Add homepage url to user profile

[jacklynhma]

Objective:

1. Add form to the edit profile
2. Update the user profile to display the homepage URL
3. Display the homepage URL on the dashboard

More context: This PR opened during the Ruby Conf Hack day. After speaking with Martin, it was decided that I add a basic homepage URL that can later be iterated on for future social media links.

How to test part 1: Add form to the edit profile

• Login
• On the upper right click the drop-down menu
• Click Edit Profile
• Add your homepage with the format https://yourwebsite.com
• Add your password
• Submit form
• You should see the below image
  Note: I was told that the icon will show on production:

How to test part 2: Update the user profile to display the homepage URL

• Create a user
• Login as a ruby gem user and navigate to /profiles/new-user-username
• You should see the new image:

How to test part 3: Navigate to /dashboard

• You should see the below image with the homepage listed

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.19%. Comparing base (1143eba) to head (9b2bf91).
Report is 9 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5240      +/-   ##
==========================================
- Coverage   96.85%   94.19%   -2.67%     
==========================================
  Files         456      456              
  Lines        9517     9577      +60     
==========================================
- Hits         9218     9021     -197     
- Misses        299      556     +257     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[segiddins]

don't worry about the coverage change

[martinemde]

Maybe we should consider something like HackerOne's "you're about to leave this site for ...". Github appends http:// to urls that don't have either http / https in the front, and they are probably doing more.

[martinemde]

Blocking temporarily while we make sure we're sanitizing the urls. I suspect that since we already allow urls from gems, this isn't a whole lot worse, but I want to double check.

[jacklynhma]

@martinemde Thanks for calling this out.

I could be wrong, but while I was looking at the code, I did not see any sanitizing for the URL.

There are some safeguards though.

• If I comment out this new line of code https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
• Add javascript:alert('XSS'); to the homepage_url field in the edit profile
• Navigate to /profiles/(user_name)
• Try to click on the homepage_url
• I will see the below message

which is tied to https://github.com/rubygems/rubygems.org/blob/master/config/initializers/content_security_policy.rb#L33 and which protects against XXS attacks.

However with this validation https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
It looks like the code does prevent javascript:alert('XSS'); from even being submitted
https://github.com/mdespuits/validates_formatting_of/blob/664b7c8b1ae8c9016549944fc833737c74f1d752/lib/validates_formatting_of/method.rb#L19
So something like this will be caught and the below error message will show:

What we can also do is with that sanitize method

      sanitize( link_to(
         user.homepage_url,
         user.homepage_url,
        rel: "nofollow"
      ), tags: %w(a), attributes: %w(href rel))

And then it will remove the href from the link and make it unclickable.

But I understand that true sanitizing would remove everything we don't want in the string. I could also look into this. Please let me know how you would like me to proceed or if I am completely off the mark.

[martinemde]

I'm happy to see that our Content Security Policy is correctly enforced. We probably agree that we don't want to rely on only that.

Can we write tests that ensure that no data: javascript: file: or similar urls are allowed? That's a good start.

The validation for a link being allowed in a rubygem is this: https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459

[jacklynhma]

I read about how the URI validation occurs in the Ruby gem(https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459) and tried to mimic it since I figured we would want the same validations to happen in both places.

I extracted this validation into a custom validator because I knew that other URLs would eventually be added to the user profile, and we could establish a consistent way of validating the URLs.