Add homepage url to user profile

[jacklynhma]

Objective:

1. Add form to the edit profile
2. Update the user profile to display the homepage URL
3. Display the homepage URL on the dashboard
4. Display confirmation dialog prior to redirecting user to homepage URL
5. Truncate long homepage URLs

More context: This PR opened during the Ruby Conf Hack day. After speaking with Martin, it was decided that I add a basic homepage URL that can later be iterated on for future social media links.

How to test part 1: Add form to the edit profile

• Login
• On the upper right click the drop-down menu
• Click Edit Profile
• Add your homepage with the format https://yourwebsite.com
• Add your password
• Submit form
• You should see the below image
  Note: I was told that the icon will show on production:

How to test part 2: Update the user profile to display the homepage URL

• Create a user
• Login as a ruby gem user and navigate to /profiles/new-user-username
• You should see the new image:

How to test part 3: Navigate to /dashboard

• You should see the below image with the homepage listed

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.37%. Comparing base (94e09f7) to head (59de7fa).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5240      +/-   ##
==========================================
- Coverage   97.13%   94.37%   -2.77%     
==========================================
  Files         457      459       +2     
  Lines        9567     9637      +70     
==========================================
- Hits         9293     9095     -198     
- Misses        274      542     +268     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[segiddins]

don't worry about the coverage change

[martinemde]

Blocking temporarily while we make sure we're sanitizing the urls. I suspect that since we already allow urls from gems, this isn't a whole lot worse, but I want to double check.

[jacklynhma]

@martinemde Thanks for calling this out.

I could be wrong, but while I was looking at the code, I did not see any sanitizing for the URL.

There are some safeguards though.

• If I comment out this new line of code https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
• Add javascript:alert('XSS'); to the homepage_url field in the edit profile
• Navigate to /profiles/(user_name)
• Try to click on the homepage_url
• I will see the below message

which is tied to https://github.com/rubygems/rubygems.org/blob/master/config/initializers/content_security_policy.rb#L33 and which protects against XXS attacks.

However with this validation https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
It looks like the code does prevent javascript:alert('XSS'); from even being submitted
https://github.com/mdespuits/validates_formatting_of/blob/664b7c8b1ae8c9016549944fc833737c74f1d752/lib/validates_formatting_of/method.rb#L19
So something like this will be caught and the below error message will show:

What we can also do is with that sanitize method

      sanitize( link_to(
         user.homepage_url,
         user.homepage_url,
        rel: "nofollow"
      ), tags: %w(a), attributes: %w(href rel))

And then it will remove the href from the link and make it unclickable.

But I understand that true sanitizing would remove everything we don't want in the string. I could also look into this. Please let me know how you would like me to proceed or if I am completely off the mark.

[martinemde]

I'm happy to see that our Content Security Policy is correctly enforced. We probably agree that we don't want to rely on only that.

Can we write tests that ensure that no data: javascript: file: or similar urls are allowed? That's a good start.

The validation for a link being allowed in a rubygem is this: https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459

[jacklynhma]

Taking into account really long homepage URLs.
I chose length 20 because I saw that is the length we limit our Twitter username

Before:

After

[jacklynhma]

#5240 (comment)
#5240 (comment)
@martinemde After rereading your above messages, I think below are the use cases you are expecting. Please let me know and I can update the code. Thank you for your feedback.

User Enters in homepage URL	Expected outcome
www.userhomepage.com	http://www.userhomepage.com
javascript:alert('hello')	Error message rendered, record is not updated
file:///etc/passwd	Error message rendered, record is not updated
http://javascript:alert('hello')	Error message rendered, record is not updated
http://www.userhomepage.com	http://www.userhomepage.com
https://www.userhomepage.com	https://www.userhomepage.com

[martinemde]

I think these are being flagged "correctly", in that it's a valid concern. Ultimately it could be that we're validating the inputs correctly but we should take whatever care is necessary to also convince the security bots that we are not doing something dumb.

[jacklynhma]

When running tests locally, I receive the below error:

I realize this is a bug I created in a previous PR since I used the same class name. Changing the file to another name allowed the tests to run.

[jacklynhma]

@martinemde I was able to get the brakeman build to pass by prepending https:// to the urls just in case in the future the model changes by accident and adding your suggestion to add h() 🥳

This build test failed but it passes locally ..I do not think it might be related to my PR (?)