Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: a85d811dbb
Branches Tags
zammad
/
spec
/
lib
/
html_sanitizer
/
strict_spec.rb

strict_spec.rb 18 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260 
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. require 'rails_helper'
    4. 

  4. 

  5. RSpec.describe HtmlSanitizer::Strict, :aggregate_failures do
    6. 

  6.   def sanitize(input, external: false)
    7. 

  7.     described_class.new.sanitize(input, external: external, timeout: false)
    8. 

  8.   end
    9. 

  9. 

  10.   describe('#sanitize') do
    11. 

  11.     it 'performs various XSS checks' do # rubocop:disable RSpec/ExampleLength
    12. 

  12.       expect(sanitize('<div class="to-be-removed">test</div><script>alert();</script>')).to eq('<div>test</div>')
    13. 

  13.       expect(sanitize('<b>123</b>')).to eq('<b>123</b>')
    14. 

  14.       expect(sanitize('<script><b>123</b></script>')).to eq('')
    15. 

  15.       expect(sanitize('<script><style><b>123</b></style></script>')).to eq('')
    16. 

  16.       expect(sanitize('<abc><i><b>123</b><bbb>123</bbb></i></abc>')).to eq('<i><b>123</b>123</i>')
    17. 

  17.       expect(sanitize('<abc><i><b>123</b><bbb>123<i><ccc>abc</ccc></i></bbb></i></abc>')).to eq('<i><b>123</b>123<i>abc</i></i>')
    18. 

  18.       expect(sanitize('<not_existing>123</not_existing>')).to eq('123')
    19. 

  19.       expect(sanitize('<script type="text/javascript">alert("XSS!");</script>')).to eq('')
    20. 

  20.       expect(sanitize('<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>')).to eq('')
    21. 

  21.       expect(sanitize('<IMG SRC="javascript:alert(\'XSS\');">')).to eq('')
    22. 

  22.       expect(sanitize('<IMG SRC=javascript:alert(\'XSS\')>')).to eq('')
    23. 

  23.       expect(sanitize('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>')).to eq('')
    24. 

  24.       expect(sanitize('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>')).to eq('')
    25. 

  25.       expect(sanitize('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">')).to eq('<img>"&gt;')
    26. 

  26.       expect(sanitize('<IMG SRC=# onmouseover="alert(\'xxs\')">')).to eq('<img src="#">')
    27. 

  27.       expect(sanitize('<IMG SRC="jav  ascript:alert(\'XSS\');">')).to eq('')
    28. 

  28.       expect(sanitize('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">')).to eq('')
    29. 

  29.       expect(sanitize('<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">')).to eq('')
    30. 

  30.       expect(sanitize('<IMG SRC="jav&#x0D;ascript:alert(\'XSS\');">')).to eq('')
    31. 

  31.       expect(sanitize('<IMG SRC=" &#14;  javascript:alert(\'XSS\');">')).to eq('<img src="">')
    32. 

  32.       expect(sanitize('<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>')).to eq('')
    33. 

  33.       expect(sanitize('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>')).to eq('')
    34. 

  34.       expect(sanitize('<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>')).to eq('')
    35. 

  35.       expect(sanitize('<<SCRIPT>alert("XSS");//<</SCRIPT>')).to eq('&lt;')
    36. 

  36.       expect(sanitize('<SCRIPT SRC=http://xss.rocks/xss.js?< B >')).to eq('')
    37. 

  37.       expect(sanitize('<SCRIPT SRC=//xss.rocks/.j>')).to eq('')
    38. 

  38.       expect(sanitize('<IMG SRC="javascript:alert(\'XSS\')"')).to eq('')
    39. 

  39.       expect(sanitize('<IMG SRC="javascript:alert(\'XSS\')" abc<b>123</b>')).to eq('123')
    40. 

  40.       expect(sanitize('<iframe src=http://xss.rocks/scriptlet.html <')).to eq('')
    41. 

  41.       expect(sanitize('</script><script>alert(\'XSS\');</script>')).to eq('')
    42. 

  42.       expect(sanitize('<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>')).to eq('<ul><li>XSS</li></ul>')
    43. 

  43.       expect(sanitize('<IMG SRC=\'vbscript:msgbox("XSS")\'>')).to eq('')
    44. 

  44.       expect(sanitize('<IMG SRC="livescript:[code]">')).to eq('')
    45. 

  45.       expect(sanitize('<svg/onload=alert(\'XSS\')>')).to eq('')
    46. 

  46.       expect(sanitize('<BODY ONLOAD=alert(\'XSS\')>')).to eq('')
    47. 

