Compare commits

...

10 Commits

Author SHA1 Message Date
Dan Brown
cfeb035548 Updated version and assets for release v26.03.5 2026-05-21 13:56:56 +01:00
Dan Brown
66dcd1f7a8 Merge branch 'v26-03' into release 2026-05-21 13:51:41 +01:00
Dan Brown
ef82119226 MFA: Added verify attempt rate limiting 2026-05-21 13:25:57 +01:00
Dan Brown
1b9ec75903 Deps: Updated PHP package versions 2026-05-21 09:48:20 +01:00
Dan Brown
d1bde2fc78 Updated version and assets for release v26.03.4 2026-04-30 11:38:43 +01:00
Dan Brown
16562816c5 Merge branch 'v26-03' into release 2026-04-30 11:36:39 +01:00
Dan Brown
cf648906e9 SSR: Hardened URL validator against a range of workarounds
Added a more comprehensive range of tests to cover.
Thanks to naruhodoowl (https://github.com/kilhsrito-crypto) for
reporting.
2026-04-30 10:18:50 +01:00
Dan Brown
fddeb9030b Attachments: Added page access check to attachment delete
Thanks to github.com/404-pkj for reporting.
2026-04-29 18:31:11 +01:00
Dan Brown
99a704698d Deps: Updated PHP package versions 2026-04-29 18:12:24 +01:00
Dan Brown
fc220dea39 Search: Fixed exact saerch term negation causing no results
Closes #6121
2026-04-29 18:07:32 +01:00
21 changed files with 687 additions and 410 deletions

View File

@@ -22,4 +22,10 @@ trait HandlesPartialLogins
return $user;
}
protected function clearLastAttemptedUser(): void
{
$loginService = app()->make(LoginService::class);
$loginService->clearLastLoginAttempted();
}
}

View File

@@ -6,6 +6,7 @@ use BookStack\Access\LoginService;
use BookStack\Access\Mfa\BackupCodeService;
use BookStack\Access\Mfa\MfaSession;
use BookStack\Access\Mfa\MfaValue;
use BookStack\Access\Mfa\MfaVerificationLimiter;
use BookStack\Activity\ActivityType;
use BookStack\Exceptions\NotFoundException;
use BookStack\Http\Controller;
@@ -19,6 +20,11 @@ class MfaBackupCodesController extends Controller
protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';
public function __construct(
protected MfaVerificationLimiter $limiter,
) {
}
/**
* Show a view that generates and displays backup codes.
*/
@@ -71,6 +77,12 @@ class MfaBackupCodesController extends Controller
public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)
{
$user = $this->currentOrLastAttemptedUser();
$this->limiter->incrementAttempts($user, $request);
if ($this->limiter->hasHitLimit($user, $request)) {
$this->clearLastAttemptedUser();
$this->limiter->throwException();
}
$codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';
$this->validate($request, [
@@ -89,6 +101,7 @@ class MfaBackupCodesController extends Controller
$mfaSession->markVerifiedForUser($user);
$loginService->reattemptLoginFor($user);
$this->limiter->decrementAttempts($user, $request);
if ($codeService->countCodesInSet($updatedCodes) < 5) {
$this->showWarningNotification(trans('auth.mfa_backup_codes_usage_limit_warning'));

View File

@@ -5,6 +5,7 @@ namespace BookStack\Access\Controllers;
use BookStack\Access\LoginService;
use BookStack\Access\Mfa\MfaSession;
use BookStack\Access\Mfa\MfaValue;
use BookStack\Access\Mfa\MfaVerificationLimiter;
use BookStack\Access\Mfa\TotpService;
use BookStack\Access\Mfa\TotpValidationRule;
use BookStack\Activity\ActivityType;
@@ -20,7 +21,8 @@ class MfaTotpController extends Controller
protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';
public function __construct(
protected TotpService $totp
protected TotpService $totp,
protected MfaVerificationLimiter $limiter,
) {
}
@@ -86,6 +88,12 @@ class MfaTotpController extends Controller
public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)
{
$user = $this->currentOrLastAttemptedUser();
$this->limiter->incrementAttempts($user, $request);
if ($this->limiter->hasHitLimit($user, $request)) {
$this->clearLastAttemptedUser();
$this->limiter->throwException();
}
$totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);
$this->validate($request, [
@@ -98,6 +106,7 @@ class MfaTotpController extends Controller
$mfaSession->markVerifiedForUser($user);
$loginService->reattemptLoginFor($user);
$this->limiter->decrementAttempts($user, $request);
return redirect()->intended();
}

