diff --git a/backend/app/rest/api/rest_public_test.go b/backend/app/rest/api/rest_public_test.go index 1faa00ec21..8a0c0da45a 100644 --- a/backend/app/rest/api/rest_public_test.go +++ b/backend/app/rest/api/rest_public_test.go @@ -5,6 +5,7 @@ import ( "fmt" "io" "net/http" + "net/http/httptest" "os" "strings" "testing" @@ -477,6 +478,52 @@ func TestRest_FindUserComments(t *testing.T) { } } +func TestRest_FindUserComments_CWE_918(t *testing.T) { + ts, srv, teardown := startupT(t) + srv.DataService.TitleExtractor = service.NewTitleExtractor(http.Client{Timeout: time.Second}) // required for extracting the title, bad URL test + defer srv.DataService.TitleExtractor.Close() + defer teardown() + + backendRequestedArbitraryServer := false + arbitraryServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + t.Logf("request received: %+v", r) + backendRequestedArbitraryServer = true + })) + defer arbitraryServer.Close() + + arbitraryURLComment := store.Comment{Text: "arbitrary URL request test", + Locator: store.Locator{SiteID: "remark42", URL: arbitraryServer.URL}} + aHrefTitleComment := store.Comment{Text: "a href title test", PostTitle: "test", + Locator: store.Locator{SiteID: "remark42", URL: "https://radio-t.com/blah1"}} + urlTitleComment := store.Comment{Text: "url title test", PostTitle: "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com", + Locator: store.Locator{SiteID: "remark42", URL: "https://radio-t.com/blah2"}} + + assert.False(t, backendRequestedArbitraryServer) + addComment(t, arbitraryURLComment, ts) + assert.True(t, backendRequestedArbitraryServer) + addComment(t, aHrefTitleComment, ts) + addComment(t, urlTitleComment, ts) + + res, code := get(t, ts.URL+"/api/v1/comments?site=remark42&user=provider1_dev") + assert.Equal(t, http.StatusOK, code) + + resp := struct { + Comments []store.Comment + Count int + }{} + + err := json.Unmarshal([]byte(res), &resp) + assert.NoError(t, err) + require.Equal(t, 3, len(resp.Comments), "should have 2 comments") + + assert.Equal(t, "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com", resp.Comments[0].PostTitle, "unsanitised post title") + assert.Equal(t, "https://radio-t.com/blah2", resp.Comments[0].Locator.URL) + assert.Equal(t, "<a href=\"https://example.com\" rel=\"nofollow\">test</a>", resp.Comments[1].PostTitle, "unsanitised post title") + assert.Equal(t, "https://radio-t.com/blah1", resp.Comments[1].Locator.URL) + assert.Equal(t, "", resp.Comments[2].PostTitle, "empty from the first post") + assert.Equal(t, arbitraryServer.URL, resp.Comments[2].Locator.URL, "arbitrary URL provided by the request") +} + func TestRest_UserInfo(t *testing.T) { ts, _, teardown := startupT(t) defer teardown()