From d287efb3437303eca634ac73de131dec8d6ddaa7 Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Thu, 24 Jun 2021 13:59:02 +0200
Subject: [PATCH] Unit test for #2535
---
 lemonldap-ng-portal/t/66-CDA.t | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/lemonldap-ng-portal/t/66-CDA.t b/lemonldap-ng-portal/t/66-CDA.t
index bd23dec04..ac25e8430 100644
--- a/lemonldap-ng-portal/t/66-CDA.t
+++ b/lemonldap-ng-portal/t/66-CDA.t
@@ -24,7 +24,10 @@ my $client = LLNG::Manager::Test->new( {
 ok(
 $res = $client->_get(
 '/',
- query => 'url=aHR0cDovL3Rlc3QuZXhhbXBsZS5vcmcv',
+ query => buildForm( {
+ url => encodeUrl('http://test.example.org/'),
+ }
+ ),
 accept => 'text/html',
 ),
 'Unauth CDA request'
@@ -44,10 +47,30 @@ ok(
 'Post credentials'
 );
 count(1);
+my $id = expectCookie($res);
 ($query) = expectRedirection( $res,
 qr#^http://test.example.org/\?(lemonldapcda=.*)$# );
+# Check URLs are correctly filtered
+ok(
+ $res = $client->_get(
+ '/',
+ query => buildForm( {
+ url => encodeUrl(
+'http://your-untrusted-domain.com/?attack=http://test.example.org/'
+ ),
+ }
+ ),
+ cookie => "lemonldap=$id",
+ accept => 'text/html',
+ ),
+ 'Dangerous request'
+);
+count(1);
+
+expectPortalError( $res, 37, "Untrusted URL denied by portal" );
+
 # Handler part
 use_ok('Lemonldap::NG::Handler::Server');
 use_ok('Lemonldap::NG::Common::PSGI::Cli::Lib');
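Review bot: The expected error code in `expectPortalError( $res, 37, "Untrusted URL denied by portal" )` in the second hunk is a bare magic number; a trailing comment naming the portal error constant it corresponds to (or passing that constant, if the test helpers export it) would make the assertion self-explanatory and survive any future renumbering. The new denial case exercises a single shape of untrusted URL, one where the trusted host appears only inside the query string; driving this block from a small list of untrusted URL forms, with `count()` adjusted accordingly, would make the regression test for #2535 more robust against later changes to the URL-filtering rule. The `ok` description `'Dangerous request'` names the input rather than the expectation; `'Untrusted URL is rejected for an authenticated user'` reads closer to what the following `expectPortalError` asserts, and also records that the request deliberately carries the session cookie obtained via `expectCookie`.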