GitHub Repository: gitpod-io/gitpod
Path: blob/main/components/dashboard/src/utils.test.ts
/**
* Copyright (c) 2022 Gitpod GmbH. All rights reserved.
* Licensed under the GNU Affero General Public License (AGPL).
* See License.AGPL.txt in the project root for license information.
*/
import { inResource, getURLHash, isTrustedUrlOrPath } from "./utils";
test("inResource", () => {
    // Each entry is [path, resources, expected] for inResource(path, resources).
    const cases: [string, string[], boolean][] = [
        // root path matches one of the resources
        ["/app", ["new", "app", "teams"], true],
        // nested path under a matching resource
        ["/app/testing", ["new", "app", "teams"], true],
        // no resources at all
        ["/just/a/path", [], false],
        // both sides carry a leading '/'
        ["/app", ["/app"], true],
        // both sides carry a trailing '/'
        ["app/", ["app/"], true],
        // resource itself contains subdirectories
        ["/admin/teams/someTeam/somePerson", ["/admin/teams"], true],
    ];

    for (const [path, resources, expected] of cases) {
        expect(inResource(path, resources)).toBe(expected);
    }
});
test("urlHash and isTrustedUrlOrPath", () => {
    // Replace window.location with a stub so getURLHash() and
    // isTrustedUrlOrPath() see a fixed hash and hostname instead of the
    // jsdom defaults.
    global.window = Object.create(window);
    Object.defineProperty(window, "location", {
        value: {
            hash: "#https://example.org/user/repo",
            hostname: "example.org",
        },
    });

    // The leading '#' of location.hash is expected to be dropped.
    expect(getURLHash()).toBe("https://example.org/user/repo");

    // As exercised below: absolute URLs are trusted only when the hostname
    // matches the current one, relative paths are trusted, and inputs with a
    // script-capable or other non-http(s) scheme are rejected.
    const cases: { location: string; trusted: boolean }[] = [
        { location: "https://example.org/user/repo", trusted: true },
        { location: "https://example.org/user", trusted: true },
        { location: "https://example2.org/user", trusted: false },
        { location: "/api/hello", trusted: true },
        { location: "/", trusted: true },
        // eslint-disable-next-line no-script-url
        { location: "javascript:alert(1)", trusted: false },
        // javascript: URL whose authority part matches the trusted hostname —
        // must still be rejected; a matching hostname alone is not enough.
        // eslint-disable-next-line no-script-url
        { location: "javascript://example.org/%250aalert(1)", trusted: false },
        // other non-http(s) schemes
        { location: "data:text/html,<script>alert(1)</script>", trusted: false },
        { location: "vbscript:alert(1)", trusted: false },
    ];
    // NOTE(review): scheme-relative inputs ("//host/path") and mixed-case
    // schemes are not covered by this table — confirm against the
    // implementation in ./utils.

    for (const { location, trusted } of cases) {
        expect(isTrustedUrlOrPath(location)).toBe(trusted);
    }
});