Implement unit tests for the isSameOrigin and createValidAbsoluteUrl utility functions

Moreover, mark the `isValidProtocol` function as private since it's only
used in the utilities file and is not (meant to be) exported.
This commit is contained in:
Tim van der Meij 2018-09-11 15:16:07 +02:00
parent a789368b7a
commit 99de25d6cc
No known key found for this signature in database
GPG Key ID: 8C3FD2925A5F2762
2 changed files with 68 additions and 6 deletions

View File

@ -332,7 +332,7 @@ function isSameOrigin(baseUrl, otherUrl) {
} }
// Checks if URLs use one of the whitelisted protocols, e.g. to avoid XSS. // Checks if URLs use one of the whitelisted protocols, e.g. to avoid XSS.
function isValidProtocol(url) { function _isValidProtocol(url) {
if (!url) { if (!url) {
return false; return false;
} }
@ -349,7 +349,8 @@ function isValidProtocol(url) {
} }
/** /**
* Attempts to create a valid absolute URL (utilizing `isValidProtocol`). * Attempts to create a valid absolute URL.
*
* @param {URL|string} url - An absolute, or relative, URL. * @param {URL|string} url - An absolute, or relative, URL.
* @param {URL|string} baseUrl - An absolute URL. * @param {URL|string} baseUrl - An absolute URL.
* @returns Either a valid {URL}, or `null` otherwise. * @returns Either a valid {URL}, or `null` otherwise.
@ -360,7 +361,7 @@ function createValidAbsoluteUrl(url, baseUrl) {
} }
try { try {
var absoluteUrl = baseUrl ? new URL(url, baseUrl) : new URL(url); var absoluteUrl = baseUrl ? new URL(url, baseUrl) : new URL(url);
if (isValidProtocol(absoluteUrl)) { if (_isValidProtocol(absoluteUrl)) {
return absoluteUrl; return absoluteUrl;
} }
} catch (ex) { /* `new URL()` will throw on incorrect data. */ } } catch (ex) { /* `new URL()` will throw on incorrect data. */ }

View File

@ -14,9 +14,9 @@
*/ */
import { import {
bytesToString, getInheritableProperty, isArrayBuffer, isBool, isEmptyObj, bytesToString, createValidAbsoluteUrl, getInheritableProperty, isArrayBuffer,
isNum, isSpace, isString, log2, ReadableStream, removeNullCharacters, isBool, isEmptyObj, isNum, isSameOrigin, isSpace, isString, log2,
stringToBytes, stringToPDFString, URL ReadableStream, removeNullCharacters, stringToBytes, stringToPDFString, URL
} from '../../src/shared/util'; } from '../../src/shared/util';
import { Dict, Ref } from '../../src/core/primitives'; import { Dict, Ref } from '../../src/core/primitives';
import { XRefMock } from './test_utils'; import { XRefMock } from './test_utils';
@ -323,4 +323,65 @@ describe('util', function() {
expect(typeof url.href).toEqual('string'); expect(typeof url.href).toEqual('string');
}); });
}); });
describe('isSameOrigin', function() {
it('handles invalid base URLs', function() {
// The base URL is not valid.
expect(isSameOrigin('/foo', '/bar')).toEqual(false);
// The base URL has no origin.
expect(isSameOrigin('blob:foo', '/bar')).toEqual(false);
});
it('correctly checks if the origin of both URLs matches', function() {
expect(isSameOrigin('https://www.mozilla.org/foo',
'https://www.mozilla.org/bar')).toEqual(true);
expect(isSameOrigin('https://www.mozilla.org/foo',
'https://www.example.com/bar')).toEqual(false);
});
});
describe('createValidAbsoluteUrl', function() {
it('handles invalid URLs', function() {
expect(createValidAbsoluteUrl(undefined, undefined)).toEqual(null);
expect(createValidAbsoluteUrl(null, null)).toEqual(null);
expect(createValidAbsoluteUrl('/foo', '/bar')).toEqual(null);
});
it('handles URLs that do not use a whitelisted protocol', function() {
expect(createValidAbsoluteUrl('magnet:?foo', null)).toEqual(null);
});
it('correctly creates a valid URL for whitelisted protocols', function() {
// `http` protocol
expect(createValidAbsoluteUrl('http://www.mozilla.org/foo', null))
.toEqual(new URL('http://www.mozilla.org/foo'));
expect(createValidAbsoluteUrl('/foo', 'http://www.mozilla.org'))
.toEqual(new URL('http://www.mozilla.org/foo'));
// `https` protocol
expect(createValidAbsoluteUrl('https://www.mozilla.org/foo', null))
.toEqual(new URL('https://www.mozilla.org/foo'));
expect(createValidAbsoluteUrl('/foo', 'https://www.mozilla.org'))
.toEqual(new URL('https://www.mozilla.org/foo'));
// `ftp` protocol
expect(createValidAbsoluteUrl('ftp://www.mozilla.org/foo', null))
.toEqual(new URL('ftp://www.mozilla.org/foo'));
expect(createValidAbsoluteUrl('/foo', 'ftp://www.mozilla.org'))
.toEqual(new URL('ftp://www.mozilla.org/foo'));
// `mailto` protocol (base URLs have no meaning and should yield `null`)
expect(createValidAbsoluteUrl('mailto:foo@bar.baz', null))
.toEqual(new URL('mailto:foo@bar.baz'));
expect(createValidAbsoluteUrl('/foo', 'mailto:foo@bar.baz'))
.toEqual(null);
// `tel` protocol (base URLs have no meaning and should yield `null`)
expect(createValidAbsoluteUrl('tel:+0123456789', null))
.toEqual(new URL('tel:+0123456789'));
expect(createValidAbsoluteUrl('/foo', 'tel:0123456789'))
.toEqual(null);
});
});
}); });