View File

@@ -126,7 +126,7 @@ class LoginService
/**
* Clear the last login attempted session value.
*/
protected function clearLastLoginAttempted(): void
public function clearLastLoginAttempted(): void
{
session()->remove(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY);
}

View File

@@ -0,0 +1,62 @@
<?php
namespace BookStack\Access\Mfa;
use BookStack\Exceptions\NotifyException;
use BookStack\Users\Models\User;
use Illuminate\Cache\RateLimiter;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
/**
* A rate limit specifically for MFA verification.
* Limits across both the attempted user (on a tight limit) and the
* request IP (on a less strict limit).
*/
class MfaVerificationLimiter
{
protected int $maxUserAttemptsPerMinute = 5;
protected int $maxIpAttemptsPerMinute = 60;
public function __construct(
protected RateLimiter $rateLimiter
) {
}
public function throwException(): never
{
throw new NotifyException(
trans('auth.mfa_throttle', ['seconds' => 60]),
'/login',
Response::HTTP_TOO_MANY_REQUESTS
);
}
public function incrementAttempts(User $user, Request $request): void
{
$this->rateLimiter->hit($this->getUserKey($user));
$this->rateLimiter->hit($this->getRequestKey($request));
}
public function decrementAttempts(User $user, Request $request): void
{
$this->rateLimiter->decrement($this->getUserKey($user));
$this->rateLimiter->decrement($this->getRequestKey($request));
}
public function hasHitLimit(User $user, Request $request): bool
{
return $this->rateLimiter->tooManyAttempts($this->getUserKey($user), $this->maxUserAttemptsPerMinute + 1)
|| $this->rateLimiter->tooManyAttempts($this->getRequestKey($request), $this->maxIpAttemptsPerMinute + 1);
}
protected function getUserKey(User $user): string
{
return "mfa-attempt::user::{$user->id}";
}
protected function getRequestKey(Request $request): string
{
return "mfa-attempt::request::{$request->ip()}";
}
}

View File

@@ -120,8 +120,14 @@ class SearchRunner
$filter = function (EloquentBuilder $query) use ($exact) {
$inputTerm = str_replace('\\', '\\\\', $exact->value);
$query->where('name', 'like', '%' . $inputTerm . '%')
->orWhere('description', 'like', '%' . $inputTerm . '%')
->orWhere('text', 'like', '%' . $inputTerm . '%');
->orWhere(function (EloquentBuilder $query) use ($inputTerm) {
$query->whereNotNull('description')
->where('description', 'like', '%' . $inputTerm . '%');
})
->orWhere(function (EloquentBuilder $query) use ($inputTerm) {
$query->whereNotNull('text')
->where('text', 'like', '%' . $inputTerm . '%');
});
};
$exact->negated ? $entityQuery->whereNot($filter) : $entityQuery->where($filter);

View File

@@ -195,6 +195,7 @@ class AttachmentController extends Controller
$this->validate($request, [
'order' => ['required', 'array'],
]);
$page = $this->pageQueries->findVisibleByIdOrFail($pageId);
$this->checkOwnablePermission(Permission::PageUpdate, $page);
@@ -221,8 +222,6 @@ class AttachmentController extends Controller
throw new NotFoundException(trans('errors.attachment_not_found'));
}
$this->checkOwnablePermission(Permission::PageView, $page);
if ($attachment->external) {
return redirect($attachment->path);
}
@@ -247,6 +246,13 @@ class AttachmentController extends Controller
{
/** @var Attachment $attachment */
$attachment = Attachment::query()->findOrFail($attachmentId);
try {
$this->pageQueries->findVisibleByIdOrFail($attachment->uploaded_to);
} catch (NotFoundException $exception) {
throw new NotFoundException(trans('errors.attachment_not_found'));
}
$this->checkOwnablePermission(Permission::AttachmentDelete, $attachment);
$this->attachmentService->deleteFile($attachment);

