From f83e7e1b6be6d2260d91ade8561cb1a17361b049 Mon Sep 17 00:00:00 2001
From: Chris Halbert
Date: Fri, 19 Jan 2024 20:58:05 -0500
Subject: [PATCH] Add light url validation and sanitization with tests.
Signed-off-by: Chris Halbert
---
 google/google.go | 13 ++++++++++---
 google/google_test.go | 41 ++++++++++++++++++++++++++++++++++-------
 2 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/google/google.go b/google/google.go
index 430ec2e..4a43271 100644
--- a/google/google.go
+++ b/google/google.go
@@ -10,9 +10,10 @@ import (
 "encoding/gob"
 "encoding/json"
 "fmt"
- "net/http"
+ "net/url"
 "os"
+ "strings"
 "github.com/gin-contrib/sessions"
 "github.com/gin-contrib/sessions/cookie"
@@ -116,8 +117,14 @@ func GetLoginURL(state string) string {
 return conf.AuthCodeURL(state)
 }
-func WithLoginURL(url string) {
- loginURL = url
+func WithLoginURL(s string) error {
+ s = strings.TrimSpace(s)
+ url, err := url.ParseRequestURI(s)
+ if err != nil {
+ return err
+ }
+ loginURL = url.String()
+ return nil
 }
 // Auth is the google authorization middleware. You can use them to protect a routergroup.
diff --git a/google/google_test.go b/google/google_test.go
index e9c2a90..16aecb1 100644
--- a/google/google_test.go
+++ b/google/google_test.go
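Review bot: In `WithLoginURL` (second hunk of google/google.go), `url.ParseRequestURI` only checks syntax, so a value with a non-HTTP scheme or with no host still parses and is stored in `loginURL`. Where `loginURL` is consumed is outside this hunk; if it ends up as a redirect target, the setter should pin what is acceptable, for example `if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" { return fmt.Errorf("login url %q: want absolute http(s) URL", s) }` after the parse, or an explicit allowance for same-site paths if those are intended. The local `url` also shadows the `net/url` package for the rest of the function; naming it `u` avoids that. Since the function is exported and now returns an error, a doc comment such as `// WithLoginURL sets the login URL after trimming and parsing it; loginURL is left unchanged on error.` would tell callers to check the result.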
@@ -19,11 +19,38 @@ func TestSetupFromString(t *testing.T) {
 }
 func TestWithLoginURL(t *testing.T) {
- t.Run("should assign the login url", func(t *testing.T) {
- loginURL = ""
- url := "http://fake.fake"
- WithLoginURL(url)
- assert.NotEmpty(t, url)
- assert.Equal(t, url, loginURL)
- })
+
+ var testCases = []struct {
+ description string
+ urlParm string
+ expectUrlLogin string
+ isErrNil bool
+ }{
+ {
+ description: "should assign a valid url without error",
+ urlParm: "http://fake.fake",
+ expectUrlLogin: "http://fake.fake",
+ isErrNil: true,
+ },
+ {
+ description: "should assign a sanitizable url without error",
+ urlParm: " http://fake.fake ",
+ expectUrlLogin: "http://fake.fake",
+ isErrNil: true,
+ },
+ {
+ description: "should not assign an invalid url without error",
+ urlParm: "not a parseable url",
+ expectUrlLogin: "",
+ isErrNil: false,
+ },
+ }
+ for _, testCase := range testCases {
+ t.Run(testCase.description, func(t *testing.T) {
+ loginURL = ""
+ err := WithLoginURL(testCase.urlParm)
+ assert.Equal(t, testCase.expectUrlLogin, loginURL)
+ assert.Equal(t, testCase.isErrNil, err == nil)
+ })
+ }
 }
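Review bot: The only rejecting row in the `TestWithLoginURL` table is `"not a parseable url"`, so the test does not pin what `WithLoginURL` does with inputs that parse but are not web URLs, such as a bare absolute path or a non-HTTP scheme. Adding a row for each of those, with whichever outcome is intended, would record the actual boundary of the validation. The third description, `should not assign an invalid url without error`, reads ambiguously; `should reject an unparseable url and leave loginURL empty` states what the two assertions check. The subtests also reset the package-level `loginURL` before each run but never restore it afterwards; a `t.Cleanup(func() { loginURL = "" })` in the subtest would keep later tests in the package independent of this one.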