From 624444d51d1c633db707ddfaf89477751da5db76 Mon Sep 17 00:00:00 2001
From: evazion <noizave@gmail.com>
Date: Sat, 29 Jul 2017 01:37:30 -0500
Subject: [PATCH] artists: validate that urls are well-formed (fix #2346).

---
 app/models/artist_url.rb | 8 ++++++++
 test/unit/artist_test.rb | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/app/models/artist_url.rb b/app/models/artist_url.rb
index 9a95ecda5..dc18a3d2a 100644
--- a/app/models/artist_url.rb
+++ b/app/models/artist_url.rb
@@ -2,6 +2,7 @@ class ArtistUrl < ApplicationRecord
   before_save :initialize_normalized_url, on: [ :create ]
   before_save :normalize
   validates_presence_of :url
+  validate :validate_url_format
   belongs_to :artist, :touch => true
   attr_accessible :url, :artist_id, :normalized_url
 
@@ -65,4 +66,11 @@ class ArtistUrl < ApplicationRecord
   def to_s
     url
   end
+
+  def validate_url_format
+    uri = Addressable::URI.parse(url)
+    errors[:base] << "'#{url}' must begin with http:// or https://" if !uri.scheme.in?(%w[http https])
+  rescue Addressable::URI::InvalidURIError => error
+    errors[:base] << "'#{url}' is malformed: #{error}"
+  end
 end
diff --git a/test/unit/artist_test.rb b/test/unit/artist_test.rb
index 85fb312e5..afcb9ddfd 100644
--- a/test/unit/artist_test.rb
+++ b/test/unit/artist_test.rb
@@ -134,6 +134,13 @@ class ArtistTest < ActiveSupport::TestCase
       assert_equal(["http://aaa.com", "http://rembrandt.com/test.jpg"], artist.urls.map(&:to_s).sort)
     end
 
+    should "not allow invalid urls" do
+      artist = FactoryGirl.build(:artist, :url_string => "blah")
+
+      assert_equal(false, artist.valid?)
+      assert_equal(["'blah' must begin with http:// or https://"], artist.errors[:url])
+    end
+
     should "make sure old urls are deleted" do
       artist = FactoryGirl.create(:artist, :name => "rembrandt", :url_string => "http://rembrandt.com/test.jpg")
       artist.url_string = "http://not.rembrandt.com/test.jpg"