fix(http): inconsistencies on urlpattern usage on scope (#1059)

lucasfernog · web-flow · commit c873e4d6c74e · 2024-03-11T13:39:35.000-03:00
* fix(http): inconsistencies on urlpattern usage on scope

* fix tests

* enhance tests
diff --git a/.changes/fix-http-scope-url-match.md b/.changes/fix-http-scope-url-match.md
@@ -0,0 +1,5 @@
+---
+"http": patch
+---
+
+Fixes scope not allowing subpaths, query parameters and hash when those values are empty.
diff --git a/plugins/http/src/scope.rs b/plugins/http/src/scope.rs
@@ -6,7 +6,7 @@ use std::sync::Arc;
 
 use serde::{Deserialize, Deserializer};
 use url::Url;
-use urlpattern::{UrlPattern, UrlPatternInit, UrlPatternMatchInput};
+use urlpattern::{UrlPattern, UrlPatternMatchInput};
 
 #[allow(rustdoc::bare_urls)]
 #[derive(Debug)]
@@ -15,7 +15,21 @@ pub struct Entry {
 }
 
 fn parse_url_pattern(s: &str) -> Result<UrlPattern, urlpattern::quirks::Error> {
-    let init = UrlPatternInit::parse_constructor_string::<regex::Regex>(s, None)?;
+    let mut init = urlpattern::UrlPatternInit::parse_constructor_string::<regex::Regex>(s, None)?;
+    if init.search.as_ref().map(|p| p.is_empty()).unwrap_or(true) {
+        init.search.replace("*".to_string());
+    }
+    if init.hash.as_ref().map(|p| p.is_empty()).unwrap_or(true) {
+        init.hash.replace("*".to_string());
+    }
+    if init
+        .pathname
+        .as_ref()
+        .map(|p| p.is_empty() || p == "/")
+        .unwrap_or(true)
+    {
+        init.pathname.replace("*".to_string());
+    }
     UrlPattern::parse(init)
 }
 
@@ -100,6 +114,7 @@ mod tests {
         let deny = Arc::new("http://localhost:8080/*".parse().unwrap());
         let scope = super::Scope::new(vec![&allow], vec![&deny]);
         assert!(!scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap()));
+        assert!(!scope.is_allowed(&"http://localhost:8080?framework=tauri".parse().unwrap()));
     }
 
     #[test]
@@ -109,9 +124,10 @@ mod tests {
         let scope = super::Scope::new(vec![&entry], Vec::new());
         assert!(scope.is_allowed(&"http://localhost:8080".parse().unwrap()));
         assert!(scope.is_allowed(&"http://localhost:8080/".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://localhost:8080/file".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://localhost:8080/path/to/asset.png".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://localhost:8080/path/list?limit=50".parse().unwrap()));
 
-        assert!(!scope.is_allowed(&"http://localhost:8080/file".parse().unwrap()));
-        assert!(!scope.is_allowed(&"http://localhost:8080/path/to/asset.png".parse().unwrap()));
         assert!(!scope.is_allowed(&"https://localhost:8080".parse().unwrap()));
         assert!(!scope.is_allowed(&"http://localhost:8081".parse().unwrap()));
         assert!(!scope.is_allowed(&"http://local:8080".parse().unwrap()));
@@ -124,6 +140,7 @@ mod tests {
         let scope = super::Scope::new(vec![&entry], Vec::new());
 
         assert!(scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://localhost:8080/file.png?q=1".parse().unwrap()));
 
         assert!(!scope.is_allowed(&"http://localhost:8080".parse().unwrap()));
         assert!(!scope.is_allowed(&"http://localhost:8080/file".parse().unwrap()));
@@ -136,7 +153,13 @@ mod tests {
         let scope = super::Scope::new(vec![&entry], Vec::new());
 
         assert!(scope.is_allowed(&"http://localhost:8080/file.png".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://localhost:8080/file.png#head".parse().unwrap()));
         assert!(scope.is_allowed(&"http://localhost:8080/assets/file.png".parse().unwrap()));
+        assert!(scope.is_allowed(
+            &"http://localhost:8080/assets/file.png?width=100&height=200"
+                .parse()
+                .unwrap()
+        ));
 
         assert!(!scope.is_allowed(&"http://localhost:8080/file.jpeg".parse().unwrap()));
     }
@@ -147,7 +170,15 @@ mod tests {
         let scope = super::Scope::new(vec![&entry], Vec::new());
 
         assert!(scope.is_allowed(&"http://something.else".parse().unwrap()));
-        assert!(!scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://something.else#tauri".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://something.else?rel=tauri".parse().unwrap()));
+        assert!(scope.is_allowed(
+            &"http://something.else/path/to/file.mp4?start=500"
+                .parse()
+                .unwrap()
+        ));
+
         assert!(!scope.is_allowed(&"https://something.else".parse().unwrap()));
 
         let entry = Arc::new("http://*/*".parse().unwrap());
@@ -163,10 +194,11 @@ mod tests {
         let scope = super::Scope::new(vec![&entry], Vec::new());
 
         assert!(scope.is_allowed(&"http://something.else".parse().unwrap()));
-        assert!(!scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
+        assert!(scope.is_allowed(&"http://something.else/path/to/file".parse().unwrap()));
         assert!(scope.is_allowed(&"file://path".parse().unwrap()));
-        assert!(!scope.is_allowed(&"file://path/to/file".parse().unwrap()));
+        assert!(scope.is_allowed(&"file://path/to/file".parse().unwrap()));
         assert!(scope.is_allowed(&"https://something.else".parse().unwrap()));
+        assert!(scope.is_allowed(&"https://something.else?x=1#frag".parse().unwrap()));
 
         let entry = Arc::new("*://*/*".parse().unwrap());
         let scope = super::Scope::new(vec![&entry], Vec::new());
@@ -176,4 +208,24 @@ mod tests {
         assert!(scope.is_allowed(&"file://path/to/file".parse().unwrap()));
         assert!(scope.is_allowed(&"https://something.else".parse().unwrap()));
     }
+
+    #[test]
+    fn validate_query() {
+        let entry = Arc::new("https://tauri.app/path?x=*".parse().unwrap());
+        let scope = super::Scope::new(vec![&entry], Vec::new());
+
+        assert!(scope.is_allowed(&"https://tauri.app/path?x=5".parse().unwrap()));
+
+        assert!(!scope.is_allowed(&"https://tauri.app/path?y=5".parse().unwrap()));
+    }
+
+    #[test]
+    fn validate_hash() {
+        let entry = Arc::new("https://tauri.app/path#frame*".parse().unwrap());
+        let scope = super::Scope::new(vec![&entry], Vec::new());
+
+        assert!(scope.is_allowed(&"https://tauri.app/path#frame".parse().unwrap()));
+
+        assert!(!scope.is_allowed(&"https://tauri.app/path#work".parse().unwrap()));
+    }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"http": patch
 +---
++
 +Fixes scope not allowing subpaths, query parameters and hash when those values are empty.