# # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one # or more contributor license agreements. Licensed under the Elastic License 2.0; # you may not use this file except in compliance with the Elastic License 2.0. # # frozen_string_literal: true # rubocop:disable Lint/ConstantDefinitionInBlock RSpec.describe 'Sitemap XXE vulnerability specs' do DO_NOT_VISIT_TXT_PATH = File.expand_path(File.join(FIXTURES_HOME, 'do-not-visit.txt')) SITEMAP_XML = <<~XML.freeze ]> http://127.0.0.1:9393/ 2019-06-19 daily http://127.0.0.1:9393/visit-here 2019-06-19 daily &test; 2019-06-19 daily XML let(:results) { FauxCrawl.run(site) } context 'sitemap' do let(:site) do Faux.site do robots do user_agent '*' sitemap '/sitemap.xml' end sitemap '/sitemap.xml' do def response_body [SITEMAP_XML] end end page '/visit-here' end end it 'extracts links but does not look up files' do expect(results).to have_only_these_results [ mock_response(url: 'http://127.0.0.1:9393/visit-here', status_code: 200) ] end end context 'gzipped sitemap' do let(:site) do Faux.site do robots do user_agent '*' sitemap '/sitemap.xml' end sitemap '/sitemap.xml' do def response_body [gzip(SITEMAP_XML)] end end page '/visit-here' end end it 'extracts links but does not look up files' do expect(results).to have_only_these_results [ mock_response(url: 'http://127.0.0.1:9393/visit-here', status_code: 200) ] end end end # rubocop:enable Lint/ConstantDefinitionInBlock