fix: Referer URL validation (#4309)

Fixes #354

.rubocop.yml

@@ -17,6 +17,7 @@ Metrics/ClassLength:
     - 'app/builders/messages/facebook/message_builder.rb'
     - 'app/controllers/api/v1/accounts/contacts_controller.rb'
     - 'app/listeners/action_cable_listener.rb'
+    - 'app/models/conversation.rb'
 RSpec/ExampleLength:
   Max: 25
 Style/Documentation:

app/models/campaign.rb

@@ -33,8 +33,8 @@
 #  fk_rails_...  (account_id => accounts.id) ON DELETE => cascade
 #  fk_rails_...  (inbox_id => inboxes.id) ON DELETE => cascade
 #
-require 'uri'
 class Campaign < ApplicationRecord
+  include UrlHelper
   validates :account_id, presence: true
   validates :inbox_id, presence: true
   validates :title, presence: true
@@ -94,15 +94,6 @@ def validate_url
     errors.add(:url, 'invalid') if inbox.inbox_type == 'Website' && !url_valid?(trigger_rules['url'])
   end
 
-  def url_valid?(url)
-    url = begin
-      URI.parse(url)
-    rescue StandardError
-      false
-    end
-    url.is_a?(URI::HTTP) || url.is_a?(URI::HTTPS)
-  end
-
   def prevent_completed_campaign_from_update
     errors.add :status, 'The campaign is already completed' if !campaign_status_changed? && completed?
   end

app/models/conversation.rb

@@ -46,12 +46,14 @@ class Conversation < ApplicationRecord
   include AssignmentHandler
   include RoundRobinHandler
   include ActivityMessageHandler
+  include UrlHelper
 
   validates :account_id, presence: true
   validates :inbox_id, presence: true
   before_validation :validate_additional_attributes
   validates :additional_attributes, jsonb_attributes_length: true
   validates :custom_attributes, jsonb_attributes_length: true
+  validate :validate_referer_url
 
   enum status: { open: 0, resolved: 1, pending: 2, snoozed: 3 }
 
@@ -242,6 +244,12 @@ def mute_period
     6.hours
   end
 
+  def validate_referer_url
+    return unless additional_attributes['referer']
+
+    self['additional_attributes']['referer'] = nil unless url_valid?(additional_attributes['referer'])
+  end
+
   # creating db triggers
   trigger.before(:insert).for_each(:row) do
     "NEW.display_id := nextval('conv_dpid_seq_' || NEW.account_id);"

lib/url_helper.rb

@@ -0,0 +1,11 @@
+require 'uri'
+module UrlHelper
+  def url_valid?(url)
+    url = begin
+      URI.parse(url)
+    rescue StandardError
+      false
+    end
+    url.is_a?(URI::HTTP) || url.is_a?(URI::HTTPS)
+  end
+end

spec/helpers/url_helper_spec.rb

@@ -0,0 +1,15 @@
+require 'rails_helper'
+
+describe UrlHelper, type: :helper do
+  describe '#url_valid' do
+    context 'when url valid called' do
+      it 'return if valid url passed' do
+        expect(helper.url_valid?('https://app.chatwoot.com/')).to eq true
+      end
+
+      it 'return false if invalid url passed' do
+        expect(helper.url_valid?('javascript:alert(document.cookie)')).to eq false
+      end
+    end
+  end
+end

spec/models/conversation_spec.rb

@@ -525,4 +525,20 @@
       expect { notification.reload }.to raise_error ActiveRecord::RecordNotFound
     end
   end
+
+  describe 'validate invalid referer url' do
+    let(:conversation) { create(:conversation, additional_attributes: { referer: 'javascript' }) }
+
+    it 'returns nil' do
+      expect(conversation['additional_attributes']['referer']).to eq(nil)
+    end
+  end
+
+  describe 'validate valid referer url' do
+    let(:conversation) { create(:conversation, additional_attributes: { referer: 'https://www.chatwoot.com/' }) }
+
+    it 'returns nil' do
+      expect(conversation['additional_attributes']['referer']).to eq('https://www.chatwoot.com/')
+    end
+  end
 end