Mm 16694 master validate urls (#1000)

* validate urls before deeplink or link click

* tests for isValidURL utility function

* review change - invert condition

* add validation for loaded files

bounds-info.json, app-state.json, config.json

* further validation and tweaks

certificate.json, permission.json

* add 2 more files for validation

* parse and validate deeplinks

- includes fix for windows deeplink when app is open

* disable auto-updater when in dev

* Squirrel is not used anymore

* fix validating allowedProtocols

* discard any args following a deeplink url

* tweaks

* update test

* support schemes with and without slashes

* stop after finding the first occurrence of a deep link

* test updates

* updates to run tests successfully

* port updates to validation from 4.2

* url validation updates

changed validation package to better support internal domains and punycode domains
Dean Whillier
2019-09-09 12:38:31 -04:00
committed by GitHub
parent f12f9da798
commit e12d47ea62
25 changed files with 585 additions and 171 deletions


@@ -8,6 +8,54 @@ import assert from 'assert';
import Utils from '../../../src/utils/util';
describe('Utils', () => {
describe('isValidURL', () => {
it('should be true for a valid web url', () => {
const testURL = 'https://developers.mattermost.com/';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a valid, non-https web url', () => {
const testURL = 'http://developers.mattermost.com/';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for an invalid, self-defined, top-level domain', () => {
const testURL = 'https://www.example.x';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a file download url', () => {
const testURL = 'https://community.mattermost.com/api/v4/files/ka3xbfmb3ffnmgdmww8otkidfw?download=1';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a permalink url', () => {
const testURL = 'https://community.mattermost.com/test-channel/pl/pdqowkij47rmbyk78m5hwc7r6r';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a valid, internal domain', () => {
const testURL = 'https://mattermost.company-internal';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a second, valid internal domain', () => {
const testURL = 'https://serverXY/mattermost';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a valid, non-https internal domain', () => {
const testURL = 'http://mattermost.local';
assert.equal(Utils.isValidURL(testURL), true);
});
it('should be true for a valid, non-https, ip address with port number', () => {
const testURL = 'http://localhost:8065';
assert.equal(Utils.isValidURL(testURL), true);
});
});
describe('isValidURI', () => {
it('should be true for a deeplink url', () => {
const testURL = 'mattermost://community-release.mattermost.com/core/channels/developers';
assert.equal(Utils.isValidURI(testURL), true);
});
it('should be false for a malicious url', () => {
const testURL = String.raw`mattermost:///" --data-dir "\\deans-mbp\mattermost`;
assert.equal(Utils.isValidURI(testURL), false);
});
});
describe('isInternalURL', () => {
it('should be false for different hosts', () => {
const currentURL = url.parse('http://localhost/team/channel1');