mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-07-16 13:43:48 +03:00
Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
cfeb035548 | ||
|
|
66dcd1f7a8 | ||
|
|
ef82119226 | ||
|
|
1b9ec75903 | ||
|
|
d1bde2fc78 | ||
|
|
16562816c5 | ||
|
|
cf648906e9 | ||
|
|
fddeb9030b | ||
|
|
99a704698d | ||
|
|
fc220dea39 |
@@ -22,4 +22,10 @@ trait HandlesPartialLogins
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
protected function clearLastAttemptedUser(): void
|
||||
{
|
||||
$loginService = app()->make(LoginService::class);
|
||||
$loginService->clearLastLoginAttempted();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ use BookStack\Access\LoginService;
|
||||
use BookStack\Access\Mfa\BackupCodeService;
|
||||
use BookStack\Access\Mfa\MfaSession;
|
||||
use BookStack\Access\Mfa\MfaValue;
|
||||
use BookStack\Access\Mfa\MfaVerificationLimiter;
|
||||
use BookStack\Activity\ActivityType;
|
||||
use BookStack\Exceptions\NotFoundException;
|
||||
use BookStack\Http\Controller;
|
||||
@@ -19,6 +20,11 @@ class MfaBackupCodesController extends Controller
|
||||
|
||||
protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';
|
||||
|
||||
public function __construct(
|
||||
protected MfaVerificationLimiter $limiter,
|
||||
) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Show a view that generates and displays backup codes.
|
||||
*/
|
||||
@@ -71,6 +77,12 @@ class MfaBackupCodesController extends Controller
|
||||
public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)
|
||||
{
|
||||
$user = $this->currentOrLastAttemptedUser();
|
||||
$this->limiter->incrementAttempts($user, $request);
|
||||
if ($this->limiter->hasHitLimit($user, $request)) {
|
||||
$this->clearLastAttemptedUser();
|
||||
$this->limiter->throwException();
|
||||
}
|
||||
|
||||
$codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';
|
||||
|
||||
$this->validate($request, [
|
||||
@@ -89,6 +101,7 @@ class MfaBackupCodesController extends Controller
|
||||
|
||||
$mfaSession->markVerifiedForUser($user);
|
||||
$loginService->reattemptLoginFor($user);
|
||||
$this->limiter->decrementAttempts($user, $request);
|
||||
|
||||
if ($codeService->countCodesInSet($updatedCodes) < 5) {
|
||||
$this->showWarningNotification(trans('auth.mfa_backup_codes_usage_limit_warning'));
|
||||
|
||||
@@ -5,6 +5,7 @@ namespace BookStack\Access\Controllers;
|
||||
use BookStack\Access\LoginService;
|
||||
use BookStack\Access\Mfa\MfaSession;
|
||||
use BookStack\Access\Mfa\MfaValue;
|
||||
use BookStack\Access\Mfa\MfaVerificationLimiter;
|
||||
use BookStack\Access\Mfa\TotpService;
|
||||
use BookStack\Access\Mfa\TotpValidationRule;
|
||||
use BookStack\Activity\ActivityType;
|
||||
@@ -20,7 +21,8 @@ class MfaTotpController extends Controller
|
||||
protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';
|
||||
|
||||
public function __construct(
|
||||
protected TotpService $totp
|
||||
protected TotpService $totp,
|
||||
protected MfaVerificationLimiter $limiter,
|
||||
) {
|
||||
}
|
||||
|
||||
@@ -86,6 +88,12 @@ class MfaTotpController extends Controller
|
||||
public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)
|
||||
{
|
||||
$user = $this->currentOrLastAttemptedUser();
|
||||
$this->limiter->incrementAttempts($user, $request);
|
||||
if ($this->limiter->hasHitLimit($user, $request)) {
|
||||
$this->clearLastAttemptedUser();
|
||||
$this->limiter->throwException();
|
||||
}
|
||||
|
||||
$totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);
|
||||
|
||||
$this->validate($request, [
|
||||
@@ -98,6 +106,7 @@ class MfaTotpController extends Controller
|
||||
|
||||
$mfaSession->markVerifiedForUser($user);
|
||||
$loginService->reattemptLoginFor($user);
|
||||
$this->limiter->decrementAttempts($user, $request);
|
||||
|
||||
return redirect()->intended();
|
||||
}
|
||||
|
||||
@@ -126,7 +126,7 @@ class LoginService
|
||||
/**
|
||||
* Clear the last login attempted session value.
