Add homepage url to user profile

[jacklynhma]

Objective:

1. Add form to the edit profile
2. Update the user profile to display the homepage URL
3. Display the homepage URL on the dashboard

More context: This PR opened during the Ruby Conf Hack day. After speaking with Martin, it was decided that I add a basic homepage URL that can later be iterated on for future social media links.

How to test part 1: Add form to the edit profile

• Login
• On the upper right click the drop-down menu
• Click Edit Profile
• Add your homepage with the format https://yourwebsite.com
• Add your password
• Submit form
• You should see the below image
  Note: I was told that the icon will show on production:

How to test part 2: Update the user profile to display the homepage URL

• Create a user
• Login as a ruby gem user and navigate to /profiles/new-user-username
• You should see the new image:

How to test part 3: Navigate to /dashboard

• You should see the below image with the homepage listed

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.19%. Comparing base (1143eba) to head (9b2bf91).
Report is 9 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5240      +/-   ##
==========================================
- Coverage   96.85%   94.19%   -2.67%     
==========================================
  Files         456      456              
  Lines        9517     9577      +60     
==========================================
- Hits         9218     9021     -197     
- Misses        299      556     +257     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[segiddins]

don't worry about the coverage change

[segiddins]

note to self: suggest the appropriate rel=none; noreferrer options

[martinemde]

looks like rel="nofollow" is what github uses on their profile links. I'm agnostic about "noreferrer" in addition.

[martinemde]

Maybe we should consider something like HackerOne's "you're about to leave this site for ...". Github appends http:// to urls that don't have either http / https in the front, and they are probably doing more.

[jacklynhma]

opps sorry I didn't realize there was a final decision on the rel="nofollow". Thank you for adding these changes :) @martinemde

[martinemde]

Blocking temporarily while we make sure we're sanitizing the urls. I suspect that since we already allow urls from gems, this isn't a whole lot worse, but I want to double check.

[jacklynhma]

@martinemde Thanks for calling this out.

I could be wrong, but while I was looking at the code, I did not see any sanitizing for the URL.

There are some safeguards though.

• If I comment out this new line of code https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
• Add javascript:alert('XSS'); to the homepage_url field in the edit profile
• Navigate to /profiles/(user_name)
• Try to click on the homepage_url
• I will see the below message

which is tied to https://github.com/rubygems/rubygems.org/blob/master/config/initializers/content_security_policy.rb#L33 and which protects against XXS attacks.

However with this validation https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
It looks like the code does prevent javascript:alert('XSS'); from even being submitted
https://github.com/mdespuits/validates_formatting_of/blob/664b7c8b1ae8c9016549944fc833737c74f1d752/lib/validates_formatting_of/method.rb#L19
So something like this will be caught and the below error message will show:

What we can also do is with that sanitize method

      sanitize( link_to(
         user.homepage_url,
         user.homepage_url,
        rel: "nofollow"
      ), tags: %w(a), attributes: %w(href rel))

And then it will remove the href from the link and make it unclickable.

But I understand that true sanitizing would remove everything we don't want in the string. I could also look into this. Please let me know how you would like me to proceed or if I am completely off the mark.