Merge pull request #2 from mastodon/main

Don't allow URLs that contain non-normalized paths to be verified (#2…
Corpi-42 · Nov 20, 2022 · 4f3b39d · 4f3b39d
2 parents f29422e + 69378ea
commit 4f3b39d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/app/models/account/field.rb b/app/models/account/field.rb
@@ -46,7 +46,8 @@ def verifiable?
       parsed_url.user.nil? &&
       parsed_url.password.nil? &&
       parsed_url.host.present? &&
-      parsed_url.normalized_host == parsed_url.host
+      parsed_url.normalized_host == parsed_url.host &&
+      (parsed_url.path.empty? || parsed_url.path == parsed_url.normalized_path)
   rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
     false
   end

diff --git a/spec/models/account/field_spec.rb b/spec/models/account/field_spec.rb
@@ -67,7 +67,15 @@
       end
 
       context 'for an IDN URL' do
-        let(:value) { 'http://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+        let(:value) { 'https://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for a URL with a non-normalized path' do
+        let(:value) { 'https://github.com/octocatxxxxxxxx/../mastodon' }
 
         it 'returns false' do
           expect(subject.verifiable?).to be false