|
||||
*/
|
||||
protected function clearLastLoginAttempted(): void
|
||||
public function clearLastLoginAttempted(): void
|
||||
{
|
||||
session()->remove(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY);
|
||||
}
|
||||
|
||||
62
app/Access/Mfa/MfaVerificationLimiter.php
Normal file
62
app/Access/Mfa/MfaVerificationLimiter.php
Normal file
@@ -0,0 +1,62 @@
|
||||
<?php
|
||||
|
||||
namespace BookStack\Access\Mfa;
|
||||
|
||||
use BookStack\Exceptions\NotifyException;
|
||||
use BookStack\Users\Models\User;
|
||||
use Illuminate\Cache\RateLimiter;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Http\Response;
|
||||
|
||||
/**
|
||||
* A rate limit specifically for MFA verification.
|
||||
* Limits across both the attempted user (on a tight limit) and the
|
||||
* request IP (on a less strict limit).
|
||||
*/
|
||||
class MfaVerificationLimiter
|
||||
{
|
||||
protected int $maxUserAttemptsPerMinute = 5;
|
||||
protected int $maxIpAttemptsPerMinute = 60;
|
||||
|
||||
public function __construct(
|
||||
protected RateLimiter $rateLimiter
|
||||
) {
|
||||
}
|
||||
|
||||
public function throwException(): never
|
||||
{
|
||||
throw new NotifyException(
|
||||
trans('auth.mfa_throttle', ['seconds' => 60]),
|
||||
'/login',
|
||||
Response::HTTP_TOO_MANY_REQUESTS
|
||||
);
|
||||
}
|
||||
|
||||
public function incrementAttempts(User $user, Request $request): void
|
||||
{
|
||||
$this->rateLimiter->hit($this->getUserKey($user));
|
||||
$this->rateLimiter->hit($this->getRequestKey($request));
|
||||
}
|
||||
|
||||
public function decrementAttempts(User $user, Request $request): void
|
||||
{
|
||||
$this->rateLimiter->decrement($this->getUserKey($user));
|
||||
$this->rateLimiter->decrement($this->getRequestKey($request));
|
||||
}
|
||||
|
||||
public function hasHitLimit(User $user, Request $request): bool
|
||||
{
|
||||
return $this->rateLimiter->tooManyAttempts($this->getUserKey($user), $this->maxUserAttemptsPerMinute + 1)
|
||||
|| $this->rateLimiter->tooManyAttempts($this->getRequestKey($request), $this->maxIpAttemptsPerMinute + 1);
|
||||
}
|
||||
|
||||
protected function getUserKey(User $user): string
|
||||
{
|
||||
return "mfa-attempt::user::{$user->id}";
|
||||
}
|
||||
|
||||
protected function getRequestKey(Request $request): string
|
||||
{
|
||||
return "mfa-attempt::request::{$request->ip()}";
|
||||
}
|
||||
}
|
||||
@@ -120,8 +120,14 @@ class SearchRunner
|
||||
$filter = function (EloquentBuilder $query) use ($exact) {
|
||||
$inputTerm = str_replace('\\', '\\\\', $exact->value);
|
||||
$query->where('name', 'like', '%' . $inputTerm . '%')
|
||||
->orWhere('description', 'like', '%' . $inputTerm . '%')
|
||||
->orWhere('text', 'like', '%' . $inputTerm . '%');
|
||||
->orWhere(function (EloquentBuilder $query) use ($inputTerm) {
|
||||
$query->whereNotNull('description')
|
||||
->where('description', 'like', '%' . $inputTerm . '%');
|
||||
})
|
||||
->orWhere(function (EloquentBuilder $query) use ($inputTerm) {
|
||||
$query->whereNotNull('text')
|
||||
->where('text', 'like', '%' . $inputTerm . '%');
|
||||
});
|
||||
};
|
||||
|
||||
$exact->negated ? $entityQuery->whereNot($filter) : $entityQuery->where($filter);
|
||||
|
||||
@@ -195,6 +195,7 @@ class AttachmentController extends Controller
|
||||
$this->validate($request, [
|
||||
'order' => ['required', 'array'],
|
||||
]);
|
||||
|
||||
$page = $this->pageQueries->findVisibleByIdOrFail($pageId);
|
||||
$this->checkOwnablePermission(Permission::PageUpdate, $page);
|
||||
|
||||
@@ -221,8 +222,6 @@ class AttachmentController extends Controller
|
||||
throw new NotFoundException(trans('errors.attachment_not_found'));
|
||||
}
|
||||
|
||||
$this->checkOwnablePermission(Permission::PageView, $page);
|
||||
|
||||
if ($attachment->external) {
|
||||
return redirect($attachment->path);
|
||||
}
|
||||
@@ -247,6 +246,13 @@ class AttachmentController extends Controller
