Merge branch 'djadmin-hot-fix-redirect-url-check' into 'master'

Fix DAST Profile redirection on save See merge request gitlab-org/gitlab!64071

Merge branch 'djadmin-hot-fix-redirect-url-check' into 'master'
Fix DAST Profile redirection on save See merge request gitlab-org/gitlab!64071
bca5b24f · Miguel Rincon · b94a562a · 746edbd6 · bca5b24f · bca5b24f
Commit bca5b24f authored Jun 16, 2021 by Miguel Rincon
2 changed files
--- a/ee/app/assets/javascripts/security_configuration/dast_profiles/redirect.js
+++ b/ee/app/assets/javascripts/security_configuration/dast_profiles/redirect.js
@@ -6,12 +6,18 @@ import {
  getBaseURL,
 } from '~/lib/utils/url_utility';

+const getReferrerPath = (referrer) => {
+  if (!referrer) return '';
+  return new URL(referrer).pathname;
+};
+
 export const returnToPreviousPageFactory = ({
  allowedPaths,
  profilesLibraryPath,
  urlParamKey,
 }) => ({ id } = {}) => {
-  const redirectPath = allowedPaths.find((path) => document.referrer?.includes(path));
+  const referrerPath = getReferrerPath(document.referrer);
+  const redirectPath = allowedPaths.find((allowedPath) => referrerPath === allowedPath);

  // when previous page is not an allowed path
  if (!redirectPath) return redirectTo(profilesLibraryPath);

--- a/ee/spec/frontend/security_configuration/dast_profiles/redirect_spec.js
+++ b/ee/spec/frontend/security_configuration/dast_profiles/redirect_spec.js
@@ -2,24 +2,28 @@ import { returnToPreviousPageFactory } from 'ee/security_configuration/dast_prof
 import { TEST_HOST } from 'helpers/test_constants';
 import * as urlUtility from '~/lib/utils/url_utility';

-const fullPath = 'group/project';
-const profilesLibraryPath = `${TEST_HOST}/${fullPath}/-/security/configuration/dast_scans`;
-const onDemandScansPath = `${TEST_HOST}/${fullPath}/-/on_demand_scans`;
-const dastConfigPath = `${TEST_HOST}/${fullPath}/-/security/configuration/dast`;
+const fullPath = '/group/project';
+const profilesLibraryPath = `${fullPath}/-/security/configuration/dast_scans`;
+const onDemandScansPath = `${fullPath}/-/on_demand_scans`;
+const dastConfigPath = `${fullPath}/-/security/configuration/dast`;
 const urlParamKey = 'site_profile_id';
 const originalReferrer = document.referrer;

+const allowedPaths = [onDemandScansPath, dastConfigPath];
+const disallowedPaths = [profilesLibraryPath, fullPath];
+const defaultRedirectionPath = profilesLibraryPath;
+
 const params = {
-  allowedPaths: [onDemandScansPath, dastConfigPath],
-  profilesLibraryPath,
+  allowedPaths,
+  profilesLibraryPath: defaultRedirectionPath,
  urlParamKey,
 };

 const factory = (id) => returnToPreviousPageFactory(params)(id);

-const setReferrer = (value = onDemandScansPath) => {
+const setReferrer = (value) => {
  Object.defineProperty(document, 'referrer', {
-    value,
+    value: new URL(value, TEST_HOST).href,
    configurable: true,
  });
 };
@@ -34,31 +38,43 @@ describe('DAST Profiles redirector', () => {
      jest.spyOn(urlUtility, 'redirectTo').mockImplementation();
    });

-    it('default - redirects to profile library page', () => {
-      factory();
-      expect(urlUtility.redirectTo).toHaveBeenCalledWith(profilesLibraryPath);
-    });
+    describe('redirects to default page', () => {
+      it('when no referrer is present', () => {
+        factory();
+        expect(urlUtility.redirectTo).toHaveBeenCalledWith(defaultRedirectionPath);
+      });

-    describe.each([
-      ['On-demand scans', onDemandScansPath],
-      ['DAST Configuration', dastConfigPath],
-    ])('when previous page is %s', (_pathName, path) => {
-      beforeEach(() => {
+      it.each(disallowedPaths)('when previous path is %s', (path) => {
        setReferrer(path);
-      });

-      afterEach(() => {
+        factory();
+        expect(urlUtility.redirectTo).toHaveBeenCalledWith(defaultRedirectionPath);
+
        resetReferrer();
      });
+    });

-      it('redirects to previous page', () => {
-        factory();
-        expect(urlUtility.redirectTo).toHaveBeenCalledWith(path);
-      });
+    describe('redirects to previous page', () => {
+      describe.each(allowedPaths)('when previous path is %s', (path) => {
+        beforeEach(() => {
+          setReferrer(path);
+        });
+
+        afterEach(() => {
+          resetReferrer();
+        });
+
+        it('without params', () => {
+          factory();
+          expect(urlUtility.redirectTo).toHaveBeenCalledWith(path);
+        });

-      it('redirects to previous page with id', () => {
-        factory({ id: 2 });
-        expect(urlUtility.redirectTo).toHaveBeenCalledWith(`${path}?site_profile_id=2`);
+        it('with params', () => {
+          factory({ id: 2 });
+          expect(urlUtility.redirectTo).toHaveBeenCalledWith(
+            `${TEST_HOST}${path}?site_profile_id=2`,
+          );
+        });
      });
    });
  });