  47.       expect(sanitize('<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">')).to eq('')
    48. 

  48.       expect(sanitize('<STYLE>@import\'http://xss.rocks/xss.css\';</STYLE>')).to eq('')
    49. 

  49.       expect(sanitize('<META HTTP-EQUIV="Link" Content="<http://xss.rocks/xss.css>; REL=stylesheet">')).to eq('')
    50. 

  50.       expect(sanitize('<IMG STYLE="java/*XSS*/script:(alert(\'XSS\'), \'\')">')).to eq('<img>')
    51. 

  51.       expect(sanitize('<IMG src="java/*XSS*/script:(alert(\'XSS\'), \'\')">')).to eq('')
    52. 

  52.       expect(sanitize('<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>')).to eq('')
    53. 

  53.       expect(sanitize('<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">')).to eq('<table><td></td></table>')
    54. 

  54.       expect(sanitize('<DIV STYLE="background-image: url(javascript:alert(\'XSS\'), \'\')">')).to eq('<div></div>')
    55. 

  55.       expect(sanitize('<a href="/some/path">test</a>')).to eq('<a href="/some/path">test</a>')
    56. 

  56.       expect(sanitize('<a href="https://some/path">test</a>')).to eq('<a href="https://some/path" rel="nofollow noreferrer noopener" target="_blank" title="https://some/path">test</a>')
    57. 

  57.       expect(sanitize('<a href="https://some/path">test</a>', external: true)).to eq('<a href="https://some/path" rel="nofollow noreferrer noopener" target="_blank" title="https://some/path">test</a>')
    58. 

  58.       expect(sanitize('<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML>')).to eq('<i><b></b></i>')
    59. 

  59.       expect(sanitize('<IMG SRC="javas<!-- -->cript:alert(\'XSS\')">')).to eq('')
    60. 

  60.       expect(sanitize(' <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-')).to eq('  +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-')
    61. 

  61.       expect(sanitize('<SCRIPT a=">" SRC="httx://xss.rocks/xss.js"></SCRIPT>')).to eq('')
    62. 

  62.       expect(sanitize("<A HREF=\"h\ntt  p://6 6.000146.0x7.147/\">XSS</A>")).to eq('<a href="h%0Att%20%20p://6%206.000146.0x7.147/" rel="nofollow noreferrer noopener" target="_blank" title="h%0Att%20%20p://6%206.000146.0x7.147/">XSS</a>')
    63. 

  63.       expect(sanitize("<A HREF=\"h\ntt  p://6 6.000146.0x7.147/\">XSS</A>", external: true)).to eq('<a href="http://h%0Att%20%20p://6%206.000146.0x7.147/" rel="nofollow noreferrer noopener" target="_blank" title="http://h%0Att%20%20p://6%206.000146.0x7.147/">XSS</a>')
    64. 

  64.       expect(sanitize('<A HREF="//www.google.com/">XSS</A>')).to eq('<a href="//www.google.com/" rel="nofollow noreferrer noopener" target="_blank" title="//www.google.com/">XSS</a>')
    65. 

  65.       expect(sanitize('<A HREF="//www.google.com/">XSS</A>', external: true)).to eq('<a href="//www.google.com/" rel="nofollow noreferrer noopener" target="_blank" title="//www.google.com/">XSS</a>')
    66. 

  66.       expect(sanitize('<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>')).to eq('X')
    67. 

  67.       expect(sanitize('<maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>')).to eq('CLICKME')
    68. 

  68.       expect(sanitize('<a xlink:href="javascript:alert(2)">CLICKME</a>')).to eq('CLICKME')
    69. 

  69.       expect(sanitize('<a xlink:href="javascript:alert(2)">CLICKME</a>', external: true)).to eq('CLICKME')
    70. 

  70.       expect(sanitize('<!--<img src="--><img src=x onerror=alert(1)//">')).to eq('<img src="x">')
    71. 

  71.       expect(sanitize('<![><img src="]><img src=x onerror=alert(1)//">')).to eq('<img src="]&gt;&lt;img%20src=x%20onerror=alert(1)//">')
    72. 

  72.       expect(sanitize('<svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>')).to eq('')
    73. 

  73.       expect(sanitize('<abc><img src="</abc><img src=x onerror=alert(1)//">')).to eq('<img src="&lt;/abc&gt;&lt;img%20src=x%20onerror=alert(1)//">')
    74. 

  74.       expect(sanitize('<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>')).to eq('')
    75. 