View File

@@ -8,6 +8,10 @@ use BookStack\Exceptions\HttpFetchException;
* Validate the host we're connecting to when making a server-side-request.
* Will use the given hosts config if given during construction otherwise
* will look to the app configured config.
*
* The config format is a space-seperated list of URL prefixes which should contain the
* protocol and host. It can optionally define a path prefix as part of the URL.
* Wildcards, via a '*', can be used within these elements to match anything but a '/'.
*/
class SsrUrlValidator
{
@@ -48,15 +52,34 @@ class SsrUrlValidator
{
$pattern = rtrim(trim($pattern), '/');
$url = trim($url);
$urlParts = parse_url($url);
if (empty($pattern) || empty($url)) {
if (empty($pattern) || empty($url) || $urlParts === false) {
return false;
}
$quoted = preg_quote($pattern, '/');
$regexPattern = str_replace('\*', '.*', $quoted);
// Prevent potential tricks using percent encoded slashes
if (str_contains(strtolower($urlParts['host'] ?? ''), '%2f')) {
return false;
}
return preg_match('/^' . $regexPattern . '($|\/.*$|#.*$)/i', $url);
// Disregard query and fragment
$url = explode('?', $url, 2)[0];
$url = explode('#', $url, 2)[0];
// Disregard userinfo if existing
if (!empty($urlParts['user']) || !empty($urlParts['pass'])) {
[$start, $postUserinfo] = explode('@', $url, 2);
$preUserinfo = explode('//', $start, 2)[0];
$url = ($preUserinfo ? $preUserinfo . '//' : '') . $postUserinfo;
}
// Prepare pattern
$quoted = preg_quote($pattern, '/');
$regexPattern = str_replace('\*', '[^\/]*', $quoted);
// Check against our URL
return preg_match('/^' . $regexPattern . '($|\/.*$)/i', $url);
}
/**

599
composer.lock generated

File diff suppressed because it is too large Load Diff

View File

@@ -1 +1 @@
81469eb1251aaba324ba3c82d67474e2d9197d29b2b0566429e83d4bfe6291f0
dae691f45e3714020abafdc1d6c10a50ae81fee9630e292237d75ca8b2070e6e

View File

@@ -8,6 +8,7 @@ return [
'failed' => 'These credentials do not match our records.',
'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
'mfa_throttle' => 'Too many multi-factor verification attempts. Please try again in :seconds seconds.',
// Login & Register
'sign_up' => 'Sign up',

14
public/dist/app.js vendored

File diff suppressed because one or more lines are too long

42
public/dist/code.js vendored

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@@ -66,6 +66,27 @@ class MfaVerificationTest extends TestCase
$html->assertElementExists('input[autocomplete="one-time-code"][name="code"]');
}
public function test_totp_verification_is_rate_limited()
{
[$user, $secret, $loginResp] = $this->startTotpLogin();
$loginService = $this->app->make(LoginService::class);
$resp = $this->get('/mfa/verify');
for ($i = 0; $i < 5; $i++) {
$this->post('/mfa/totp/verify', [
'code' => '123456',
])->assertRedirect('/mfa/verify');
$this->assertNotNull($loginService->getLastLoginAttemptUser());
}
$resp = $this->post('/mfa/totp/verify', [
'code' => '123456',
]);
$resp->assertRedirect('/login');
$this->assertSessionError('Too many multi-factor verification attempts. Please try again in 60 seconds.');
$this->assertNull($loginService->getLastLoginAttemptUser());
}
public function test_backup_code_verification()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
@@ -147,6 +168,27 @@ class MfaVerificationTest extends TestCase
$resp->assertSeeText('You have less than 5 backup codes remaining, Please generate and store a new set before you run out of codes to prevent being locked out of your account.');
}
public function test_backup_code_verification_is_rate_limited()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin(['abc12-def45', 'abc12-def46']);
$loginService = $this->app->make(LoginService::class);
$resp = $this->get('/mfa/verify');
for ($i = 0; $i < 5; $i++) {
$this->post('/mfa/backup_codes/verify', [
'code' => '123456abcd',
])->assertRedirect('/mfa/verify');
$this->assertNotNull($loginService->getLastLoginAttemptUser());
}
$resp = $this->post('/mfa/backup_codes/verify', [
'code' => '123456abcd',
]);
$resp->assertRedirect('/login');
$this->assertSessionError('Too many multi-factor verification attempts. Please try again in 60 seconds.');
$this->assertNull($loginService->getLastLoginAttemptUser());
}
public function test_backup_code_form_has_autofill_configured()
{
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();

