mirror of https://github.com/bitwarden/browser synced 2026-02-19 02:44:01 +00:00

Update QA phishing url to be normalized

Leslie Tilton
2026-01-23 13:17:16 -06:00
parent e82eea6bce
commit 494b4b711c
2 changed files with 48 additions and 9 deletions


@@ -69,13 +69,44 @@ describe("PhishingDataService", () => {
expect(service["indexedDbService"]).toBeDefined();
});
it("should detect QA test addresses", async () => {
// The QA test address should always return true
const QAurl = new URL("http://phishing.testcategory.com");
expect(await service.isPhishingWebAddress(QAurl)).toBe(true);
it("should detect QA test addresses - http protocol", async () => {
const url = new URL("http://phishing.testcategory.com");
expect(await service.isPhishingWebAddress(url)).toBe(true);
// IndexedDB should not be called for test addresses
expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
});
it("should detect QA test addresses - https protocol", async () => {
const url = new URL("https://phishing.testcategory.com");
expect(await service.isPhishingWebAddress(url)).toBe(true);
expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
});
it("should detect QA test addresses - specific subpath /block", async () => {
const url = new URL("https://phishing.testcategory.com/block");
expect(await service.isPhishingWebAddress(url)).toBe(true);
expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
});
it("should NOT detect QA test addresses - different subpath", async () => {
mockIndexedDbService.hasUrl.mockResolvedValue(false);
mockIndexedDbService.loadAllUrls.mockResolvedValue([]);
const url = new URL("https://phishing.testcategory.com/other");
const result = await service.isPhishingWebAddress(url);
// This should NOT be detected as a test address since only /block subpath is hardcoded
expect(result).toBe(false);
});
it("should detect QA test addresses - root path with trailing slash", async () => {
const url = new URL("https://phishing.testcategory.com/");
const result = await service.isPhishingWebAddress(url);
// This SHOULD be detected since URLs are normalized (trailing slash added to root URLs)
expect(result).toBe(true);
expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
});
});
describe("isPhishingWebAddress", () => {
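Review bot: None of the new cases covers a listed address that carries a query string or fragment, although the service now matches on the full `url.href`. By that comparison `https://phishing.testcategory.com/block?x=1` would not be treated as a test address and would go on to the normal lookup. Whichever result is intended, pin it with a case such as `expect(await service.isPhishingWebAddress(new URL("https://phishing.testcategory.com/block?x=1"))).toBe(false);`, with `hasUrl` mocked as in the "different subpath" test. The same applies to `http://phishing.testcategory.com/block`, which is absent from the hard-coded list while the https form is present.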


@@ -83,7 +83,7 @@ export class PhishingDataService {
// We are adding the destroy to guard against accidental leaks.
private _destroy$ = new Subject<void>();
private _testWebAddresses = this.getTestWebAddresses().concat("phishing.testcategory.com"); // Included for QA to test in prod
private _testWebAddresses = this.getTestWebAddresses();
private _phishingMetaState = this.globalStateProvider.get(PHISHING_DOMAINS_META_KEY);
private indexedDbService: PhishingIndexedDbService;
@@ -154,7 +154,7 @@ export class PhishingDataService {
*/
async isPhishingWebAddress(url: URL): Promise<boolean> {
// Quick check for QA/dev test addresses
if (this._testWebAddresses.includes(url.hostname)) {
if (this._testWebAddresses.includes(url.href)) {
return true;
}
@@ -223,8 +223,14 @@ export class PhishingDataService {
private getTestWebAddresses() {
const flag = devFlagEnabled("testPhishingUrls");
// Normalize URLs by converting to URL object and back to ensure consistent format (e.g., trailing slashes)
const testWebAddresses: string[] = [
new URL("http://phishing.testcategory.com").href,
new URL("https://phishing.testcategory.com").href,
new URL("https://phishing.testcategory.com/block").href,
];
if (!flag) {
return [];
return testWebAddresses;
}
const webAddresses = devFlagValue("testPhishingUrls") as unknown[];
@@ -233,9 +239,11 @@ export class PhishingDataService {
"[PhishingDataService] Dev flag enabled for testing phishing detection. Adding test phishing web addresses:",
webAddresses,
);
return webAddresses as string[];
// Normalize dev flag URLs as well
const normalizedDevAddresses = (webAddresses as string[]).map((addr) => new URL(addr).href);
return testWebAddresses.concat(normalizedDevAddresses);
}
return [];
return testWebAddresses;
}
private _getUpdatedMeta(): Observable<PhishingDataMeta> {
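Review bot: In `getTestWebAddresses`, the `new URL(addr).href` call inside the `.map` throws a `TypeError` for any `testPhishingUrls` entry that is not an absolute URL, and because the method runs from the `_testWebAddresses` field initializer the exception would surface while the service is being constructed. Before this change the list was compared against `url.hostname`, so existing dev-flag configurations presumably hold bare hostnames, which are exactly the values that fail to parse. Skip entries that are not strings or do not parse, as below, instead of relying on the `as string[]` cast over the `unknown[]` flag value. The hard-coded list is now returned even when the dev flag is off, so it would help to restore a comment saying it ships in production for QA, since the line that said so was removed. The method begins in the previous hunk and the branch around the log call is not fully visible here.

```typescript
// … unchanged: flag lookup, hard-coded testWebAddresses, log call …
const normalizedDevAddresses = webAddresses.flatMap((addr) => {
  if (typeof addr !== "string") {
    return [];
  }
  try {
    return [new URL(addr).href];
  } catch {
    // Not an absolute URL (e.g. a bare hostname from an older dev-flag value); skip it
    return [];
  }
});
return testWebAddresses.concat(normalizedDevAddresses);
```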