Mailspring/spec-nylas/components/evented-iframe-spec.cjsx
Evan Morikawa 06a1eb42b2 fix(iframe): catch relative and malformed uris
Summary:
Fixes T3252

When links were clicked with malformed, relative, or malicious href links
we'd perform default behavior instead of catching them.

If you have href="www.foo.bar" the browser by default thinks it's a
relative link. In our case it would prepend the full default base URI
which is file://path/to/edgehill. This would at best fail to do anything
and at worst execute an arbitrary file.

We now blacklist `file:` and check for the existence of a valid RFC 3986
schema on the URI.

Test Plan: manual

Reviewers: bengotow

Reviewed By: bengotow

Maniphest Tasks: T3252

Differential Revision: https://phab.nylas.com/D1888
2015-08-19 10:20:41 -07:00

75 lines
2.3 KiB
CoffeeScript

React = require "react/addons"
ReactTestUtils = React.addons.TestUtils
EventedIFrame = require '../../src/components/evented-iframe'
describe 'EventedIFrame', ->
describe 'link clicking behavior', ->
beforeEach ->
@frame = ReactTestUtils.renderIntoDocument(
<EventedIFrame src="about:blank" />
)
@setAttributeSpy = jasmine.createSpy('setAttribute')
@preventDefaultSpy = jasmine.createSpy('preventDefault')
@openLinkSpy = jasmine.createSpy("openLink")
@oldOpenLink = atom.windowEventHandler.openLink
atom.windowEventHandler.openLink = @openLinkSpy
@fakeEvent = (href) =>
stopPropagation: ->
preventDefault: @preventDefaultSpy
target:
getAttribute: (attr) -> return href
setAttribute: @setAttributeSpy
afterEach ->
atom.windowEventHandler.openLink = @oldOpenLink
it 'works for acceptable link types', ->
hrefs = [
"http://nylas.com"
"https://www.nylas.com"
"mailto:evan@nylas.com"
"tel:8585311718"
"custom:www.nylas.com"
]
for href, i in hrefs
@frame._onIFrameClick(@fakeEvent(href))
expect(@setAttributeSpy).not.toHaveBeenCalled()
expect(@openLinkSpy).toHaveBeenCalled()
target = @openLinkSpy.calls[i].args[0].target
expect(target.getAttribute('href')).toBe href
it 'corrects relative uris', ->
hrefs = [
"nylas.com"
"www.nylas.com"
]
for href, i in hrefs
@frame._onIFrameClick(@fakeEvent(href))
expect(@setAttributeSpy).toHaveBeenCalled()
modifiedHref = @setAttributeSpy.calls[i].args[1]
expect(modifiedHref).toBe "http://#{href}"
it 'corrects protocol-relative uris', ->
hrefs = [
"//nylas.com"
"//www.nylas.com"
]
for href, i in hrefs
@frame._onIFrameClick(@fakeEvent(href))
expect(@setAttributeSpy).toHaveBeenCalled()
modifiedHref = @setAttributeSpy.calls[i].args[1]
expect(modifiedHref).toBe "https:#{href}"
it 'disallows malicious uris', ->
hrefs = [
"file://usr/bin/bad"
]
for href in hrefs
@frame._onIFrameClick(@fakeEvent(href))
expect(@preventDefaultSpy).toHaveBeenCalled()
expect(@openLinkSpy).not.toHaveBeenCalled()