  75.       expect(sanitize('<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>')).to eq('')
    76. 

  76.       expect(sanitize('<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">')).to eq('<img>')
    77. 

  77.       expect(sanitize('<a href="[a]java[b]script[c]:alert(1)">XXX</a>')).to eq('<a href="[a]java[b]script[c]:alert(1)">XXX</a>')
    78. 

  78.       expect(sanitize('<a href="[a]java[b]script[c]:alert(1)">XXX</a>', external: true)).to eq('<a href="http://[a]java[b]script[c]:alert(1)" rel="nofollow noreferrer noopener" target="_blank" title="http://[a]java[b]script[c]:alert(1)">XXX</a>')
    79. 

  79.       expect(sanitize('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>')).to eq('')
    80. 

  80.     end
    81. 

  81. 

  82.     it 'performs style cleanups' do
    83. 

  83.       expect(sanitize('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>')).to eq('<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>')
    84. 

  84.       expect(sanitize('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>', external: true)).to eq('<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>')
    85. 

  85.       expect(sanitize('<table><tr style="font-size: 0"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    86. 

  86.       expect(sanitize('<table><tr style="font-size: 0px"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    87. 

  87.       expect(sanitize('<table><tr style="font-size: 0pt"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    88. 

  88.       expect(sanitize('<table><tr style="font-size:0"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    89. 

  89.       expect(sanitize('<table><tr style="font-Size:0px"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    90. 

  90.       expect(sanitize('<table><tr style="font-size:0em"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    91. 

  91.       expect(sanitize('<table><tr style=" Font-size:0%"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    92. 

  92.       expect(sanitize('<table><tr style="font-size:0%;display: none;"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    93. 

  93.       expect(sanitize('<table><tr style="font-size:0%;visibility:hidden;"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    94. 

  94.       expect(sanitize('<table><tr style="font-size:0%;visibility:hidden;"><td>123</td></tr></table>')).to eq('<table><tr><td>123</td></tr></table>')
    95. 

  95.       expect(sanitize('<html><body><div style="font-family: Meiryo, メイリオ, &quot;Hiragino Sans&quot;, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">このアドレスへのメルマガを解除してください。</div></body></html>')).to eq('<div>このアドレスへのメルマガを解除してください。</div>')
    96. 

  96.     end
    97. 

  97. 

  98.     context 'when performing multiline style cleanup' do
    99. 

  99.       let(:input) { <<~INPUT }
    100. 

  100.         <div>
    101. 

  101.         <style type="text/css">#outlook A {
    102. 

  102.         .content { WIDTH: 100%; MAX-WIDTH: 740px }
    103. 

  103.         A { COLOR: #666666; TEXT-DECORATION: none }
    104. 

  104.         A:link { COLOR: #666666; TEXT-DECORATION: none }
    105. 

  105.         A:hover { COLOR: #666666; TEXT-DECORATION: none }
    106. 

  106.         A:active { COLOR: #666666; TEXT-DECORATION: none }
    107. 

  107.         A:focus { COLOR: #666666; TEXT-DECORATION: none }
    108. 

  108.         BODY { FONT-FAMILY: Calibri, Arial, Verdana, sans-serif }
    109. 

  109.         </style>
    110. 

  110.         <!--[if (gte mso 9)|(IE)]>
    111. 

  111.         <META name=GENERATOR content="MSHTML 9.00.8112.16800"></HEAD>
    112. 

  112.         <BODY bgColor=#ffffff>
    113. 

  113.         <DIV><FONT size=2 face=Arial></FONT>&nbsp;</DIV>
    114. 

  114.         <BLOCKQUOTE
    115. 

  115.         style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
    116. 

  116.           <DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
    117. 

  117.           <DIV style="FONT: 10pt arial"><B>To:</B> <A title=smith.test@example.dk
    118. 

  118.           href="mailto:smith.test@example.dk">smith.test@example.dk</A> </DIV>
    119. 

  119.           <DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, November 10, 2017 9:11
    120. 

  120.           PM</DIV>
    121. 

  121.           <DIV style="FONT: 10pt arial"><B>Subject:</B> Din bestilling hos
    122. 

  122.           example.dk - M123 - KD1234</DIV>
    123. 

  123.           <div>&nbsp;</div>
    124. 

  124.         <![endif]-->test 123
    125. 

  125.         <blockquote></div>
    126. 

  126.       INPUT
    127. 

  127.       let(:output) { <<~OUTPUT }
    128. 

  128. 

  129.         <div>
    130. 

  130. 

  131.         test 123
    132. 

