
app/services/wildcard_url_checker.rb
View File

@ -1,12 +1,23 @@
# frozen_string_literal: true
module WildcardUrlChecker
VALID_PROTOCOLS = %w(http https discourse).freeze
def self.check_url(url, url_to_check)
return nil if !valid_url?(url_to_check)
escaped_url = Regexp.escape(url).sub("\\*", '\S*')
url_regex = Regexp.new("^#{escaped_url}$", 'i')
url_regex = Regexp.new("\\A#{escaped_url}\\z", 'i')
url_to_check.match(url_regex)
end
private
def self.valid_url?(url)
uri = URI.parse(url)
VALID_PROTOCOLS.include?(uri&.scheme) && uri&.host.present?
rescue URI::InvalidURIError
false
end
end

3
spec/services/wildcard_domain_checker_spec.rb
View File

@ -31,6 +31,9 @@ describe WildcardDomainChecker do
result4 = WildcardDomainChecker.check_domain('www.*.discourse.org', 'www.www.discourse.org')
expect(result4).to eq(nil)
result5 = WildcardDomainChecker.check_domain('www.discourse.org', "www.discourse.org\nwww.discourse.org.evil.com")
expect(result5).to eq(nil)
end
end
end

46
spec/services/wildcard_url_checker_spec.rb Normal file
View File

@ -0,0 +1,46 @@
# frozen_string_literal: true
require 'rails_helper'
describe WildcardUrlChecker do
describe 'check_url' do
context 'valid url' do
it 'returns correct domain' do
result1 = described_class.check_url('https://*.discourse.org', 'https://anything.is.possible.discourse.org')
expect(result1[0]).to eq('https://anything.is.possible.discourse.org')
result2 = described_class.check_url('https://www.discourse.org', 'https://www.discourse.org')
expect(result2[0]).to eq('https://www.discourse.org')
result3 = described_class.check_url('*', 'https://hello.discourse.org')
expect(result3[0]).to eq('https://hello.discourse.org')
result4 = described_class.check_url('discourse://auth_redirect', 'discourse://auth_redirect')
expect(result4[0]).to eq('discourse://auth_redirect')
end
end
context 'invalid domain' do
it "doesn't return the domain" do
result1 = described_class.check_url('https://*.discourse.org', 'https://bad-domain.discourse.org.evil.com')
expect(result1).to eq(nil)
result2 = described_class.check_url('https://www.discourse.org', 'https://www.discourse.org.evil.com')
expect(result2).to eq(nil)
result3 = described_class.check_url('https://www.discourse.org', 'https://www.www.discourse.org')
expect(result3).to eq(nil)
result4 = described_class.check_url('https://www.discourse.org', "https://www.discourse.org\nwww.discourse.org.evil.com")
expect(result4).to eq(nil)
result5 = described_class.check_url('ttps://www.discourse.org', "ttps://www.discourse.org")
expect(result5).to eq(nil)
result6 = described_class.check_url('https://', "https://")
expect(result6).to eq(nil)
end
end
end
end