fix: Referer URL validation (#4309)

Fixes #354
2025-10-31 19:17:48 +00:00 · 2022-03-30 14:36:22 +05:30
parent bfe6324d9a
commit 24b20c10ce
6 changed files with 52 additions and 10 deletions
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -17,6 +17,7 @@ Metrics/ClassLength:
    - 'app/builders/messages/facebook/message_builder.rb'
    - 'app/controllers/api/v1/accounts/contacts_controller.rb'
    - 'app/listeners/action_cable_listener.rb'
    - 'app/models/conversation.rb'
 RSpec/ExampleLength:
  Max: 25
 Style/Documentation:
--- a/app/models/campaign.rb
+++ b/app/models/campaign.rb
@@ -33,8 +33,8 @@
 #  fk_rails_...  (account_id => accounts.id) ON DELETE => cascade
 #  fk_rails_...  (inbox_id => inboxes.id) ON DELETE => cascade
 #
 require 'uri'
 class Campaign < ApplicationRecord
  include UrlHelper
  validates :account_id, presence: true
  validates :inbox_id, presence: true
  validates :title, presence: true
@@ -94,15 +94,6 @@ class Campaign < ApplicationRecord
    errors.add(:url, 'invalid') if inbox.inbox_type == 'Website' && !url_valid?(trigger_rules['url'])
  end
  def url_valid?(url)
    url = begin
      URI.parse(url)
    rescue StandardError
      false
    end
    url.is_a?(URI::HTTP) || url.is_a?(URI::HTTPS)
  end
  def prevent_completed_campaign_from_update
    errors.add :status, 'The campaign is already completed' if !campaign_status_changed? && completed?
  end
--- a/app/models/conversation.rb
+++ b/app/models/conversation.rb
@@ -46,12 +46,14 @@ class Conversation < ApplicationRecord
  include AssignmentHandler
  include RoundRobinHandler
  include ActivityMessageHandler
  include UrlHelper
  validates :account_id, presence: true
  validates :inbox_id, presence: true
  before_validation :validate_additional_attributes
  validates :additional_attributes, jsonb_attributes_length: true
  validates :custom_attributes, jsonb_attributes_length: true
  validate :validate_referer_url
  enum status: { open: 0, resolved: 1, pending: 2, snoozed: 3 }
@@ -242,6 +244,12 @@ class Conversation < ApplicationRecord
    6.hours
  end
  def validate_referer_url
    return unless additional_attributes['referer']
    self['additional_attributes']['referer'] = nil unless url_valid?(additional_attributes['referer'])
  end
  # creating db triggers
  trigger.before(:insert).for_each(:row) do
    "NEW.display_id := nextval('conv_dpid_seq_' || NEW.account_id);"
--- a/lib/url_helper.rb
+++ b/lib/url_helper.rb
@@ -0,0 +1,11 @@
 require 'uri'
 module UrlHelper
  def url_valid?(url)
    url = begin
      URI.parse(url)
    rescue StandardError
      false
    end
    url.is_a?(URI::HTTP) || url.is_a?(URI::HTTPS)
  end
 end
--- a/spec/helpers/url_helper_spec.rb
+++ b/spec/helpers/url_helper_spec.rb
@@ -0,0 +1,15 @@
 require 'rails_helper'
 describe UrlHelper, type: :helper do
  describe '#url_valid' do
    context 'when url valid called' do
      it 'return if valid url passed' do
        expect(helper.url_valid?('https://app.chatwoot.com/')).to eq true
      end
      it 'return false if invalid url passed' do
        expect(helper.url_valid?('javascript:alert(document.cookie)')).to eq false
      end
    end
  end
 end
--- a/spec/models/conversation_spec.rb
+++ b/spec/models/conversation_spec.rb
@@ -525,4 +525,20 @@ RSpec.describe Conversation, type: :model do
      expect { notification.reload }.to raise_error ActiveRecord::RecordNotFound
    end
  end
  describe 'validate invalid referer url' do
    let(:conversation) { create(:conversation, additional_attributes: { referer: 'javascript' }) }
    it 'returns nil' do
      expect(conversation['additional_attributes']['referer']).to eq(nil)
    end
  end
  describe 'validate valid referer url' do
    let(:conversation) { create(:conversation, additional_attributes: { referer: 'https://www.chatwoot.com/' }) }
    it 'returns nil' do
      expect(conversation['additional_attributes']['referer']).to eq('https://www.chatwoot.com/')
    end
  end
 end