|
||||
{
|
||||
/** @var Attachment $attachment */
|
||||
$attachment = Attachment::query()->findOrFail($attachmentId);
|
||||
|
||||
try {
|
||||
$this->pageQueries->findVisibleByIdOrFail($attachment->uploaded_to);
|
||||
} catch (NotFoundException $exception) {
|
||||
throw new NotFoundException(trans('errors.attachment_not_found'));
|
||||
}
|
||||
|
||||
$this->checkOwnablePermission(Permission::AttachmentDelete, $attachment);
|
||||
$this->attachmentService->deleteFile($attachment);
|
||||
|
||||
|
||||
@@ -8,6 +8,10 @@ use BookStack\Exceptions\HttpFetchException;
|
||||
* Validate the host we're connecting to when making a server-side-request.
|
||||
* Will use the given hosts config if given during construction otherwise
|
||||
* will look to the app configured config.
|
||||
*
|
||||
* The config format is a space-seperated list of URL prefixes which should contain the
|
||||
* protocol and host. It can optionally define a path prefix as part of the URL.
|
||||
* Wildcards, via a '*', can be used within these elements to match anything but a '/'.
|
||||
*/
|
||||
class SsrUrlValidator
|
||||
{
|
||||
@@ -48,15 +52,34 @@ class SsrUrlValidator
|
||||
{
|
||||
$pattern = rtrim(trim($pattern), '/');
|
||||
$url = trim($url);
|
||||
$urlParts = parse_url($url);
|
||||
|
||||
if (empty($pattern) || empty($url)) {
|
||||
if (empty($pattern) || empty($url) || $urlParts === false) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$quoted = preg_quote($pattern, '/');
|
||||
$regexPattern = str_replace('\*', '.*', $quoted);
|
||||
// Prevent potential tricks using percent encoded slashes
|
||||
if (str_contains(strtolower($urlParts['host'] ?? ''), '%2f')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return preg_match('/^' . $regexPattern . '($|\/.*$|#.*$)/i', $url);
|
||||
// Disregard query and fragment
|
||||
$url = explode('?', $url, 2)[0];
|
||||
$url = explode('#', $url, 2)[0];
|
||||
|
||||
// Disregard userinfo if existing
|
||||
if (!empty($urlParts['user']) || !empty($urlParts['pass'])) {
|
||||
[$start, $postUserinfo] = explode('@', $url, 2);
|
||||
$preUserinfo = explode('//', $start, 2)[0];
|
||||
$url = ($preUserinfo ? $preUserinfo . '//' : '') . $postUserinfo;
|
||||
}
|
||||
|
||||
// Prepare pattern
|
||||
$quoted = preg_quote($pattern, '/');
|
||||
$regexPattern = str_replace('\*', '[^\/]*', $quoted);
|
||||
|
||||
// Check against our URL
|
||||
return preg_match('/^' . $regexPattern . '($|\/.*$)/i', $url);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
599
composer.lock
generated
599
composer.lock
generated
File diff suppressed because it is too large
Load Diff
@@ -1 +1 @@
|
||||
81469eb1251aaba324ba3c82d67474e2d9197d29b2b0566429e83d4bfe6291f0
|
||||
dae691f45e3714020abafdc1d6c10a50ae81fee9630e292237d75ca8b2070e6e
|
||||
@@ -8,6 +8,7 @@ return [
|
||||
|
||||
'failed' => 'These credentials do not match our records.',
|
||||
'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
|
||||
'mfa_throttle' => 'Too many multi-factor verification attempts. Please try again in :seconds seconds.',
|
||||
|
||||
// Login & Register
|
||||
'sign_up' => 'Sign up',
|
||||
|
||||
14
public/dist/app.js
vendored
14
public/dist/app.js
vendored
File diff suppressed because one or more lines are too long
42
public/dist/code.js
vendored
42
public/dist/code.js
vendored
File diff suppressed because one or more lines are too long
20
public/dist/markdown.js
vendored
20
public/dist/markdown.js
vendored
File diff suppressed because one or more lines are too long
6
public/dist/wysiwyg.js
vendored
6
public/dist/wysiwyg.js
vendored
File diff suppressed because one or more lines are too long
@@ -66,6 +66,27 @@ class MfaVerificationTest extends TestCase
|
||||
$html->assertElementExists('input[autocomplete="one-time-code"][name="code"]');
|
||||
}
|
||||
|
||||
public function test_totp_verification_is_rate_limited()
