2018-12-14 20:10:20 +01:00
|
|
|
import re
|
|
|
|
|
2021-10-20 03:08:44 +02:00
|
|
|
from django.core.exceptions import ValidationError
|
|
|
|
|
2016-02-13 19:17:15 +01:00
|
|
|
from zerver.lib.test_classes import ZulipTestCase
|
2021-10-20 03:08:44 +02:00
|
|
|
from zerver.models import RealmFilter, filter_format_validator
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2020-06-11 00:54:34 +02:00
|
|
|
|
2016-02-13 19:17:15 +01:00
|
|
|
class RealmFilterTest(ZulipTestCase):
|
2017-11-05 10:51:25 +01:00
|
|
|
def test_list(self) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
self.login("iago")
|
2021-04-15 19:41:12 +02:00
|
|
|
data = {
|
|
|
|
"pattern": "#(?P<id>[123])",
|
|
|
|
"url_format_string": "https://realm.com/my_realm_filter/%(id)s",
|
|
|
|
}
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
|
|
|
|
2021-03-30 12:51:54 +02:00
|
|
|
result = self.client_get("/json/realm/linkifiers")
|
2016-02-13 19:17:15 +01:00
|
|
|
self.assert_json_success(result)
|
2021-04-15 19:41:12 +02:00
|
|
|
linkifiers = result.json()["linkifiers"]
|
2021-05-17 05:41:32 +02:00
|
|
|
self.assert_length(linkifiers, 1)
|
2021-04-15 19:41:12 +02:00
|
|
|
self.assertEqual(linkifiers[0]["pattern"], "#(?P<id>[123])")
|
|
|
|
self.assertEqual(linkifiers[0]["url_format"], "https://realm.com/my_realm_filter/%(id)s")
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2017-11-05 10:51:25 +01:00
|
|
|
def test_create(self) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
self.login("iago")
|
2016-02-13 19:17:15 +01:00
|
|
|
data = {"pattern": "", "url_format_string": "https://realm.com/my_realm_filter/%(id)s"}
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assert_json_error(result, "This field cannot be blank.")
|
2016-02-13 19:17:15 +01:00
|
|
|
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
data["pattern"] = "(foo"
|
2016-02-13 19:17:15 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
self.assert_json_error(result, "Bad regular expression: missing ): (foo")
|
2016-02-13 19:17:15 +01:00
|
|
|
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d????)"
|
2016-02-13 19:17:15 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
self.assert_json_error(result, "Bad regular expression: bad repetition operator: ????")
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d+)"
|
|
|
|
data["url_format_string"] = "$fgfg"
|
2016-02-13 19:17:15 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assert_json_error(result, "Enter a valid URL.")
|
2017-07-22 01:08:26 +02:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d+)"
|
|
|
|
data["url_format_string"] = "https://realm.com/my_realm_filter/"
|
2017-07-22 01:08:26 +02:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
2021-10-20 03:08:44 +02:00
|
|
|
self.assert_json_error(
|
|
|
|
result, "Group 'id' in linkifier pattern is not present in URL format string."
|
|
|
|
)
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["url_format_string"] = "https://realm.com/my_realm_filter/#hashtag/%(id)s"
|
2016-02-13 19:17:15 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "ZUL-15"))
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"ZUL2-(?P<id>\d+)"
|
|
|
|
data["url_format_string"] = "https://realm.com/my_realm_filter/?value=%(id)s"
|
2017-03-26 01:13:34 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "ZUL2-15"))
|
2018-12-14 20:10:20 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"_code=(?P<id>[0-9a-zA-Z]+)"
|
|
|
|
data["url_format_string"] = "https://example.com/product/%(id)s/details"
|
2018-12-14 20:10:20 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "_code=123abcdZ"))
|
2018-12-14 20:10:20 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"PR (?P<id>[0-9]+)"
|
2021-02-12 08:19:30 +01:00
|
|
|
data[
|
2021-02-12 08:20:45 +01:00
|
|
|
"url_format_string"
|
|
|
|
] = "https://example.com/~user/web#view_type=type&model=model&action=12345&id=%(id)s"
|
2018-12-14 20:10:20 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "PR 123"))
|
2018-12-14 20:10:20 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"lp/(?P<id>[0-9]+)"
|
|
|
|
data["url_format_string"] = "https://realm.com/my_realm_filter/?value=%(id)s&sort=reverse"
|
2018-12-14 20:10:20 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "lp/123"))
|
2018-12-14 20:10:20 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"lp:(?P<id>[0-9]+)"
|
|
|
|
data["url_format_string"] = "https://realm.com/my_realm_filter/?sort=reverse&value=%(id)s"
|
2018-12-14 20:10:20 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "lp:123"))
|
2018-12-14 20:10:20 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"!(?P<id>[0-9]+)"
|
2021-02-12 08:19:30 +01:00
|
|
|
data[
|
2021-02-12 08:20:45 +01:00
|
|
|
"url_format_string"
|
|
|
|
] = "https://realm.com/index.pl?Action=AgentTicketZoom;TicketNumber=%(id)s"
|
2018-12-14 20:10:20 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "!123"))
|
2017-03-26 01:13:34 +01:00
|
|
|
|
2021-06-07 11:38:57 +02:00
|
|
|
# This block of tests is for mismatches between field sets
|
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d+)"
|
|
|
|
data["url_format_string"] = r"https://realm.com/my_realm_filter/%(hello)s"
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_error(
|
|
|
|
result, "Group 'hello' in URL format string is not present in linkifier pattern."