View File

@@ -136,17 +136,21 @@ class EntitySearchTest extends TestCase
$page->tags()->saveMany([new Tag(['name' => 'DonkCount', 'value' => '500'])]);
$page->created_by = $this->users->admin()->id;
$page->save();
$otherPage = $this->entities->newPage(['name' => 'A different page in negation tests', 'html' => '<p>A different page in negation tests</p>']);
$editor = $this->users->editor();
$this->actingAs($editor);
$exactSearch = $this->get('/search?term=' . urlencode('negation -"tortoise"'));
$exactSearch->assertStatus(200)->assertDontSeeText($page->name);
$exactSearch->assertSeeText($otherPage->name);
$tagSearchA = $this->get('/search?term=' . urlencode('negation [DonkCount=500]'));
$tagSearchA->assertStatus(200)->assertSeeText($page->name);
$tagSearchA->assertDontSeeText($otherPage->name);
$tagSearchB = $this->get('/search?term=' . urlencode('negation -[DonkCount=500]'));
$tagSearchB->assertStatus(200)->assertDontSeeText($page->name);
$tagSearchB->assertSeeText($otherPage->name);
$filterSearchA = $this->get('/search?term=' . urlencode('negation -{created_by:me}'));
$filterSearchA->assertStatus(200)->assertSeeText($page->name);

View File

@@ -1,62 +0,0 @@
<?php
namespace Tests\Unit;
use BookStack\Exceptions\HttpFetchException;
use BookStack\Util\SsrUrlValidator;
use Tests\TestCase;
class SsrUrlValidatorTest extends TestCase
{
public function test_allowed()
{
$testMap = [
// Single values
['config' => '', 'url' => '', 'result' => false],
['config' => '', 'url' => 'https://example.com', 'result' => false],
['config' => ' ', 'url' => 'https://example.com', 'result' => false],
['config' => '*', 'url' => '', 'result' => false],
['config' => '*', 'url' => 'https://example.com', 'result' => true],
['config' => 'https://*', 'url' => 'https://example.com', 'result' => true],
['config' => 'http://*', 'url' => 'https://example.com', 'result' => false],
['config' => 'https://*example.com', 'url' => 'https://example.com', 'result' => true],
['config' => 'https://*ample.com', 'url' => 'https://example.com', 'result' => true],
['config' => 'https://*.example.com', 'url' => 'https://example.com', 'result' => false],
['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],
['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],
['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],
['config' => '*//example.co', 'url' => 'http://example.co.uk', 'result' => false],
['config' => '*//example.co/bookstack', 'url' => 'https://example.co/bookstack/a/path', 'result' => true],
['config' => '*//example.co*', 'url' => 'https://example.co.uk/bookstack/a/path', 'result' => true],
['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],
['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],
// Escapes
['config' => 'https://(.*?).com', 'url' => 'https://example.com', 'result' => false],
['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false],
// Multi values
['config' => '*//example.org *//example.com', 'url' => 'https://example.com', 'result' => true],
['config' => '*//example.org *//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true],
['config' => '*.example.org *.example.com', 'url' => 'https://example.co.uk', 'result' => false],
['config' => ' *.example.org *.example.com ', 'url' => 'https://example.co.uk', 'result' => false],
['config' => '* *.example.com', 'url' => 'https://example.co.uk', 'result' => true],
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true],
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.net', 'result' => false],
];
foreach ($testMap as $test) {
$result = (new SsrUrlValidator($test['config']))->allowed($test['url']);
$this->assertEquals($test['result'], $result, "Failed asserting url '{$test['url']}' with config '{$test['config']}' results " . ($test['result'] ? 'true' : 'false'));
}
}
public function test_enssure_allowed()
{
$result = (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://example.com');
$this->assertNull($result);
$this->expectException(HttpFetchException::class);
(new SsrUrlValidator('https://example.com'))->ensureAllowed('https://test.example.com');
}
}

