reproduce report of CWE-918 from #1677

umputun · Oct 10, 2023 · 10e4686 · 10e4686
1 parent eba4473
commit 10e4686
Showing 1 changed file with 47 additions and 0 deletions.
diff --git a/backend/app/rest/api/rest_public_test.go b/backend/app/rest/api/rest_public_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/http/httptest"
 	"os"
 	"strings"
 	"testing"
@@ -477,6 +478,52 @@ func TestRest_FindUserComments(t *testing.T) {
 	}
 }
 
+func TestRest_FindUserComments_CWE_918(t *testing.T) {
+	ts, srv, teardown := startupT(t)
+	srv.DataService.TitleExtractor = service.NewTitleExtractor(http.Client{Timeout: time.Second}) // required for extracting the title, bad URL test
+	defer srv.DataService.TitleExtractor.Close()
+	defer teardown()
+
+	backendRequestedArbitraryServer := false
+	arbitraryServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Logf("request received: %+v", r)
+		backendRequestedArbitraryServer = true
+	}))
+	defer arbitraryServer.Close()
+
+	arbitraryURLComment := store.Comment{Text: "arbitrary URL request test",
+		Locator: store.Locator{SiteID: "remark42", URL: arbitraryServer.URL}}
+	aHrefTitleComment := store.Comment{Text: "a href title test", PostTitle: "<a href=\"https://example.com\">test</a>",
+		Locator: store.Locator{SiteID: "remark42", URL: "https://radio-t.com/blah1"}}
+	urlTitleComment := store.Comment{Text: "url title test", PostTitle: "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com",
+		Locator: store.Locator{SiteID: "remark42", URL: "https://radio-t.com/blah2"}}
+
+	assert.False(t, backendRequestedArbitraryServer)
+	addComment(t, arbitraryURLComment, ts)
+	assert.True(t, backendRequestedArbitraryServer)
+	addComment(t, aHrefTitleComment, ts)
+	addComment(t, urlTitleComment, ts)
+
+	res, code := get(t, ts.URL+"/api/v1/comments?site=remark42&user=provider1_dev")
+	assert.Equal(t, http.StatusOK, code)
+
+	resp := struct {
+		Comments []store.Comment
+		Count    int
+	}{}
+
+	err := json.Unmarshal([]byte(res), &resp)
+	assert.NoError(t, err)
+	require.Equal(t, 3, len(resp.Comments), "should have 2 comments")
+
+	assert.Equal(t, "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com", resp.Comments[0].PostTitle, "unsanitised post title")
+	assert.Equal(t, "https://radio-t.com/blah2", resp.Comments[0].Locator.URL)
+	assert.Equal(t, "&lt;a href=\"https://example.com\" rel=\"nofollow\"&gt;test&lt;/a&gt;", resp.Comments[1].PostTitle, "unsanitised post title")
+	assert.Equal(t, "https://radio-t.com/blah1", resp.Comments[1].Locator.URL)
+	assert.Equal(t, "", resp.Comments[2].PostTitle, "empty from the first post")
+	assert.Equal(t, arbitraryServer.URL, resp.Comments[2].Locator.URL, "arbitrary URL provided by the request")
+}
+
 func TestRest_UserInfo(t *testing.T) {
 	ts, _, teardown := startupT(t)
 	defer teardown()