authelia/internal/utils/url_test.go

84 lines
3.3 KiB
Go
Raw Normal View History

package utils
import (
"net/url"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestURLPathFullClean(t *testing.T) {
testCases := []struct {
name string
have string
expected string
}{
{"ShouldReturnFullPathSingleSlash", "https://example.com/", "/"},
{"ShouldReturnFullPathSingleSlashWithQuery", "https://example.com/?query=1&alt=2", "/?query=1&alt=2"},
{"ShouldReturnFullPathNormal", "https://example.com/test", "/test"},
{"ShouldReturnFullPathNormalWithSlashSuffix", "https://example.com/test/", "/test/"},
{"ShouldReturnFullPathNormalWithSlashSuffixAndQuery", "https://example.com/test/?query=1&alt=2", "/test/?query=1&alt=2"},
{"ShouldReturnFullPathWithQuery", "https://example.com/test?query=1&alt=2", "/test?query=1&alt=2"},
{"ShouldReturnCleanedPath", "https://example.com/five/../test?query=1&alt=2", "/test?query=1&alt=2"},
{"ShouldReturnCleanedPathEscaped", "https://example.com/five/..%2ftest?query=1&alt=2", "/test?query=1&alt=2"},
{"ShouldReturnCleanedPathEscapedExtra", "https://example.com/five/..%2ftest?query=1&alt=2", "/test?query=1&alt=2"},
{"ShouldReturnCleanedPathEscapedExtraSurrounding", "https://example.com/five/%2f..%2f/test?query=1&alt=2", "/test?query=1&alt=2"},
{"ShouldReturnCleanedPathEscapedPeriods", "https://example.com/five/%2f%2e%2e%2f/test?query=1&alt=2", "/test?query=1&alt=2"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
u, err := url.Parse(tc.have)
require.NoError(t, err)
actual := URLPathFullClean(u)
assert.Equal(t, tc.expected, actual)
})
}
}
func isURLSafe(requestURI string, domain string) bool { //nolint:unparam
u, _ := url.ParseRequestURI(requestURI)
return URLDomainHasSuffix(*u, domain)
}
func TestIsRedirectionSafe_ShouldReturnTrueOnExactDomain(t *testing.T) {
assert.True(t, isURLSafe("https://example.com", "example.com"))
}
func TestIsRedirectionSafe_ShouldReturnFalseOnBadScheme(t *testing.T) {
assert.False(t, isURLSafe("http://secure.example.com", "example.com"))
assert.False(t, isURLSafe("ftp://secure.example.com", "example.com"))
assert.True(t, isURLSafe("https://secure.example.com", "example.com"))
}
func TestIsRedirectionSafe_ShouldReturnFalseOnBadDomain(t *testing.T) {
assert.False(t, isURLSafe("https://secure.example.com.c", "example.com"))
assert.False(t, isURLSafe("https://secure.example.comc", "example.com"))
assert.False(t, isURLSafe("https://secure.example.co", "example.com"))
assert.False(t, isURLSafe("https://secure.notexample.com", "example.com"))
}
func TestIsRedirectionURISafe_CannotParseURI(t *testing.T) {
_, err := IsRedirectionURISafe("http//invalid", "example.com")
assert.EqualError(t, err, "failed to parse URI 'http//invalid': parse \"http//invalid\": invalid URI for request")
}
func TestIsRedirectionURISafe_InvalidRedirectionURI(t *testing.T) {
valid, err := IsRedirectionURISafe("http://myurl.com/myresource", "example.com")
assert.NoError(t, err)
assert.False(t, valid)
}
func TestIsRedirectionURISafe_ValidRedirectionURI(t *testing.T) {
valid, err := IsRedirectionURISafe("http://myurl.example.com/myresource", "example.com")
assert.NoError(t, err)
assert.False(t, valid)
valid, err = IsRedirectionURISafe("http://example.com/myresource", "example.com")
assert.NoError(t, err)
assert.False(t, valid)
}