From aff14b697f8ebf1cb09f6f70236e5db911675893 Mon Sep 17 00:00:00 2001
From: Muhsin Keloth
Date: Mon, 28 Feb 2022 15:44:02 +0530
Subject: [PATCH] chore: Add webhook URL validation (#4080)
---
 app/models/webhook.rb | 2 +-
 .../api/v1/accounts/webhook_controller_spec.rb | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/app/models/webhook.rb b/app/models/webhook.rb
index 2895978f9..a78e7c267 100644
--- a/app/models/webhook.rb
+++ b/app/models/webhook.rb
@@ -20,7 +20,7 @@ class Webhook < ApplicationRecord
   belongs_to :inbox, optional: true
   validates :account_id, presence: true
-  validates :url, uniqueness: { scope: [:account_id] }, format: { with: URI::DEFAULT_PARSER.make_regexp }
+  validates :url, uniqueness: { scope: [:account_id] }, format: URI::DEFAULT_PARSER.make_regexp(%w[http https])
   enum webhook_type: { account: 0, inbox: 1 }
 end
diff --git a/spec/controllers/api/v1/accounts/webhook_controller_spec.rb b/spec/controllers/api/v1/accounts/webhook_controller_spec.rb
index 5b839ebef..ccafe2f56 100644
--- a/spec/controllers/api/v1/accounts/webhook_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/webhook_controller_spec.rb
@@ -48,6 +48,15 @@ RSpec.describe 'Webhooks API', type: :request do
         expect(JSON.parse(response.body)['payload']['webhook']['url']).to eql 'https://hello.com'
       end
+
+      it 'throws error when invalid url provided' do
+        post "/api/v1/accounts/#{account.id}/webhooks",
+             params: { account_id: account.id, inbox_id: inbox.id, url: 'javascript:alert(1)' },
+             headers: administrator.create_new_auth_token,
+             as: :json
+        expect(response).to have_http_status(:unprocessable_entity)
+        expect(JSON.parse(response.body)['message']).to eql 'Url is invalid'
+      end
     end
   end
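Review bot: The pattern returned by `URI::DEFAULT_PARSER.make_regexp(%w[http https])` is, as far as I recall, the unanchored one `URI.extract` uses to scan free text, and Rails' format validator matches it anywhere in the value, so the new `validates :url` line still accepts a value such as `'javascript:alert(1) https://example.com'` (constructed example) while rejecting the bare `'javascript:alert(1)'` the spec checks. Anchoring the pattern closes that gap: `format: { with: /\A#{URI::DEFAULT_PARSER.make_regexp(%w[http https])}\z/ }`. The spec hunk only exercises the bare non-http scheme, so a case with an http(s) URL embedded after a non-http prefix would be worth adding there. Constraining the scheme says nothing about which host the webhook is delivered to; if that matters for this model it is a separate check. The `Webhook` class opens before this hunk.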