Accept protocol-agnostic URLs as valid

coyote-team · Apr 14, 2023 · c71036c · c71036c
1 parent 3ac6a8c
commit c71036c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/app/models/resource.rb b/app/models/resource.rb
@@ -328,11 +328,11 @@ def source_uri_is_valid_uri
     return unless source_uri.present?
     uri = URI.parse(source_uri)
 
-    errors.add(:source_uri, "is not a valid UI") if
-      uri.scheme.nil? ||
-      uri.host.nil? ||
-      uri.path.blank? ||
-      ['http', 'https'].exclude?(uri.scheme)
+    errors.add(:source_uri, "is not a valid URI") if
+      (uri.scheme.nil? && uri.host.nil?) ||
+      uri.host.present? && !/[^.\\]+/.match?(uri.host) ||
+      uri.path.empty? ||
+      uri.scheme.present? && ['http', 'https'].exclude?(uri.scheme)
   end
 
   def check_canonical_id?

diff --git a/spec/models/resource_spec.rb b/spec/models/resource_spec.rb
@@ -76,11 +76,15 @@ def with_uri(uri)
     specify do
       expect(with_uri("../foo.jpg")).not_to be_valid
       expect(with_uri("//foo.jpg")).not_to be_valid
+      expect(with_uri("//../foo.jpg")).not_to be_valid
+      expect(with_uri("//../")).not_to be_valid
       expect(with_uri("javascript://foo.jpg")).not_to be_valid
       expect(with_uri("https://foo.jpg")).not_to be_valid
 
       expect(with_uri("http://example.org/foo.jpg")).to be_valid
+      expect(with_uri("http://example.org/images/misc/../foo.jpg")).to be_valid
       expect(with_uri("https://example.org/foo.jpg")).to be_valid
+      expect(with_uri("//example.org/foo.jpg")).to be_valid
     end
   end