|
||||
{
|
||||
[$user, $secret, $loginResp] = $this->startTotpLogin();
|
||||
$loginService = $this->app->make(LoginService::class);
|
||||
|
||||
$resp = $this->get('/mfa/verify');
|
||||
for ($i = 0; $i < 5; $i++) {
|
||||
$this->post('/mfa/totp/verify', [
|
||||
'code' => '123456',
|
||||
])->assertRedirect('/mfa/verify');
|
||||
$this->assertNotNull($loginService->getLastLoginAttemptUser());
|
||||
}
|
||||
|
||||
$resp = $this->post('/mfa/totp/verify', [
|
||||
'code' => '123456',
|
||||
]);
|
||||
$resp->assertRedirect('/login');
|
||||
$this->assertSessionError('Too many multi-factor verification attempts. Please try again in 60 seconds.');
|
||||
$this->assertNull($loginService->getLastLoginAttemptUser());
|
||||
}
|
||||
|
||||
public function test_backup_code_verification()
|
||||
{
|
||||
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
|
||||
@@ -147,6 +168,27 @@ class MfaVerificationTest extends TestCase
|
||||
$resp->assertSeeText('You have less than 5 backup codes remaining, Please generate and store a new set before you run out of codes to prevent being locked out of your account.');
|
||||
}
|
||||
|
||||
public function test_backup_code_verification_is_rate_limited()
|
||||
{
|
||||
[$user, $codes, $loginResp] = $this->startBackupCodeLogin(['abc12-def45', 'abc12-def46']);
|
||||
$loginService = $this->app->make(LoginService::class);
|
||||
|
||||
$resp = $this->get('/mfa/verify');
|
||||
for ($i = 0; $i < 5; $i++) {
|
||||
$this->post('/mfa/backup_codes/verify', [
|
||||
'code' => '123456abcd',
|
||||
])->assertRedirect('/mfa/verify');
|
||||
$this->assertNotNull($loginService->getLastLoginAttemptUser());
|
||||
}
|
||||
|
||||
$resp = $this->post('/mfa/backup_codes/verify', [
|
||||
'code' => '123456abcd',
|
||||
]);
|
||||
$resp->assertRedirect('/login');
|
||||
$this->assertSessionError('Too many multi-factor verification attempts. Please try again in 60 seconds.');
|
||||
$this->assertNull($loginService->getLastLoginAttemptUser());
|
||||
}
|
||||
|
||||
public function test_backup_code_form_has_autofill_configured()
|
||||
{
|
||||
[$user, $codes, $loginResp] = $this->startBackupCodeLogin();
|
||||
|
||||
@@ -136,17 +136,21 @@ class EntitySearchTest extends TestCase
|
||||
$page->tags()->saveMany([new Tag(['name' => 'DonkCount', 'value' => '500'])]);
|
||||
$page->created_by = $this->users->admin()->id;
|
||||
$page->save();
|
||||
$otherPage = $this->entities->newPage(['name' => 'A different page in negation tests', 'html' => '<p>A different page in negation tests</p>']);
|
||||
|
||||
$editor = $this->users->editor();
|
||||
$this->actingAs($editor);
|
||||
|
||||
$exactSearch = $this->get('/search?term=' . urlencode('negation -"tortoise"'));
|
||||
$exactSearch->assertStatus(200)->assertDontSeeText($page->name);
|
||||
$exactSearch->assertSeeText($otherPage->name);
|
||||
|
||||
$tagSearchA = $this->get('/search?term=' . urlencode('negation [DonkCount=500]'));
|
||||
$tagSearchA->assertStatus(200)->assertSeeText($page->name);
|
||||
$tagSearchA->assertDontSeeText($otherPage->name);
|
||||
$tagSearchB = $this->get('/search?term=' . urlencode('negation -[DonkCount=500]'));
|
||||
$tagSearchB->assertStatus(200)->assertDontSeeText($page->name);
|
||||
$tagSearchB->assertSeeText($otherPage->name);
|
||||
|
||||
$filterSearchA = $this->get('/search?term=' . urlencode('negation -{created_by:me}'));
|
||||
$filterSearchA->assertStatus(200)->assertSeeText($page->name);
|
||||
|
||||
@@ -1,62 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Unit;
|
||||
|
||||
use BookStack\Exceptions\HttpFetchException;
|
||||
use BookStack\Util\SsrUrlValidator;
|
||||
use Tests\TestCase;
|
||||
|
||||
class SsrUrlValidatorTest extends TestCase
|
||||
{
|
||||
public function test_allowed()
|
||||
{
|
||||
$testMap = [
|
||||
// Single values
|
||||
['config' => '', 'url' => '', 'result' => false],
|
||||
