Merge branch 'security-sg-fix-frontend-uri-parse-regex-17-1' into '17-1-stable-ee'

Fixed frontend regex to parse URI See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4421 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: Drew Blessing <drew@gitlab.com> Co-authored-by: smriti <sgarg@gitlab.com>

Merge branch 'security-sg-fix-frontend-uri-parse-regex-17-1' into '17-1-stable-ee'
33bfd9e7 · GitLab Release Tools Bot · a5fe1302 · 0ee3b0c7 · 33bfd9e7 · 33bfd9e7
Commit 33bfd9e7 authored 5 months ago by GitLab Release Tools Bot
--- a/app/views/doorkeeper/authorizations/new.html.haml
+++ b/app/views/doorkeeper/authorizations/new.html.haml
@@ -24,7 +24,7 @@
        = html_escape(_('Make sure you trust %{client_name} before authorizing.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
      %p
        = html_escape(_('%{owner} %{created_date} ago.')) % { owner: auth_app_owner_text(@pre_auth.client.application.owner), created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) }
-        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub('www.', '')
+        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub(/^www\./, '')
        - if @pre_auth.redirect_uri.start_with?('http://', 'https://') && domain != 'localhost'
          = html_escape(_('You will be redirected to %{domain} after authorizing.')) % { domain: "<strong>#{domain}</strong>".html_safe }
  %div

--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -128,6 +128,38 @@
          expect(response).to render_template('doorkeeper/authorizations/redirect')
        end
  
+        context 'when showing applications as provided' do
+          let!(:application) do
+            create(
+              :oauth_application,
+              owner_id: nil,
+              owner_type: nil,
+              scopes: application_scopes,
+              redirect_uri: 'http://example.com',
+              confidential: confidential
+            )
+          end
+
+          it 'displays the warning message' do
+            subject
+            expect(response.body).to have_css(
+              'p.gl-text-orange-500', text: "Make sure you trust #{application.name} before authorizing.")
+            expect(response.body).to have_css('[data-testid="warning-solid-icon"]')
+          end
+
+          context 'when redirect uri has www pattern' do
+            before do
+              application.redirect_uri = "http://www.examplewww.com"
+              application.save!
+            end
+
+            it 'substitutes pattern correctly on display' do
+              subject
+              expect(response.body).to have_css('p', text: "You will be redirected to examplewww.com")
+            end
+          end
+        end
+
        context 'with gl_auth_type=login' do
          let(:minimal_scope) { Gitlab::Auth::READ_USER_SCOPE.to_s }