|
|
|
|
)
|
|
|
|
|
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d+)-(?P<hello>\d+)"
|
|
|
|
data["url_format_string"] = r"https://realm.com/my_realm_filter/%(hello)s"
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_error(
|
|
|
|
result, "Group 'id' in linkifier pattern is not present in URL format string."
|
|
|
|
)
|
|
|
|
|
|
|
|
data["pattern"] = r"ZULZ-(?P<hello>\d+)-(?P<world>\d+)"
|
|
|
|
data["url_format_string"] = r"https://realm.com/my_realm_filter/%(hello)s/%(world)s"
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
|
|
|
|
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d+)-(?P<hello>\d+)-(?P<world>\d+)"
|
|
|
|
data["url_format_string"] = r"https://realm.com/my_realm_filter/%(hello)s"
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_error(
|
|
|
|
result, "Group 'id' in linkifier pattern is not present in URL format string."
|
|
|
|
)
|
|
|
|
|
2021-10-20 03:08:44 +02:00
|
|
|
data["pattern"] = r"ZUL-ESCAPE-(?P<id>\d+)"
|
2021-06-07 11:38:57 +02:00
|
|
|
data["url_format_string"] = r"https://realm.com/my_realm_filter/%%(ignored)s/%(id)s"
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
2021-10-20 03:08:44 +02:00
|
|
|
self.assert_json_success(result)
|
2021-06-07 11:38:57 +02:00
|
|
|
|
2021-10-20 04:57:53 +02:00
|
|
|
data["pattern"] = r"ZUL-URI-(?P<id>\d+)"
|
|
|
|
data["url_format_string"] = "https://example.com/%ba/%(id)s"
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
data["pattern"] = r"(?P<org>[a-zA-Z0-9_-]+)/(?P<repo>[a-zA-Z0-9_-]+)#(?P<id>[0-9]+)"
|
|
|
|
data["url_format_string"] = "https://github.com/%(org)s/%(repo)s/issue/%(id)s"
|
2018-11-21 04:34:28 +01:00
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
2018-12-17 21:12:52 +01:00
|
|
|
self.assert_json_success(result)
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "zulip/zulip#123"))
|
2018-11-21 04:34:28 +01:00
|
|
|
|
2017-11-05 10:51:25 +01:00
|
|
|
def test_not_realm_admin(self) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
self.login("hamlet")
|
2016-02-13 19:17:15 +01:00
|
|
|
result = self.client_post("/json/realm/filters")
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assert_json_error(result, "Must be an organization administrator")
|
2016-02-13 19:17:15 +01:00
|
|
|
result = self.client_delete("/json/realm/filters/15")
|
2021-02-12 08:20:45 +01:00
|
|
|
self.assert_json_error(result, "Must be an organization administrator")
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2017-11-05 10:51:25 +01:00
|
|
|
def test_delete(self) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
self.login("iago")
|
2021-04-15 19:41:12 +02:00
|
|
|
data = {
|
|
|
|
"pattern": "#(?P<id>[123])",
|
|
|
|
"url_format_string": "https://realm.com/my_realm_filter/%(id)s",
|
|
|
|
}
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
|
|
|
|
|
|
|
linkifier_id = result.json()["id"]
|
2021-03-30 12:15:39 +02:00
|
|
|
linkifiers_count = RealmFilter.objects.count()
|
|
|
|
result = self.client_delete(f"/json/realm/filters/{linkifier_id + 1}")
|
2021-04-14 04:21:49 +02:00
|
|
|
self.assert_json_error(result, "Linkifier not found.")
|
2016-02-13 19:17:15 +01:00
|
|
|
|
2021-03-30 12:15:39 +02:00
|
|
|
result = self.client_delete(f"/json/realm/filters/{linkifier_id}")
|
2016-02-13 19:17:15 +01:00
|
|
|
self.assert_json_success(result)
|
2021-03-30 12:15:39 +02:00
|
|
|
self.assertEqual(RealmFilter.objects.count(), linkifiers_count - 1)
|
2021-04-15 19:51:36 +02:00
|
|
|
|
|
|
|
def test_update(self) -> None:
|
|
|
|
self.login("iago")
|
|
|
|
data = {
|
|
|
|
"pattern": "#(?P<id>[123])",
|
|
|
|
"url_format_string": "https://realm.com/my_realm_filter/%(id)s",
|
|
|
|
}
|
|
|
|
result = self.client_post("/json/realm/filters", info=data)
|
|
|
|
self.assert_json_success(result)
|
|
|
|
|
|
|
|
linkifier_id = result.json()["id"]
|
|
|
|
data = {
|
|
|
|
"pattern": "#(?P<id>[0-9]+)",
|
|
|
|
"url_format_string": "https://realm.com/my_realm_filter/issues/%(id)s",
|
|
|
|
}
|
|
|
|
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
|
|
|
|
self.assert_json_success(result)
|
|
|
|
self.assertIsNotNone(re.match(data["pattern"], "#1234"))