['config' => '', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => ' ', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => '*', 'url' => '', 'result' => false],
|
||||
['config' => '*', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'https://*', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'http://*', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => 'https://*example.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'https://*ample.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],
|
||||
['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],
|
||||
['config' => '*//example.co', 'url' => 'http://example.co.uk', 'result' => false],
|
||||
['config' => '*//example.co/bookstack', 'url' => 'https://example.co/bookstack/a/path', 'result' => true],
|
||||
['config' => '*//example.co*', 'url' => 'https://example.co.uk/bookstack/a/path', 'result' => true],
|
||||
['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],
|
||||
['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],
|
||||
|
||||
// Escapes
|
||||
['config' => 'https://(.*?).com', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false],
|
||||
|
||||
// Multi values
|
||||
['config' => '*//example.org *//example.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => '*//example.org *//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true],
|
||||
['config' => '*.example.org *.example.com', 'url' => 'https://example.co.uk', 'result' => false],
|
||||
['config' => ' *.example.org *.example.com ', 'url' => 'https://example.co.uk', 'result' => false],
|
||||
['config' => '* *.example.com', 'url' => 'https://example.co.uk', 'result' => true],
|
||||
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true],
|
||||
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.net', 'result' => false],
|
||||
];
|
||||
|
||||
foreach ($testMap as $test) {
|
||||
$result = (new SsrUrlValidator($test['config']))->allowed($test['url']);
|
||||
$this->assertEquals($test['result'], $result, "Failed asserting url '{$test['url']}' with config '{$test['config']}' results " . ($test['result'] ? 'true' : 'false'));
|
||||
}
|
||||
}
|
||||
|
||||
public function test_enssure_allowed()
|
||||
{
|
||||
$result = (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://example.com');
|
||||
$this->assertNull($result);
|
||||
|
||||
$this->expectException(HttpFetchException::class);
|
||||
(new SsrUrlValidator('https://example.com'))->ensureAllowed('https://test.example.com');
|
||||
}
|
||||
}
|
||||
@@ -5,6 +5,7 @@ namespace Tests\Uploads;
|
||||
use BookStack\Entities\Models\Page;
|
||||
use BookStack\Entities\Repos\PageRepo;
|
||||
use BookStack\Entities\Tools\TrashCan;
|
||||
use BookStack\Permissions\Permission;
|
||||
use BookStack\Uploads\Attachment;
|
||||
use Tests\TestCase;
|
||||
|
||||
@@ -206,6 +207,21 @@ class AttachmentTest extends TestCase
|
||||
$this->files->deleteAllAttachmentFiles();
|
||||
}
|
||||
|
||||
public function test_attachment_deletion_requires_page_access()
|
||||
{
|
||||
$page = $this->entities->page();
|
||||
$attachment = Attachment::factory()->create(['uploaded_to' => $page->id]);
|
||||
$editor = $this->users->editor();
|
||||
|
||||
$this->permissions->disableEntityInheritedPermissions($page);
|
||||
$this->permissions->grantUserRolePermissions($editor, [Permission::AttachmentDeleteAll]);
|
||||
|
||||
$resp = $this->actingAs($editor)->delete($attachment->getUrl());
|
||||
$resp->assertNotFound();
|
||||
|
||||
$this->assertDatabaseHas('attachments', ['id' => $attachment->id]);
|
||||
}
|
||||
|
||||
public function test_attachment_access_without_permission_shows_404()
|
||||
{
|
||||
$admin = $this->users->admin();
|
||||
|
||||
142
tests/Util/SsrUrlValidatorTest.php
Normal file
142
tests/Util/SsrUrlValidatorTest.php
Normal file
@@ -0,0 +1,142 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Util;
|
||||
|
||||
