Do not normalize URL before fetching it (#26219)

2023-07-31 23:17:37 +02:00 · 2023-07-31 23:17:37 +02:00 · fd284311e7
commit fd284311e7
parent 51768de16e
3 changed files with 143 additions and 4 deletions
--- a/spec/controllers/concerns/signature_verification_spec.rb
+++ b/spec/controllers/concerns/signature_verification_spec.rb
@ -129,6 +129,37 @@ describe SignatureVerification do
      end
    end

+    context 'with non-normalized URL' do
+      before do
+        get :success
+
+        fake_request = Request.new(:get, 'http://test.host/subdir/../success')
+        fake_request.on_behalf_of(author)
+
+        request.headers.merge!(fake_request.headers)
+
+        allow(controller).to receive(:actor_refresh_key!).and_return(author)
+      end
+
+      describe '#build_signed_string' do
+        it 'includes the normalized request path' do
+          expect(controller.send(:build_signed_string)).to start_with "(request-target): get /success\n"
+        end
+      end
+
+      describe '#signed_request?' do
+        it 'returns true' do
+          expect(controller.signed_request?).to be true
+        end
+      end
+
+      describe '#signed_request_actor' do
+        it 'returns an account' do
+          expect(controller.signed_request_account).to eq author
+        end
+      end
+    end
+
    context 'with request with unparsable Date header' do
      before do
        get :success
@ -202,7 +233,7 @@ describe SignatureVerification do

        request.headers.merge!(fake_request.headers)

-        stub_request(:get, 'http://localhost:5000/actor#main-key').to_raise(Mastodon::HostValidationError)
+        stub_request(:get, 'http://localhost:5000/actor').to_raise(Mastodon::HostValidationError)
      end

      describe '#signed_request?' do