Fixed frontend regex to parse URI

Merge branch 'security-sg-fix-frontend-uri-parse-regex-17-1' into '17-1-stable-ee' See merge request gitlab-org/security/gitlab!4421 Changelog: security

Fixed frontend regex to parse URI
0ee3b0c7 · Smriti Garg · GitLab Release Tools Bot · dd9081f3 · 0ee3b0c7 · 0ee3b0c7
Commit 0ee3b0c7 authored 5 months ago by Smriti Garg Committed by GitLab Release Tools Bot 5 months ago
--- a/app/views/doorkeeper/authorizations/new.html.haml
+++ b/app/views/doorkeeper/authorizations/new.html.haml
@@ -24,7 +24,7 @@
        = html_escape(_('Make sure you trust %{client_name} before authorizing.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
      %p
        = html_escape(_('%{owner} %{created_date} ago.')) % { owner: auth_app_owner_text(@pre_auth.client.application.owner), created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) }
-        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub('www.', '')
+        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub(/^www\./, '')
        - if @pre_auth.redirect_uri.start_with?('http://', 'https://') && domain != 'localhost'
          = html_escape(_('You will be redirected to %{domain} after authorizing.')) % { domain: "<strong>#{domain}</strong>".html_safe }
  %div

--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -128,6 +128,38 @@
          expect(response).to render_template('doorkeeper/authorizations/redirect')
        end
  
+        context 'when showing applications as provided' do
+          let!(:application) do
+            create(
+              :oauth_application,
+              owner_id: nil,
+              owner_type: nil,
+              scopes: application_scopes,
+              redirect_uri: 'http://example.com',
+              confidential: confidential
+            )
+          end
+
+          it 'displays the warning message' do
+            subject
+            expect(response.body).to have_css(
+              'p.gl-text-orange-500', text: "Make sure you trust #{application.name} before authorizing.")
+            expect(response.body).to have_css('[data-testid="warning-solid-icon"]')
+          end
+
+          context 'when redirect uri has www pattern' do
+            before do
+              application.redirect_uri = "http://www.examplewww.com"
+              application.save!
+            end
+
+            it 'substitutes pattern correctly on display' do
+              subject
+              expect(response.body).to have_css('p', text: "You will be redirected to examplewww.com")
+            end
+          end
+        end
+
        context 'with gl_auth_type=login' do
          let(:minimal_scope) { Gitlab::Auth::READ_USER_SCOPE.to_s }