From 7a9c098cb2fd235861c86085eb2e374f92914242 Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Thu, 7 Dec 2023 11:15:37 +0100
Subject: [PATCH 1/3] Failing test.
---
 .../tokens/instance/overview_view_test.exs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
index ec01e6a2070b..a1783b9cc957 100644
--- a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
+++ b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
@@ -119,4 +119,23 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
 "https://assets.cargo.build/611a883b0d039100261bfe79/b89cf189-13e9-47ed-b801-a1f6aa15a7bf/a0784ea0-45be-41cd-9cdd-cc40ad20f20d-zombiepngpng.png"
 end
 end
+
+ describe "external_url/1" do
+ test "does not return invalid url scheme" do
+ json = """
+ {
+ "name": "CELO XSS",
+ "image": "https://0-a.nl/nft/nft.jpg",
+ "description": "CELO XSS",
+ "external_url": "javascript:eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYW'))"
+ }
+ """
+
+ data = Jason.decode!(json)
+
+ result = OverviewView.external_url(%{metadata: data})
+
+ refute String.starts_with?(result, "javascript"), "non http url schemes should be stripped from external_url"
+ end
+ end
 end
From 83daba8a3c05abd0ea3398e60860985118590880 Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Thu, 7 Dec 2023 11:29:01 +0100
Subject: [PATCH 2/3] Fix test.
---
 .../instance/overview/_details.html.eex | 2 +-
 .../views/tokens/instance/overview_view.ex | 6 +++++-
 .../tokens/instance/overview_view_test.exs | 21 +++++++++++++++++--
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex b/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex
index bcb1734091f0..ecf98e0c96f6 100644
--- a/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex
+++ b/apps/block_scout_web/lib/block_scout_web/templates/tokens/instance/overview/_details.html.eex
@@ -41,7 +41,7 @@
 <%= if external_url(@token_instance.instance) do %>
- target="_blank">
+ target="_blank">
 View In App <%= render BlockScoutWeb.IconsView, "_external_link.html" %>
diff --git a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
index 1c0c748dc415..ba62117bd6a3 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
@@ -102,10 +102,14 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewView do
 def external_url(nil), do: nil
+ def external_url("http" <> _rest = external_url), do: external_url
+
+ def external_url(string) when is_binary(string), do: external_url(nil)
+
 def external_url(instance) do
 result = if instance.metadata && instance.metadata["external_url"] do
- instance.metadata["external_url"]
+ instance.metadata["external_url"] |> external_url()
 else
 external_url(nil)
 end
diff --git a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
index a1783b9cc957..37d0417cf88c 100644
--- a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
+++ b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
@@ -127,7 +127,7 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
 "name": "CELO XSS",
 "image": "https://0-a.nl/nft/nft.jpg",
 "description": "CELO XSS",
- "external_url": "javascript:eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYW'))"
+ "external_url": "javascript:eval(atob('YWxlcnQoIndoYXRzdXAgaXQncyB5YSBib3l5Iik'))"
 }
 """
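Review bot: The added `def external_url("http" <> _rest = external_url)` clause is a case-sensitive four-character prefix test, not a scheme check: `HTTPS://example.com` (valid, since RFC 3986 schemes are case-insensitive) is now treated as missing, while any string that merely starts with `http` is passed to the href untouched. Parsing with `URI.parse/1` and accepting only a downcased scheme of `http`/`https` together with a non-empty host keeps the same interface and rejects `javascript:` and `data:` values by construction, as sketched below. A non-binary `external_url` (a JSON number, list or object) still falls past both new clauses into `external_url(instance)`, whose body continues past the end of the hunk, where `instance.metadata` raises on a number or on a string-keyed map; previously such values went straight to the template, so if the intent is "hostile metadata means no link", match that clause as `def external_url(%{metadata: _} = instance)` and add a final `def external_url(_), do: nil`.
```elixir
  def external_url(nil), do: nil

  # Schemes are case-insensitive (RFC 3986); only http(s) with a host may reach an href,
  # so `javascript:` / `data:` values (which have no host) and anything else become nil.
  def external_url(url) when is_binary(url) do
    case URI.parse(url) do
      %URI{scheme: scheme, host: host} when is_binary(scheme) and is_binary(host) and host != "" ->
        if String.downcase(scheme) in ["http", "https"], do: url, else: nil

      _ ->
        nil
    end
  end

  # … unchanged: external_url(instance) clause …
```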
@@ -135,7 +135,24 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
 result = OverviewView.external_url(%{metadata: data})
- refute String.starts_with?(result, "javascript"), "non http url schemes should be stripped from external_url"
+ assert result == nil, "non http url schemes should be stripped from external_url and treated as missing"
+ end
+
+ test "Returns valid uri scheme" do
+ json = """
+ {
+ "name": "CELO NFT test",
+ "image": "https://0-a.nl/nft/nft.jpg",
+ "description": "CELO NFT test",
+ "external_url": "https://happyland.nft"
+ }
+ """
+
+ data = Jason.decode!(json)
+
+ result = OverviewView.external_url(%{metadata: data})
+
+ assert String.starts_with?(result, "http"), "Valid url should be returned"
 end
 end
 end
From 0f5c53d688473d718356807a487c4ffb95737f95 Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Thu, 7 Dec 2023 12:03:05 +0100
Subject: [PATCH 3/3] Update translations (idk).
---
 apps/block_scout_web/priv/gettext/default.pot | 4 ++--
 apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/block_scout_web/priv/gettext/default.pot b/apps/block_scout_web/priv/gettext/default.pot
index f12a4b53c4c9..268b33cd9b34 100644
--- a/apps/block_scout_web/priv/gettext/default.pot
+++ b/apps/block_scout_web/priv/gettext/default.pot
@@ -1642,7 +1642,7 @@ msgstr ""
 #: lib/block_scout_web/templates/tokens/instance/metadata/index.html.eex:18
 #: lib/block_scout_web/templates/tokens/instance/overview/_tabs.html.eex:10
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:198
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:202
 #, elixir-autogen, elixir-format
 msgid "Metadata"
 msgstr ""
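Review bot: `assert String.starts_with?(result, "http")` in the new positive test is as loose as the prefix check it exercises; pin the exact value with `assert result == "https://happyland.nft"` so a rewrite that truncates or rewrites the URL is caught. The negative side covers a single lowercase `javascript:` payload; since browsers match schemes case-insensitively and strip leading whitespace before parsing, add cases such as `"JavaScript:alert(1)"`, `"data:text/html,x"` and `" javascript:alert(1)"` asserting `nil`, plus one for `"HTTPS://happyland.nft"` that states whether an uppercase scheme is meant to be accepted (the current prefix match rejects it). The enclosing `describe "external_url/1"` block starts in the previous hunk.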
@@ -2659,7 +2659,7 @@ msgstr ""
 #: lib/block_scout_web/templates/transaction/_tabs.html.eex:4
 #: lib/block_scout_web/templates/transaction_token_transfer/index.html.eex:7
 #: lib/block_scout_web/views/address_view.ex:434
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:197
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:201
 #: lib/block_scout_web/views/tokens/overview_view.ex:39
 #: lib/block_scout_web/views/transaction_view.ex:526
 #, elixir-autogen, elixir-format
diff --git a/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po b/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
index d7f10ff53419..248cea3a41a9 100644
--- a/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
+++ b/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
@@ -1642,7 +1642,7 @@ msgstr ""
 #: lib/block_scout_web/templates/tokens/instance/metadata/index.html.eex:18
 #: lib/block_scout_web/templates/tokens/instance/overview/_tabs.html.eex:10
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:198
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:202
 #, elixir-autogen, elixir-format
 msgid "Metadata"
 msgstr ""
@@ -2659,7 +2659,7 @@ msgstr ""
 #: lib/block_scout_web/templates/transaction/_tabs.html.eex:4
 #: lib/block_scout_web/templates/transaction_token_transfer/index.html.eex:7
 #: lib/block_scout_web/views/address_view.ex:434
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:197
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:201
 #: lib/block_scout_web/views/tokens/overview_view.ex:39
 #: lib/block_scout_web/views/transaction_view.ex:526
 #, elixir-autogen, elixir-format