rename file and function to be backto specific

viamrobotics · Nov 14, 2024 · b751982 · b751982
1 parent 49b1ad4
commit b751982
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 69 deletions.
diff --git a/web/auth.go b/web/auth.go
@@ -528,7 +528,7 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	if r.FormValue("backto") != "" {
 		backto := r.FormValue("backto")
-		if IsLocalRedirectPath(backto) {
+		if IsValidBacktoURL(backto) {
 			session.Data["backto"] = backto
 		}
 	}

diff --git a/web/redirect_url.go → web/backto.go b/web/redirect_url.go → web/backto.go
@@ -15,13 +15,13 @@ func isWhitelisted(hostname string) bool {
 	return hostnameWhitelist[hostname]
 }
 
-// IsLocalRedirectPath returns true if the passed string is a secure URL to a whitelisted
+// IsValidBacktoURL returns true if the passed string is a secure URL to a whitelisted
 // hostname. The whitelisted hostnames are: "localhost", "viam.dev", and "viam.com".
 //
 //   - https://example.com -> false
 //   - http://viam.com/path/name -> false
 //   - https://viam.com/path/name -> true
-func IsLocalRedirectPath(path string) bool {
+func IsValidBacktoURL(path string) bool {
 	normalized := strings.ReplaceAll(path, "\\", "/")
 	url, err := url.ParseRequestURI(normalized)
 	if err != nil {

diff --git a/web/backto_test.go b/web/backto_test.go
@@ -0,0 +1,66 @@
+package web
+
+import (
+	"testing"
+
+	"go.viam.com/test"
+)
+
+func TestIsValidBacktoURL(t *testing.T) {
+	t.Run("rejects external URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("https://example.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("http://example.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("ftp://example.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("://example.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//example.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("example.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("www.example.com"), test.ShouldBeFalse)
+	})
+
+	t.Run("rejects invalid production URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("http://viam.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("ftp://viam.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("://viam.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//viam.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//viam.com/some/path"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("viam.com"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("viam.com/some/path"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("www.viam.com"), test.ShouldBeFalse)
+	})
+
+	t.Run("accepts valid production URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("https://viam.com"), test.ShouldBeTrue)
+		test.That(t, IsValidBacktoURL("https://viam.com/some/path"), test.ShouldBeTrue)
+	})
+
+	t.Run("rejects invalid staging URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("http://viam.dev"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("ftp://viam.dev"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("://viam.dev"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//viam.dev"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//viam.dev/some/path"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("viam.dev"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("viam.dev/some/path"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("www.viam.dev"), test.ShouldBeFalse)
+	})
+
+	t.Run("accepts valid staging URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("https://viam.dev"), test.ShouldBeTrue)
+		test.That(t, IsValidBacktoURL("https://viam.dev/some/path"), test.ShouldBeTrue)
+	})
+
+	t.Run("rejects invalid local URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("http://localhost"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("ftp://localhost"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("://localhost"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//localhost"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("//localhost/some/path"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("localhost"), test.ShouldBeFalse)
+		test.That(t, IsValidBacktoURL("localhost/some/path"), test.ShouldBeFalse)
+	})
+
+	t.Run("accepts valid local URLs", func(t *testing.T) {
+		test.That(t, IsValidBacktoURL("https://localhost"), test.ShouldBeTrue)
+		test.That(t, IsValidBacktoURL("https://localhost/some/path"), test.ShouldBeTrue)
+	})
+}
diff --git a/web/redirect_url_test.go b/web/redirect_url_test.go