b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
60 lines
1.8 KiB
TypeScript
60 lines
1.8 KiB
TypeScript
import { describe, it, expect } from "vitest";
|
|
|
|
import { sanitizeRedirectUrl } from "../../src/lib/url";
|
|
|
|
describe("sanitizeRedirectUrl", () => {
|
|
it("allows simple relative paths", () => {
|
|
expect(sanitizeRedirectUrl("/_emdash/admin")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("allows deep relative paths", () => {
|
|
expect(sanitizeRedirectUrl("/_emdash/admin/content/posts")).toBe(
|
|
"/_emdash/admin/content/posts",
|
|
);
|
|
});
|
|
|
|
it("allows root path", () => {
|
|
expect(sanitizeRedirectUrl("/")).toBe("/");
|
|
});
|
|
|
|
it("allows paths with query strings", () => {
|
|
expect(sanitizeRedirectUrl("/_emdash/admin?tab=settings")).toBe("/_emdash/admin?tab=settings");
|
|
});
|
|
|
|
it("allows paths with hash fragments", () => {
|
|
expect(sanitizeRedirectUrl("/_emdash/admin#section")).toBe("/_emdash/admin#section");
|
|
});
|
|
|
|
it("rejects absolute http URLs (open redirect)", () => {
|
|
expect(sanitizeRedirectUrl("https://evil.com/phishing")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects absolute http URLs without TLS", () => {
|
|
expect(sanitizeRedirectUrl("http://evil.com")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects protocol-relative URLs (//evil.com)", () => {
|
|
expect(sanitizeRedirectUrl("//evil.com/phishing")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects javascript: scheme (DOM XSS)", () => {
|
|
expect(sanitizeRedirectUrl("javascript:alert(document.cookie)")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects data: scheme", () => {
|
|
expect(sanitizeRedirectUrl("data:text/html,<script>alert(1)</script>")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects backslash trick (/\\evil.com)", () => {
|
|
expect(sanitizeRedirectUrl("/\\evil.com")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects empty string", () => {
|
|
expect(sanitizeRedirectUrl("")).toBe("/_emdash/admin");
|
|
});
|
|
|
|
it("rejects bare domain", () => {
|
|
expect(sanitizeRedirectUrl("evil.com")).toBe("/_emdash/admin");
|
|
});
|
|
});
|