View File

@@ -5,6 +5,7 @@ namespace Tests\Uploads;
use BookStack\Entities\Models\Page;
use BookStack\Entities\Repos\PageRepo;
use BookStack\Entities\Tools\TrashCan;
use BookStack\Permissions\Permission;
use BookStack\Uploads\Attachment;
use Tests\TestCase;
@@ -206,6 +207,21 @@ class AttachmentTest extends TestCase
$this->files->deleteAllAttachmentFiles();
}
public function test_attachment_deletion_requires_page_access()
{
$page = $this->entities->page();
$attachment = Attachment::factory()->create(['uploaded_to' => $page->id]);
$editor = $this->users->editor();
$this->permissions->disableEntityInheritedPermissions($page);
$this->permissions->grantUserRolePermissions($editor, [Permission::AttachmentDeleteAll]);
$resp = $this->actingAs($editor)->delete($attachment->getUrl());
$resp->assertNotFound();
$this->assertDatabaseHas('attachments', ['id' => $attachment->id]);
}
public function test_attachment_access_without_permission_shows_404()
{
$admin = $this->users->admin();

View File

@@ -0,0 +1,142 @@
<?php
namespace Tests\Util;
use BookStack\Exceptions\HttpFetchException;
use BookStack\Util\SsrUrlValidator;
use Tests\TestCase;
class SsrUrlValidatorTest extends TestCase
{
public function test_is_uses_app_config_by_default()
{
config()->set([
'app.ssr_hosts' => 'https://donkey.example.com',
]);
$validator = new SsrUrlValidator();
$this->assertTrue($validator->allowed('https://donkey.example.com'));
$this->assertFalse($validator->allowed('https://monkey.example.com'));
}
public function test_config_string_can_be_passed_in_constructor()
{
config()->set([
'app.ssr_hosts' => 'https://donkey.example.com',
]);
$validator = new SsrUrlValidator('https://monkey.example.com');
$this->assertFalse($validator->allowed('https://donkey.example.com'));
$this->assertTrue($validator->allowed('https://monkey.example.com'));
}
public function test_config_string_can_include_multiple_space_seperated_values()
{
$validator = new SsrUrlValidator('https://monkey.example.com https://cat.example.com');
$this->assertFalse($validator->allowed('https://donkey.example.com'));
$this->assertTrue($validator->allowed('https://monkey.example.com'));
$this->assertTrue($validator->allowed('https://cat.example.com'));
}
public function test_ensure_allowed_throws_if_not_allowed()
{
$validator = new SsrUrlValidator('https://monkey.example.com');
$this->assertNull($validator->ensureAllowed('https://monkey.example.com'));
$this->assertThrows(function () use ($validator) {
$validator->ensureAllowed('https://donkey.example.com');
}, HttpFetchException::class, 'The URL does not match the configured allowed SSR hosts');
}
public function test_basic_url_matching()
{
$tests = [
// Single values
['config' => '', 'url' => '', 'result' => false],
['config' => '', 'url' => 'https://example.com', 'result' => false],
['config' => ' ', 'url' => 'https://example.com', 'result' => false],
['config' => '*', 'url' => '', 'result' => false],
['config' => '*', 'url' => 'https://example.com', 'result' => true],
['config' => 'https://*', 'url' => 'https://example.com', 'result' => true],
['config' => 'http://*', 'url' => 'https://example.com', 'result' => false],
['config' => 'https://*example.com', 'url' => 'https://example.com', 'result' => true],
['config' => 'https://*ample.com', 'url' => 'https://example.com', 'result' => true],
['config' => 'https://*.example.com', 'url' => 'https://example.com', 'result' => false],
['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],
['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],
['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],
['config' => '*//example.co', 'url' => 'http://example.co.uk', 'result' => false],
['config' => '*//example.co/bookstack', 'url' => 'https://example.co/bookstack/a/path', 'result' => true],
['config' => '*//example.co*', 'url' => 'https://example.co.uk/bookstack/a/path', 'result' => true],
['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],
['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],
// Escapes
['config' => 'https://(.*?).com', 'url' => 'https://example.com', 'result' => false],
