2022-07-05 01:32:10 +00:00
|
|
|
package utils
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/url"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestURLPathFullClean(t *testing.T) {
|
|
|
|
testCases := []struct {
|
|
|
|
name string
|
|
|
|
have string
|
|
|
|
expected string
|
|
|
|
}{
|
2022-07-18 04:59:13 +00:00
|
|
|
{"ShouldReturnFullPathSingleSlash", "https://example.com/", "/"},
|
|
|
|
{"ShouldReturnFullPathSingleSlashWithQuery", "https://example.com/?query=1&alt=2", "/?query=1&alt=2"},
|
2022-07-05 01:32:10 +00:00
|
|
|
{"ShouldReturnFullPathNormal", "https://example.com/test", "/test"},
|
2022-07-18 04:59:13 +00:00
|
|
|
{"ShouldReturnFullPathNormalWithSlashSuffix", "https://example.com/test/", "/test/"},
|
|
|
|
{"ShouldReturnFullPathNormalWithSlashSuffixAndQuery", "https://example.com/test/?query=1&alt=2", "/test/?query=1&alt=2"},
|
|
|
|
{"ShouldReturnFullPathWithQuery", "https://example.com/test?query=1&alt=2", "/test?query=1&alt=2"},
|
|
|
|
{"ShouldReturnCleanedPath", "https://example.com/five/../test?query=1&alt=2", "/test?query=1&alt=2"},
|
|
|
|
{"ShouldReturnCleanedPathEscaped", "https://example.com/five/..%2ftest?query=1&alt=2", "/test?query=1&alt=2"},
|
|
|
|
{"ShouldReturnCleanedPathEscapedExtra", "https://example.com/five/..%2ftest?query=1&alt=2", "/test?query=1&alt=2"},
|
|
|
|
{"ShouldReturnCleanedPathEscapedExtraSurrounding", "https://example.com/five/%2f..%2f/test?query=1&alt=2", "/test?query=1&alt=2"},
|
|
|
|
{"ShouldReturnCleanedPathEscapedPeriods", "https://example.com/five/%2f%2e%2e%2f/test?query=1&alt=2", "/test?query=1&alt=2"},
|
2022-07-05 01:32:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
|
|
u, err := url.Parse(tc.have)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
actual := URLPathFullClean(u)
|
|
|
|
|
|
|
|
assert.Equal(t, tc.expected, actual)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2022-08-07 11:13:56 +00:00
|
|
|
|
|
|
|
func isURLSafe(requestURI string, domain string) bool { //nolint:unparam
|
|
|
|
u, _ := url.ParseRequestURI(requestURI)
|
|
|
|
return URLDomainHasSuffix(*u, domain)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsRedirectionSafe_ShouldReturnTrueOnExactDomain(t *testing.T) {
|
|
|
|
assert.True(t, isURLSafe("https://example.com", "example.com"))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsRedirectionSafe_ShouldReturnFalseOnBadScheme(t *testing.T) {
|
|
|
|
assert.False(t, isURLSafe("http://secure.example.com", "example.com"))
|
|
|
|
assert.False(t, isURLSafe("ftp://secure.example.com", "example.com"))
|
|
|
|
assert.True(t, isURLSafe("https://secure.example.com", "example.com"))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsRedirectionSafe_ShouldReturnFalseOnBadDomain(t *testing.T) {
|
|
|
|
assert.False(t, isURLSafe("https://secure.example.com.c", "example.com"))
|
|
|
|
assert.False(t, isURLSafe("https://secure.example.comc", "example.com"))
|
|
|
|
assert.False(t, isURLSafe("https://secure.example.co", "example.com"))
|
|
|
|
assert.False(t, isURLSafe("https://secure.notexample.com", "example.com"))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsRedirectionURISafe_CannotParseURI(t *testing.T) {
|
|
|
|
_, err := IsRedirectionURISafe("http//invalid", "example.com")
|
|
|
|
assert.EqualError(t, err, "failed to parse URI 'http//invalid': parse \"http//invalid\": invalid URI for request")
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsRedirectionURISafe_InvalidRedirectionURI(t *testing.T) {
|
|
|
|
valid, err := IsRedirectionURISafe("http://myurl.com/myresource", "example.com")
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.False(t, valid)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsRedirectionURISafe_ValidRedirectionURI(t *testing.T) {
|
|
|
|
valid, err := IsRedirectionURISafe("http://myurl.example.com/myresource", "example.com")
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.False(t, valid)
|
|
|
|
|
|
|
|
valid, err = IsRedirectionURISafe("http://example.com/myresource", "example.com")
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.False(t, valid)
|
|
|
|
}
|