use BookStack\Exceptions\HttpFetchException;
|
||||
use BookStack\Util\SsrUrlValidator;
|
||||
use Tests\TestCase;
|
||||
|
||||
class SsrUrlValidatorTest extends TestCase
|
||||
{
|
||||
public function test_is_uses_app_config_by_default()
|
||||
{
|
||||
config()->set([
|
||||
'app.ssr_hosts' => 'https://donkey.example.com',
|
||||
]);
|
||||
|
||||
$validator = new SsrUrlValidator();
|
||||
|
||||
$this->assertTrue($validator->allowed('https://donkey.example.com'));
|
||||
$this->assertFalse($validator->allowed('https://monkey.example.com'));
|
||||
}
|
||||
|
||||
public function test_config_string_can_be_passed_in_constructor()
|
||||
{
|
||||
config()->set([
|
||||
'app.ssr_hosts' => 'https://donkey.example.com',
|
||||
]);
|
||||
|
||||
$validator = new SsrUrlValidator('https://monkey.example.com');
|
||||
|
||||
$this->assertFalse($validator->allowed('https://donkey.example.com'));
|
||||
$this->assertTrue($validator->allowed('https://monkey.example.com'));
|
||||
}
|
||||
|
||||
public function test_config_string_can_include_multiple_space_seperated_values()
|
||||
{
|
||||
$validator = new SsrUrlValidator('https://monkey.example.com https://cat.example.com');
|
||||
|
||||
$this->assertFalse($validator->allowed('https://donkey.example.com'));
|
||||
$this->assertTrue($validator->allowed('https://monkey.example.com'));
|
||||
$this->assertTrue($validator->allowed('https://cat.example.com'));
|
||||
}
|
||||
|
||||
public function test_ensure_allowed_throws_if_not_allowed()
|
||||
{
|
||||
$validator = new SsrUrlValidator('https://monkey.example.com');
|
||||
|
||||
$this->assertNull($validator->ensureAllowed('https://monkey.example.com'));
|
||||
|
||||
$this->assertThrows(function () use ($validator) {
|
||||
$validator->ensureAllowed('https://donkey.example.com');
|
||||
}, HttpFetchException::class, 'The URL does not match the configured allowed SSR hosts');
|
||||
}
|
||||
|
||||
public function test_basic_url_matching()
|
||||
{
|
||||
$tests = [
|
||||
// Single values
|
||||
['config' => '', 'url' => '', 'result' => false],
|
||||
['config' => '', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => ' ', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => '*', 'url' => '', 'result' => false],
|
||||
['config' => '*', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'https://*', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'http://*', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => 'https://*example.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'https://*ample.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],
|
||||
['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],
|
||||
['config' => '*//example.co', 'url' => 'http://example.co.uk', 'result' => false],
|
||||
['config' => '*//example.co/bookstack', 'url' => 'https://example.co/bookstack/a/path', 'result' => true],
|
||||
['config' => '*//example.co*', 'url' => 'https://example.co.uk/bookstack/a/path', 'result' => true],
|
||||
['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],
|
||||
['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],
|
||||
|
||||
// Escapes
|
||||
['config' => 'https://(.*?).com', 'url' => 'https://example.com', 'result' => false],
|
||||
['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false],
|
||||
|
||||
// Multi values
|
||||
['config' => '*//example.org *//example.com', 'url' => 'https://example.com', 'result' => true],
|
||||
['config' => '*//example.org *//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true],
|
||||
['config' => '*.example.org *.example.com', 'url' => 'https://example.co.uk', 'result' => false],
|
||||
['config' => ' *.example.org *.example.com ', 'url' => 'https://example.co.uk', 'result' => false],
|
||||
['config' => '* *.example.com', 'url' => 'https://example.co.uk', 'result' => true],
|
||||
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true],
