Unit test for #2535

2021-06-24 13:59:02 +02:00 · 2021-06-24 13:59:02 +02:00 · d287efb343
commit d287efb343
parent 3b8222ae8a
1 changed files with 24 additions and 1 deletions
--- a/lemonldap-ng-portal/t/66-CDA.t
+++ b/lemonldap-ng-portal/t/66-CDA.t
@ -24,7 +24,10 @@ my $client = LLNG::Manager::Test->new( {
 ok(
    $res = $client->_get(
        '/',
-        query  => 'url=aHR0cDovL3Rlc3QuZXhhbXBsZS5vcmcv',
+        query => buildForm( {
+                url => encodeUrl('http://test.example.org/'),
+            }
+        ),
        accept => 'text/html',
    ),
    'Unauth CDA request'
@ -44,10 +47,30 @@ ok(
    'Post credentials'
 );
 count(1);
+my $id = expectCookie($res);

 ($query) =
  expectRedirection( $res, qr#^http://test.example.org/\?(lemonldapcda=.*)$# );

+# Check URLs are correctly filtered
+ok(
+    $res = $client->_get(
+        '/',
+        query => buildForm( {
+                url => encodeUrl(
+'http://your-untrusted-domain.com/?attack=http://test.example.org/'
+                ),
+            }
+        ),
+        cookie => "lemonldap=$id",
+        accept => 'text/html',
+    ),
+    'Dangerous request'
+);
+count(1);
+
+expectPortalError( $res, 37, "Untrusted URL denied by portal" );
+
 # Handler part
 use_ok('Lemonldap::NG::Handler::Server');
 use_ok('Lemonldap::NG::Common::PSGI::Cli::Lib');