// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see .
package models
import (
"os"
"strings"
"testing"
"time"
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/notifications"
"code.vikunja.io/api/pkg/user"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGetThreadID(t *testing.T) {
// Save original config value
originalPublicURL := config.ServicePublicURL.GetString()
defer func() {
config.ServicePublicURL.Set(originalPublicURL)
}()
t.Run("default domain when no public URL", func(t *testing.T) {
config.ServicePublicURL.Set("")
threadID := getThreadID(123)
expectedDomain := "vikunja"
if hostname, err := os.Hostname(); err == nil && hostname != "" {
expectedDomain = hostname
}
assert.Equal(t, "", threadID)
})
t.Run("simple domain without port", func(t *testing.T) {
config.ServicePublicURL.Set("https://vikunja.example.com")
threadID := getThreadID(456)
assert.Equal(t, "", threadID)
})
t.Run("domain with standard HTTPS port", func(t *testing.T) {
config.ServicePublicURL.Set("https://vikunja.example.com:443")
threadID := getThreadID(789)
// Should strip port to create valid RFC 5322 domain
assert.Equal(t, "", threadID)
})
t.Run("domain with non-standard port", func(t *testing.T) {
config.ServicePublicURL.Set("http://localhost:8080")
threadID := getThreadID(999)
// Should strip port to create valid RFC 5322 domain
assert.Equal(t, "", threadID)
})
t.Run("domain with port 3456", func(t *testing.T) {
config.ServicePublicURL.Set("http://vikunja.local:3456")
threadID := getThreadID(111)
// Should strip port to create valid RFC 5322 domain
assert.Equal(t, "", threadID)
})
t.Run("IP address with port", func(t *testing.T) {
config.ServicePublicURL.Set("http://192.168.1.100:8080")
threadID := getThreadID(222)
// Should strip port to create valid RFC 5322 domain
assert.Equal(t, "", threadID)
})
t.Run("invalid URL falls back to default", func(t *testing.T) {
config.ServicePublicURL.Set("not a valid url")
threadID := getThreadID(333)
expectedDomain := "vikunja"
if hostname, err := os.Hostname(); err == nil && hostname != "" {
expectedDomain = hostname
}
assert.Equal(t, "", threadID)
})
t.Run("URL with path", func(t *testing.T) {
config.ServicePublicURL.Set("https://example.com:9000/vikunja")
threadID := getThreadID(444)
// Should use hostname without port
assert.Equal(t, "", threadID)
})
}
func TestUndoneTasksOverdueNotification_TitleIsMarkdownEscaped(t *testing.T) {
originalPublicURL := config.ServicePublicURL.GetString()
t.Cleanup(func() { config.ServicePublicURL.Set(originalPublicURL) })
config.ServicePublicURL.Set("https://vikunja.example.com/")
maliciousTitle := "bad](https://evil.com) [click here"
n := &UndoneTasksOverdueNotification{
User: &user.User{ID: 1, Name: "alice", Username: "alice"},
Tasks: map[int64]*Task{
42: {ID: 42, Title: maliciousTitle, ProjectID: 7, DueDate: time.Now().Add(-1 * time.Hour)},
},
Projects: map[int64]*Project{
7: {ID: 7, Title: "My Project"},
},
}
mail := n.ToMail("en")
require.NotNil(t, mail)
opts, err := notifications.RenderMail(mail, "en")
require.NoError(t, err)
// The rendered HTML must NOT contain an anchor pointing at evil.com —
// that would be a successful injection. The literal string "evil.com"
// may still appear inside the link text because the malicious title is
// rendered verbatim; that is harmless as long as it is not an active
// link/image.
assert.NotContains(t, opts.HTMLMessage, `href="https://evil.com`,
"malicious URL must not be rendered as an anchor")
assert.NotContains(t, opts.HTMLMessage, `src="https://evil.com`,
"malicious URL must not be rendered as an image")
assert.Contains(t, opts.HTMLMessage, "https://vikunja.example.com/tasks/42",
"legitimate task link must still render")
// Exactly one anchor to the task — the injection must not create a
// second one. Vikunja templates also render the Action link, but this
// notification has no Action for the individual task.
assert.Equal(t, 1, strings.Count(opts.HTMLMessage, ` tag. The literal title
// characters may still be present as escaped text.
assert.NotContains(t, opts.HTMLMessage, "
tag")
assert.NotContains(t, opts.HTMLMessage, `href="https://evil.com`,
"tracking URL must not render as an anchor")
}