Merge branch 'security-project-import-zoom-xss' into 'master'

Validate zoom links to start with https only See merge request gitlab-org/security/gitlab!1055

Merge branch 'security-project-import-zoom-xss' into 'master'
Validate zoom links to start with https only See merge request gitlab-org/security/gitlab!1055
db1314b8 · GitLab Release Tools Bot · 448c10dd · 53743ff3 · db1314b8 · db1314b8
Commit db1314b8 authored Dec 01, 2020 by GitLab Release Tools Bot
3 changed files
--- a/app/validators/zoom_url_validator.rb
+++ b/app/validators/zoom_url_validator.rb
@@ -5,8 +5,13 @@
 # Custom validator for zoom urls
 #
 class ZoomUrlValidator < ActiveModel::EachValidator
+  ALLOWED_SCHEMES = %w(https).freeze
  def validate_each(record, attribute, value)
-    return if Gitlab::ZoomLinkExtractor.new(value).links.size == 1
+    links_count = Gitlab::ZoomLinkExtractor.new(value).links.size
+    valid = Gitlab::UrlSanitizer.valid?(value, allowed_schemes: ALLOWED_SCHEMES)
+    return if links_count == 1 && valid
    record.errors.add(:url, 'must contain one valid Zoom URL')
  end

--- a/changelogs/unreleased/security-project-import-zoom-xss.yml
+++ b/changelogs/unreleased/security-project-import-zoom-xss.yml
+---
+title: Validate zoom links to start with https only
+merge_request: 1055
+author:
+type: security
--- a/spec/validators/zoom_url_validator_spec.rb
+++ b/spec/validators/zoom_url_validator_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe ZoomUrlValidator do
+  let(:zoom_meeting) { build(:zoom_meeting) }
+  describe 'validations' do
+    context 'when zoom link starts with https' do
+      it 'passes validation' do
+        zoom_meeting.url = 'https://zoom.us/j/123456789'
+        expect(zoom_meeting.valid?).to eq(true)
+        expect(zoom_meeting.errors).to be_empty
+      end
+    end
+    shared_examples 'zoom link does not start with https' do |url|
+      it 'fails validation' do
+        zoom_meeting.url = url
+        expect(zoom_meeting.valid?).to eq(false)
+        expect(zoom_meeting.errors).to be_present
+        expect(zoom_meeting.errors.first[1]).to eq 'must contain one valid Zoom URL'
+      end
+    end
+    context 'when zoom link does not start with https' do
+      include_examples 'zoom link does not start with https', 'http://zoom.us/j/123456789'
+      context 'when zoom link does not start with a scheme' do
+        include_examples 'zoom link does not start with https', 'testinghttp://zoom.us/j/123456789'
+      end
+    end
+  end
+end