Skip to content

Commit

Permalink
Port last changes from HEY
Browse files Browse the repository at this point in the history
  • Loading branch information
intrip committed Jun 19, 2024
1 parent 5f72496 commit 706540a
Show file tree
Hide file tree
Showing 5 changed files with 26 additions and 6 deletions.
14 changes: 13 additions & 1 deletion lib/homographic_spoofing/detector/idn.rb
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,18 @@ def contexts
end

def public_suffix
@public_suffix ||= PublicSuffix.parse(domain, ignore_private: true)
@public_suffix ||= icann_domain || non_icann_domain
end

def icann_domain
PublicSuffix.parse(domain, ignore_private: true) if PublicSuffix.valid?(domain)
end

def non_icann_domain
if PublicSuffix::List.default.find(domain, default: nil, ignore_private: true).present?
PublicSuffix::Domain.new(domain)
else
raise PublicSuffix::DomainInvalid
end
end
end
11 changes: 9 additions & 2 deletions test/detector/email_address_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,11 @@ class HomographicSpoofing::Detector::EmailAddressTest < ActiveSupport::TestCase
end

test "detect local part" do
assert_attack "tᴡitter@twitter.com"
assert_attack "t\u{1D21}itter@twitter.com" # tᴡitter@twitter.com
end

test "detect idn" do
assert_attack "jacopo@tᴡitter.com"
assert_attack "jacopo@t\u{1D21}itter.com" # jacopo@tᴡitter.com
end

test "ignore nil email address parts" do
Expand All @@ -23,6 +23,13 @@ class HomographicSpoofing::Detector::EmailAddressTest < ActiveSupport::TestCase
assert_safe "jacopo"
end

test "private domains are allowed but idn attacks are detected" do
assert_safe "someone.from@notaires.fr"
assert_attack "someone.from@n\u{1D0F}taires.fr" # someone.from@nᴏtaires.fr
assert_safe "someone.from@blogspot.com"
assert_attack "someone.from@bl\u{1D0F}gspot.com" # someone.from@blᴏgspot.com
end

private
def assert_attack(email_address)
assert HomographicSpoofing::Detector::EmailAddress.detected?(email_address), "No attack detected for #{email_address}."
Expand Down
3 changes: 2 additions & 1 deletion test/detector/idn_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ class HomographicSpoofing::Detector::IdnTest < ActiveSupport::TestCase
test "Valid mixed scripts" do
assert_safe("おaかbがcキdギeクf.co.jp") # Latin, Hiragana, Katakana
assert_safe("aㄉbㄊcde夕f.com") # Latin, Bopomofo, Han
assert_safe("example.বাংলা") # Latin, Bengali
end

test "Invalid mixed scripts" do
Expand Down Expand Up @@ -265,8 +266,8 @@ class HomographicSpoofing::Detector::IdnTest < ActiveSupport::TestCase
end

test "PublixSuffix parsing errors" do
assert_attack("nic.bd", reason: "invalid_domain")
assert_attack(" ", reason: "invalid_domain")
assert_attack("example|.com", reason: "disallowed_characters")
end

private
Expand Down
2 changes: 1 addition & 1 deletion test/detector/local_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ class HomographicSpoofing::Detector::LocalTest < ActiveSupport::TestCase

test "Unicode NFKC format" do
# Invalid unicode
assert_attack("text".force_encoding("ISO-8859-1"), reason: "invalid_unicode")
assert_attack("text".encode("ISO-8859-1"), reason: "invalid_unicode")
assert_attack("1𝟤3rf".unicode_normalize(:nfc), reason: "nfkc")
assert_safe("scope")
end
Expand Down
2 changes: 1 addition & 1 deletion test/detector/quoted_string_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
class HomographicSpoofing::Detector::QuotedStringTest < ActiveSupport::TestCase
test "Unicode NFC format" do
# Invalid unicode
assert_attack("text".force_encoding("ISO-8859-1"), reason: "invalid_unicode")
assert_attack("text".dup.force_encoding("ISO-8859-1"), reason: "invalid_unicode")
assert_attack("1A\u030A3rf", reason: "nfc")
assert_safe("scope")
end
Expand Down

0 comments on commit 706540a

Please sign in to comment.