  132.         <blockquote></blockquote>
    133. 

  133.         </div>
    134. 

  134.       OUTPUT
    135. 

  135. 

  136.       it 'filters correctly' do
    137. 

  137.         expect(sanitize(input)).to eq(output)
    138. 

  138.       end
    139. 

  139.     end
    140. 

  140. 

  141.     context 'when performing more multiline style cleanup' do
    142. 

  142.       let(:input) { <<~INPUT }
    143. 

  143.         <style><!--
    144. 

  144.         /* Font Definitions */
    145. 

  145.         @font-face
    146. 

  146.           {font-family:"Cambria Math";
    147. 

  147.           panose-1:2 4 5 3 5 4 6 3 2 4;}
    148. 

  148.           {page:WordSection1;}</style><!--[if gte mso 9]><xml>
    149. 

  149.         <o:shapedefaults v:ext="edit" spidmax="1026" />
    150. 

  150.         </xml><![endif]--><!--[if gte mso 9]><xml>
    151. 

  151.         <o:shapelayout v:ext="edit">
    152. 

  152.         <o:idmap v:ext="edit" data="1" />
    153. 

  153.         </o:shapelayout></xml><![endif]-->
    154. 

  154.         <div>123</div>
    155. 

  155.         <a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1">abc</a></div>
    156. 

  156.       INPUT
    157. 

  157.       let(:output) { <<~OUTPUT }
    158. 

  158. 

  159.         <div>123</div>
    160. 

  160.         <a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">abc</a>
    161. 

  161.       OUTPUT
    162. 

  162. 

  163.       it 'filters correctly' do
    164. 

  164.         expect(sanitize(input)).to eq(output)
    165. 

  165.       end
    166. 

  166.     end
    167. 

  167. 

  168.     it 'handles mailto: links' do
    169. 

  169.       expect(sanitize('<a href="mailto:testäöü@example.com" id="123">test</a>')).to eq('<a href="mailto:test%C3%A4%C3%B6%C3%BC@example.com">test</a>')
    170. 

  170.     end
    171. 

  171. 

  172.     context 'when handling code blocks' do
    173. 

  173.       let(:input) { <<~INPUT }
    174. 

  174.               <pre><code>apt-get update
    175. 

  175.         Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
    176. 

  176.         Hit:2 http://de.archive.ubuntu.com/ubuntu focal InRelease
    177. 

  177.         Hit:3 http://de.archive.ubuntu.com/ubuntu focal-updates InRelease
    178. 

  178.         Get:4 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ InR=
    179. 

  179.         elease [3820 B]
    180. 

  180.         Hit:5 http://de.archive.ubuntu.com/ubuntu focal-backports InRelease
    181. 

  181.         Get:6 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ InRelease [3781 =
    182. 

  182.         B]
    183. 

  183.         Get:7 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Sou=
    184. 

  184.         rces [2710 B]
    185. 

  185.         Get:8 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Pac=
    186. 

  186.         kages [6507 B]
    187. 

  187.         Get:9 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Sources [9066 B]
    188. 

  188.         Get:10 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Packages [23.8 =
    189. 

  189.         kB]
    190. 

  190.         Get:11 http://security.ubuntu.com/ubuntu focal-security/main amd64 DEP-11 M=
    191. 

  191.         etadata [40.6 kB]
    192. 

  192.         Get:12 http://security.ubuntu.com/ubuntu focal-security/universe amd64 DEP-=
    193. 

  193.         11 Metadata [66.3 kB]
    194. 

  194.         Get:13 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 DE=
    195. 

  195.         P-11 Metadata [2464 B]
    196. 

  196.         Fetched 273 kB in 1s (288 kB/s)
    197. 

  197.         Reading package lists...
    198. 

  198.         Batterie-Status pr&uuml;fen
    199. 

  199.         Reading package lists...
    200. 

  200.         Building dependency tree...</code></pre>
    201. 

  201.       INPUT
    202. 

  202. 

  203.       let(:output) { <<~OUTPUT }
    204. 

  204.               <pre><code>apt-get update
    205. 

  205.         Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
    206. 

  206.         Hit:2 http://de.archive.ubuntu.com/ubuntu focal InRelease
    207. 

  207.         Hit:3 http://de.archive.ubuntu.com/ubuntu focal-updates InRelease
    208. 

  208.         Get:4 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ InR=
    209. 

  209.         elease [3820 B]
    210. 

  210.         Hit:5 http://de.archive.ubuntu.com/ubuntu focal-backports InRelease
    211. 

  211.         Get:6 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ InRelease [3781 =
    212. 

  212.         B]
    213. 

  213.         Get:7 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Sou=
    214. 

  214.         rces [2710 B]
    215. 