['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false],
// Multi values
['config' => '*//example.org *//example.com', 'url' => 'https://example.com', 'result' => true],
['config' => '*//example.org *//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true],
['config' => '*.example.org *.example.com', 'url' => 'https://example.co.uk', 'result' => false],
['config' => ' *.example.org *.example.com ', 'url' => 'https://example.co.uk', 'result' => false],
['config' => '* *.example.com', 'url' => 'https://example.co.uk', 'result' => true],
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true],
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.net', 'result' => false],
// Further tests
['config' => 'https://monkey.example.com', 'url' => 'https://monkey.example.com/a/b', 'result' => true,],
['config' => 'https://monkey.example.com', 'url' => 'https://monkey.example.com/a/b?a=b#ab', 'result' => true,],
['config' => 'https://monkey.example.com', 'url' => 'https://monkey.example.com:8080/a', 'result' => false,],
['config' => '*', 'url' => 'https://a.example.com', 'result' => true,],
['config' => 'https://monkey.example.com', 'url' => 'http://monkey.example.com/a/b?a=b#ab', 'result' => false,],
['config' => 'https://monkey.example.com', 'url' => 'https://beans.monkey.example.com/a/b?a=b#ab', 'result' => false,],
['config' => 'https://*monkey.example.com', 'url' => 'https://amonkey.example.com/a/b?a=b#ab', 'result' => true,],
['config' => 'https://*monkey.example.com', 'url' => 'https://donkey.example.com/a/b/monkey.example.com/b?a=b#ab', 'result' => false,],
['config' => 'https://monkey.example.com', 'url' => 'https://example.com/monkey.example.com/b?a=monkey.example.com#monkey.example.com', 'result' => false,],
['config' => 'https://*.example.com', 'url' => 'https://a.b.example.com/a/b', 'result' => true,],
['config' => 'https://*.example.com', 'url' => 'https://a.b.example.a.com/a/b', 'result' => false,],
['config' => 'https://*.example.com', 'url' => 'https://a.com/a/b?val=a.example.com', 'result' => false,],
['config' => 'https://*.example.com', 'url' => 'https://a.com/a/b#example.com', 'result' => false,],
['config' => 'https://a.*.example.com', 'url' => 'https://a.b.c.example.com/c/d', 'result' => true,],
['config' => 'https://example.com/webhooks/', 'url' => 'https://example.com/webhooks/beans', 'result' => true,],
['config' => 'https://example.com/webhooks/', 'url' => 'https://example.com/a/webhooks/', 'result' => false,],
['config' => 'https://example.com:8080', 'url' => 'https://example.com/a/b', 'result' => false,],
['config' => 'https://example.com:8080', 'url' => 'https://example.com:8080/a/b', 'result' => true,],
['config' => 'https://example.com/*', 'url' => 'https://example.com:8080/a/b', 'result' => false,],
];
foreach ($tests as $testCase) {
$validator = new SsrUrlValidator($testCase['config']);
$result = $validator->allowed($testCase['url']);
$this->assertEquals($testCase['result'], $result, "Failed asserting expected result for config {$testCase['config']} and test value {$testCase['url']}");
}
}
public function test_wildcard_does_not_match_userinfo_data_but_still_allows_it()
{
$validator = new SsrUrlValidator('https://*monkey.example.com');
$this->assertFalse($validator->allowed('https://monkey.example.com@a.example.com'));
$validator = new SsrUrlValidator('https://monkey.example.com*');
$this->assertFalse($validator->allowed('https://monkey.example.com@a.example.com'));
$this->assertFalse($validator->allowed('https://monkey.example.com:monkey.example.com@a.example.com'));
$validator = new SsrUrlValidator('https://monkey.example.com');
$this->assertTrue($validator->allowed('https://a:b@monkey.example.com'));
}
public function test_percent_encoded_slashes_in_host_are_rejected()
{
$validator = new SsrUrlValidator('*');
$this->assertFalse($validator->allowed('https://cat.example.com%2Fa/b'));
$this->assertFalse($validator->allowed('https://cat.example.com%2fa/b'));
$this->assertFalse($validator->allowed('https://cat%2f.example.com/a/b'));
$this->assertFalse($validator->allowed('https://cat.exa%2Fmple.com'));
}
}

View File

@@ -1 +1 @@
v26.03.3
v26.03.5