|
||||
['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.net', 'result' => false],
|
||||
|
||||
// Further tests
|
||||
['config' => 'https://monkey.example.com', 'url' => 'https://monkey.example.com/a/b', 'result' => true,],
|
||||
['config' => 'https://monkey.example.com', 'url' => 'https://monkey.example.com/a/b?a=b#ab', 'result' => true,],
|
||||
['config' => 'https://monkey.example.com', 'url' => 'https://monkey.example.com:8080/a', 'result' => false,],
|
||||
['config' => '*', 'url' => 'https://a.example.com', 'result' => true,],
|
||||
['config' => 'https://monkey.example.com', 'url' => 'http://monkey.example.com/a/b?a=b#ab', 'result' => false,],
|
||||
['config' => 'https://monkey.example.com', 'url' => 'https://beans.monkey.example.com/a/b?a=b#ab', 'result' => false,],
|
||||
['config' => 'https://*monkey.example.com', 'url' => 'https://amonkey.example.com/a/b?a=b#ab', 'result' => true,],
|
||||
['config' => 'https://*monkey.example.com', 'url' => 'https://donkey.example.com/a/b/monkey.example.com/b?a=b#ab', 'result' => false,],
|
||||
['config' => 'https://monkey.example.com', 'url' => 'https://example.com/monkey.example.com/b?a=monkey.example.com#monkey.example.com', 'result' => false,],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://a.b.example.com/a/b', 'result' => true,],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://a.b.example.a.com/a/b', 'result' => false,],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://a.com/a/b?val=a.example.com', 'result' => false,],
|
||||
['config' => 'https://*.example.com', 'url' => 'https://a.com/a/b#example.com', 'result' => false,],
|
||||
['config' => 'https://a.*.example.com', 'url' => 'https://a.b.c.example.com/c/d', 'result' => true,],
|
||||
['config' => 'https://example.com/webhooks/', 'url' => 'https://example.com/webhooks/beans', 'result' => true,],
|
||||
['config' => 'https://example.com/webhooks/', 'url' => 'https://example.com/a/webhooks/', 'result' => false,],
|
||||
['config' => 'https://example.com:8080', 'url' => 'https://example.com/a/b', 'result' => false,],
|
||||
['config' => 'https://example.com:8080', 'url' => 'https://example.com:8080/a/b', 'result' => true,],
|
||||
['config' => 'https://example.com/*', 'url' => 'https://example.com:8080/a/b', 'result' => false,],
|
||||
];
|
||||
|
||||
foreach ($tests as $testCase) {
|
||||
$validator = new SsrUrlValidator($testCase['config']);
|
||||
$result = $validator->allowed($testCase['url']);
|
||||
$this->assertEquals($testCase['result'], $result, "Failed asserting expected result for config {$testCase['config']} and test value {$testCase['url']}");
|
||||
}
|
||||
}
|
||||
|
||||
public function test_wildcard_does_not_match_userinfo_data_but_still_allows_it()
|
||||
{
|
||||
$validator = new SsrUrlValidator('https://*monkey.example.com');
|
||||
$this->assertFalse($validator->allowed('https://monkey.example.com@a.example.com'));
|
||||
|
||||
$validator = new SsrUrlValidator('https://monkey.example.com*');
|
||||
$this->assertFalse($validator->allowed('https://monkey.example.com@a.example.com'));
|
||||
$this->assertFalse($validator->allowed('https://monkey.example.com:monkey.example.com@a.example.com'));
|
||||
|
||||
$validator = new SsrUrlValidator('https://monkey.example.com');
|
||||
$this->assertTrue($validator->allowed('https://a:b@monkey.example.com'));
|
||||
}
|
||||
|
||||
public function test_percent_encoded_slashes_in_host_are_rejected()
|
||||
{
|
||||
$validator = new SsrUrlValidator('*');
|
||||
|
||||
$this->assertFalse($validator->allowed('https://cat.example.com%2Fa/b'));
|
||||
$this->assertFalse($validator->allowed('https://cat.example.com%2fa/b'));
|
||||
$this->assertFalse($validator->allowed('https://cat%2f.example.com/a/b'));
|
||||
$this->assertFalse($validator->allowed('https://cat.exa%2Fmple.com'));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user