  215.         Get:8 http://10.10.21.205:3207/dprepo/ubuntu experimental/20.04_x86_64/ Pac=
    216. 

  216.         kages [6507 B]
    217. 

  217.         Get:9 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Sources [9066 B]
    218. 

  218.         Get:10 http://10.10.21.205:3207/dprepo/ubuntu 20.04_x86_64/ Packages [23.8 =
    219. 

  219.         kB]
    220. 

  220.         Get:11 http://security.ubuntu.com/ubuntu focal-security/main amd64 DEP-11 M=
    221. 

  221.         etadata [40.6 kB]
    222. 

  222.         Get:12 http://security.ubuntu.com/ubuntu focal-security/universe amd64 DEP-=
    223. 

  223.         11 Metadata [66.3 kB]
    224. 

  224.         Get:13 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 DE=
    225. 

  225.         P-11 Metadata [2464 B]
    226. 

  226.         Fetched 273 kB in 1s (288 kB/s)
    227. 

  227.         Reading package lists...
    228. 

  228.         Batterie-Status prüfen
    229. 

  229.         Reading package lists...
    230. 

  230.         Building dependency tree...</code></pre>
    231. 

  231.       OUTPUT
    232. 

  232. 

  233.       it 'handles code blocks correctly' do
    234. 

  234.         expect(sanitize(input)).to eq(output)
    235. 

  235.       end
    236. 

  236.     end
    237. 

  237. 

  238.     context 'when checking attachment URLs' do
    239. 

  239.       let(:api_path)                  { Rails.configuration.api_path }
    240. 

  240.       let(:http_type)                 { Setting.get('http_type') }
    241. 

  241.       let(:fqdn)                      { Setting.get('fqdn') }
    242. 

  242.       let(:attachment_url)            { "#{http_type}://#{fqdn}#{api_path}/ticket_attachment/239/986/1653" }
    243. 

  243.       let(:attachment_url_good)       { "#{attachment_url}?disposition=attachment" }
    244. 

  244.       let(:attachment_url_evil)       { "#{attachment_url}?disposition=inline" }
    245. 

  245.       let(:different_fqdn_url)        { attachment_url_evil.gsub(fqdn, 'some.other.tld') }
    246. 

  246.       let(:attachment_url_evil_other) { "#{attachment_url}?disposition=some_other" }
    247. 

  247. 

  248.       it 'handles attachment URLs correctly' do
    249. 

  249.         expect(sanitize('<a href="/some/path%20test.pdf">test</a>')).to eq('<a href="/some/path%20test.pdf">test</a>')
    250. 

  250.         expect(sanitize('<a href="https://somehost.domain/path%20test.pdf">test</a>')).to eq('<a href="https://somehost.domain/path%20test.pdf" rel="nofollow noreferrer noopener" target="_blank" title="https://somehost.domain/path%20test.pdf">test</a>')
    251. 

  251.         expect(sanitize('<a href="https://somehost.domain/zaihan%20test">test</a>')).to eq('<a href="https://somehost.domain/zaihan%20test" rel="nofollow noreferrer noopener" target="_blank" title="https://somehost.domain/zaihan%20test">test</a>')
    252. 

  252.         expect(sanitize("<a href=\"#{attachment_url_evil}\">Evil link</a>")).to eq("<a href=\"#{attachment_url_good}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url_good}\">Evil link</a>")
    253. 

  253.         expect(sanitize("<a href=\"#{attachment_url_good}\">Good link</a>")).to eq("<a href=\"#{attachment_url_good}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url_good}\">Good link</a>")
    254. 

  254.         expect(sanitize("<a href=\"#{attachment_url}\">No disposition</a>")).to eq("<a href=\"#{attachment_url}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url}\">No disposition</a>")
    255. 

  255.         expect(sanitize("<a href=\"#{different_fqdn_url}\">Different FQDN</a>")).to eq("<a href=\"#{different_fqdn_url}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{different_fqdn_url}\">Different FQDN</a>")
    256. 

  256.         expect(sanitize("<a href=\"#{attachment_url_evil_other}\">Evil link</a>")).to eq("<a href=\"#{attachment_url_good}\" rel=\"nofollow noreferrer noopener\" target=\"_blank\" title=\"#{attachment_url_good}\">Evil link</a>")
    257. 

  257.       end
    258. 

  258.     end
    259. 

  259.   end
    260. 

  260. end
    261.