Summary: Fixes T3252 When links were clicked with malformed, relative, or malicious href links we'd perform default behavior instead of catching them. If you have href="www.foo.bar" the browser by default thinks it's a relative link. In our case it would prepend the full default base URI, which is file://path/to/edgehill. This would at best fail to do anything and at worst open an arbitrary local file. We now blacklist `file:` and check for the existence of a valid RFC 3986 scheme on the URI. Test Plan: manual Reviewers: bengotow Reviewed By: bengotow Maniphest Tasks: T3252 Differential Revision: https://phab.nylas.com/D1888
React = require "react/addons"
ReactTestUtils = React.addons.TestUtils
EventedIFrame = require '../../src/components/evented-iframe'
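# Spec for EventedIFrame's click handling of <a href> inside the message
# iframe (T3252). The handler is expected to: hand well-formed absolute
# links to atom.windowEventHandler.openLink, rewrite relative and
# protocol-relative hrefs to an explicit scheme, and refuse `file:` hrefs
# so a click can never open a local file via the app's file:// base URI.
describe 'EventedIFrame', ->
  describe 'link clicking behavior', ->

    beforeEach ->
      @frame = ReactTestUtils.renderIntoDocument(
        <EventedIFrame src="about:blank" />
      )

      # These spies are shared by every href in a test's loop and are never
      # reset between iterations, so the assertions below count calls
      # (`calls.length`) instead of a bare toHaveBeenCalled(), which would
      # already be satisfied by the first href alone.
      @setAttributeSpy = jasmine.createSpy('setAttribute')
      @preventDefaultSpy = jasmine.createSpy('preventDefault')
      @openLinkSpy = jasmine.createSpy("openLink")

      # Intercept the window-level link opener so no real navigation or
      # external handler runs during the spec; restored in afterEach.
      @oldOpenLink = atom.windowEventHandler.openLink
      atom.windowEventHandler.openLink = @openLinkSpy

      # Minimal stand-in for a click event on an anchor carrying `href`.
      # NOTE: getAttribute returns `href` for any attribute name asked for.
      @fakeEvent = (href) =>
        stopPropagation: ->
        preventDefault: @preventDefaultSpy
        target:
          getAttribute: (attr) -> return href
          setAttribute: @setAttributeSpy

    afterEach ->
      atom.windowEventHandler.openLink = @oldOpenLink

    it 'works for acceptable link types', ->
      # Any href with a syntactically valid RFC 3986 scheme is passed through
      # untouched (note `custom:` is accepted, so this is a scheme-syntax
      # check, not an allow-list).
      # NOTE(review): because every valid scheme passes, hrefs such as
      # javascript: would also reach openLink — confirm openLink handles
      # them safely rather than relying on this handler.
      hrefs = [
        "http://nylas.com"
        "https://www.nylas.com"
        "mailto:evan@nylas.com"
        "tel:8585311718"
        "custom:www.nylas.com"
      ]
      for href, i in hrefs
        @frame._onIFrameClick(@fakeEvent(href))
        # Acceptable hrefs are never rewritten.
        expect(@setAttributeSpy).not.toHaveBeenCalled()
        # Exactly one openLink call per href, so calls[i] belongs to this href.
        expect(@openLinkSpy.calls.length).toBe(i + 1)
        target = @openLinkSpy.calls[i].args[0].target
        expect(target.getAttribute('href')).toBe href

    it 'corrects relative uris', ->
      # "www.nylas.com" is the T3252 case: without a scheme the browser treats
      # it as relative and would resolve it against the app's file:// base
      # URI. The handler must rewrite it to an explicit http:// URL instead.
      hrefs = [
        "nylas.com"
        "www.nylas.com"
      ]
      for href, i in hrefs
        @frame._onIFrameClick(@fakeEvent(href))
        # One rewrite per href, so calls[i] is the rewrite for this href.
        expect(@setAttributeSpy.calls.length).toBe(i + 1)
        modifiedHref = @setAttributeSpy.calls[i].args[1]
        expect(modifiedHref).toBe "http://#{href}"

    it 'corrects protocol-relative uris', ->
      # "//host" would inherit the iframe's scheme (file: here); the handler
      # pins it to https: instead.
      hrefs = [
        "//nylas.com"
        "//www.nylas.com"
      ]
      for href, i in hrefs
        @frame._onIFrameClick(@fakeEvent(href))
        expect(@setAttributeSpy.calls.length).toBe(i + 1)
        modifiedHref = @setAttributeSpy.calls[i].args[1]
        expect(modifiedHref).toBe "https:#{href}"

    it 'disallows malicious uris', ->
      # A `file:` href must be blocked (default action suppressed) and must
      # never reach openLink, whatever form the path takes.
      # NOTE(review): RFC 3986 §3.1 makes schemes case-insensitive; a
      # "FILE://" variant should be added here once the handler's blacklist
      # is confirmed to compare case-insensitively.
      hrefs = [
        "file://usr/bin/bad"
        "file:///etc/passwd"
      ]
      for href in hrefs
        callsBefore = @preventDefaultSpy.calls.length
        @frame._onIFrameClick(@fakeEvent(href))
        # Default navigation must be suppressed for this href specifically,
        # not just for an earlier one in the loop.
        expect(@preventDefaultSpy.calls.length).toBeGreaterThan(callsBefore)
        # Cumulative across the loop: no blocked href may ever open a link.
        expect(@openLinkSpy).not.toHaveBeenCalled()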