add tests for validate_redirect_url
briancappello committed May 27, 2021
1 parent 2bfeedf commit 71e36b2
Showing 3 changed files with 20 additions and 3 deletions.
2 changes: 1 addition & 1 deletion flask_unchained/bundles/controller/utils.py
Expand Up @@ -185,7 +185,7 @@ def method_name_to_url(method_name) -> str:

def encode_non_url_reserved_characters(url):
# safe url reserved characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
return urlquote(url, safe=":/?#[]@!$&'()*+,;=")
return urlquote(url, safe=":/?#[]@!$&'()*+,;=<>")


# modified from flask_security.utils.get_post_action_redirect
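Review bot: The comment on the line above still cites RFC 3986 §2.2 as the source of the `safe` set, but `<` and `>` are not in that reserved set — RFC 3986 does not allow them unencoded anywhere in a URI (RFC 2396 §2.4.3 listed them under "delims"), so after this change `encode_non_url_reserved_characters` can return strings that are not valid URIs and that carry raw angle brackets into whatever consumes them (a Location header, a template). If that is intended, record it next to the existing comment: `# '<' and '>' are NOT RFC 3986 reserved; left unencoded deliberately because <reason> — any HTML/header sink must still escape them`. If it is not intended, the safe set should stay at the RFC 3986 gen-delims/sub-delims and the one caller that needs `<>` should handle it locally. I am reading the second `urlquote` line as the new side, following the page's old-then-new print order; the function itself is complete within the hunk, but the definition that starts at the `# modified from flask_security` comment continues outside it.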
1 change: 1 addition & 0 deletions requirements.txt
Expand Up @@ -18,6 +18,7 @@ flask_migrate==2.7.0
flask-oauthlib==0.9.5
flask-principal==0.4.0
flask-session==0.3.2
flask-sqlalchemy==2.5.1
flask-sqlalchemy-unchained==0.7.4
flask_wtf==0.14.3
graphene==2.1.8
20 changes: 18 additions & 2 deletions tests/bundles/controller/test_utils.py
Expand Up @@ -190,24 +190,40 @@ class TestValidateRedirectUrl:
def test_it_fails_on_garbage(self):
assert _validate_redirect_url(None) is False
assert _validate_redirect_url(' ') is False
assert _validate_redirect_url('///evil.com') is False
assert _validate_redirect_url('\\\\\\evil.com') is False
assert _validate_redirect_url('\x00evil.com') is False

def test_it_fails_with_invalid_netloc(self, app, monkeypatch):
with app.test_request_context():
monkeypatch.setattr('flask.request.host_url', 'http://example.com')
assert _validate_redirect_url('http://fail.com') is False
monkeypatch.undo()

@pytest.mark.options(EXTERNAL_SERVER_NAME='works.com')
def test_it_requires_same_scheme(self, app, monkeypatch):
with app.test_request_context():
monkeypatch.setattr('flask.request.host_url', 'https://example.com')
assert _validate_redirect_url('http://example.com/foo') is False
monkeypatch.undo()

@pytest.mark.options(EXTERNAL_SERVER_NAME='http://works.com')
def test_it_works_with_external_server_name(self, app, monkeypatch):
with app.test_request_context():
monkeypatch.setattr('flask.request.host_url', 'http://example.com')
assert _validate_redirect_url('http://works.com') is True
monkeypatch.undo()

@pytest.mark.options(EXTERNAL_SERVER_NAME='https://works.com')
def test_it_requires_same_external_server_name_scheme(self, app, monkeypatch):
with app.test_request_context():
monkeypatch.setattr('flask.request.host_url', 'http://example.com')
assert _validate_redirect_url('http://works.com') is False
monkeypatch.undo()

def test_it_works_with_explicit_external_host(self, app, monkeypatch):
with app.test_request_context():
monkeypatch.setattr('flask.request.host_url', 'http://example.com')
result = _validate_redirect_url('http://works.com',
_external_host='works.com')
_external_host='http://works.com')
assert result is True
monkeypatch.undo()
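Review bot: `test_it_fails_on_garbage` now covers the three-slash, three-backslash and leading-NUL prefixes but not the most common open-redirect bypasses, so a regression on those would go unnoticed: the protocol-relative `//evil.com`, the browser-normalised backslash form `/\evil.com`, the userinfo trick `http://example.com@evil.com`, and a control character embedded rather than leading (`/\tevil.com`). I would add `assert _validate_redirect_url('//evil.com') is False`, `assert _validate_redirect_url('/\\evil.com') is False` and `assert _validate_redirect_url('http://example.com@evil.com') is False`, the last under the `host_url` monkeypatch already used in `test_it_fails_with_invalid_netloc`. Whether `_validate_redirect_url` already rejects these is not visible on this page, which is exactly why the tests should pin it. The `EXTERNAL_SERVER_NAME='works.com'` decorator sitting on `test_it_requires_same_scheme` is either a leftover of the old `test_it_works_with_external_server_name` or an option that test about `host_url` scheme does not need — I cannot tell which side of the diff it belongs to from the rendering, but the final file should not carry a scheme-less value that the other new tests show is no longer the accepted form. `TestValidateRedirectUrl` starts above the hunk and may continue below it.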