|
|
|
|
|
|
|
|
# Verify that the linkifier is updated accordingly.
|
|
|
|
result = self.client_get("/json/realm/linkifiers")
|
|
|
|
self.assert_json_success(result)
|
|
|
|
linkifier = result.json()["linkifiers"]
|
2021-05-17 05:41:32 +02:00
|
|
|
self.assert_length(linkifier, 1)
|
2021-04-15 19:51:36 +02:00
|
|
|
self.assertEqual(linkifier[0]["pattern"], "#(?P<id>[0-9]+)")
|
|
|
|
self.assertEqual(
|
|
|
|
linkifier[0]["url_format"], "https://realm.com/my_realm_filter/issues/%(id)s"
|
|
|
|
)
|
|
|
|
|
|
|
|
data = {
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
"pattern": r"ZUL-(?P<id>\d????)",
|
2021-04-15 19:51:36 +02:00
|
|
|
"url_format_string": "https://realm.com/my_realm_filter/%(id)s",
|
|
|
|
}
|
|
|
|
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
|
CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar. The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.
Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed. As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.
Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.
A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.
The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
|
|
|
self.assert_json_error(result, "Bad regular expression: bad repetition operator: ????")
|
2021-04-15 19:51:36 +02:00
|
|
|
|
|
|
|
data["pattern"] = r"ZUL-(?P<id>\d+)"
|
|
|
|
data["url_format_string"] = "$fgfg"
|
|
|
|
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
|
|
|
|
self.assert_json_error(result, "Enter a valid URL.")
|
|
|
|
|
|
|
|
data["pattern"] = r"#(?P<id>[123])"
|
|
|
|
data["url_format_string"] = "https://realm.com/my_realm_filter/%(id)s"
|
|
|
|
result = self.client_patch(f"/json/realm/filters/{linkifier_id + 1}", info=data)
|
|
|
|
self.assert_json_error(result, "Linkifier not found.")
|
2021-10-20 03:08:44 +02:00
|
|
|
|
|
|
|
def test_valid_urls(self) -> None:
|
|
|
|
valid_urls = [
|
2021-10-21 00:26:01 +02:00
|
|
|
"http://example.com/",
|
2021-10-20 03:08:44 +02:00
|
|
|
"https://example.com/",
|
|
|
|
"https://user:password@example.com/",
|
|
|
|
"https://example.com/@user/thing",
|
|
|
|
"https://example.com/!path",
|
|
|
|
"https://example.com/foo.bar",
|
|
|
|
"https://example.com/foo[bar]",
|
|
|
|
"https://example.com/%(foo)s",
|
|
|
|
"https://example.com/%(foo)s%(bars)s",
|
|
|
|
"https://example.com/%(foo)s/and/%(bar)s",
|
|
|
|
"https://example.com/?foo=%(foo)s",
|
2021-10-20 04:57:53 +02:00
|
|
|
"https://example.com/%ab",
|
|
|
|
"https://example.com/%ba",
|
|
|
|
"https://example.com/%21",
|
|
|
|
"https://example.com/words%20with%20spaces",
|
|
|
|
"https://example.com/back%20to%20%(back)s",
|
|
|
|
"https://example.com/encoded%2fwith%2fletters",
|
|
|
|
"https://example.com/encoded%2Fwith%2Fupper%2Fcase%2Fletters",
|
2021-10-20 03:08:44 +02:00
|
|
|
"https://example.com/%%",
|
|
|
|
"https://example.com/%%(",
|
|
|
|
"https://example.com/%%()",
|
|
|
|
"https://example.com/%%(foo",
|
|
|
|
"https://example.com/%%(foo)",
|
|
|
|
"https://example.com/%%(foo)s",
|
|
|
|
]
|
|
|
|
for url in valid_urls:
|
|
|
|
filter_format_validator(url)
|
|
|
|
|
|
|
|
invalid_urls = [
|
2021-10-21 00:26:01 +02:00
|
|
|
"file:///etc/passwd",
|
|
|
|
"data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==",
|
2021-10-20 03:08:44 +02:00
|
|
|
"https://example.com/%(foo)",
|
|
|
|
"https://example.com/%()s",
|
|
|
|
"https://example.com/%4!",
|
|
|
|
"https://example.com/%(foo",
|
|
|
|
"https://example.com/%2(foo)s",
|
|
|
|
]
|
|
|
|
for url in invalid_urls:
|
|
|
|
with self.assertRaises(ValidationError):
|
|
|
|
filter_format_validator(url)
|