bookstack/tests/Unit/SsrUrlValidatorTest.php

<?php

namespace Tests\Unit;

use BookStack\Exceptions\HttpFetchException;
use BookStack\Util\SsrUrlValidator;
use Tests\TestCase;

class SsrUrlValidatorTest extends TestCase
{
    public function test_allowed()
    {
        $testMap = [
            // Single values
            ['config' => '', 'url' => '', 'result' => false],
            ['config' => '', 'url' => 'https://example.com', 'result' => false],
            ['config' => '    ', 'url' => 'https://example.com', 'result' => false],
            ['config' => '*', 'url' => '', 'result' => false],
            ['config' => '*', 'url' => 'https://example.com', 'result' => true],
            ['config' => 'https://*', 'url' => 'https://example.com', 'result' => true],
            ['config' => 'http://*', 'url' => 'https://example.com', 'result' => false],
            ['config' => 'https://*example.com', 'url' => 'https://example.com', 'result' => true],
            ['config' => 'https://*ample.com', 'url' => 'https://example.com', 'result' => true],
            ['config' => 'https://*.example.com', 'url' => 'https://example.com', 'result' => false],
            ['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],
            ['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],
            ['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],
            ['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],
            ['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],

            // Escapes
            ['config' => 'https://(.*?).com', 'url' => 'https://example.com', 'result' => false],
            ['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false],

            // Multi values
            ['config' => '*//example.org *//example.com', 'url' => 'https://example.com', 'result' => true],
            ['config' => '*//example.org *//example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true],
            ['config' => '*.example.org *.example.com', 'url' => 'https://example.co.uk', 'result' => false],
            ['config' => '  *.example.org  *.example.com  ', 'url' => 'https://example.co.uk', 'result' => false],
            ['config' => '* *.example.com', 'url' => 'https://example.co.uk', 'result' => true],
            ['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true],
            ['config' => '*//example.org *//example.com *//example.co.uk', 'url' => 'https://example.net', 'result' => false],
        ];

        foreach ($testMap as $test) {
            $result = (new SsrUrlValidator($test['config']))->allowed($test['url']);
            $this->assertEquals($test['result'], $result, "Failed asserting url '{$test['url']}' with config '{$test['config']}' results " . ($test['result'] ? 'true' : 'false'));
        }
    }

    public function test_enssure_allowed()
    {
        $result = (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://example.com');
        $this->assertNull($result);

        $this->expectException(HttpFetchException::class);
        (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://test.example.com');
    }
}
Security: Added new SSR allow list and validator Included unit tests to cover validator functionality. Added to webhooks. Still need to do testing specifically for webhooks. 2023-08-26 22:28:29 +08:00			`<?php`

			`namespace Tests\Unit;`

			`use BookStack\Exceptions\HttpFetchException;`
			`use BookStack\Util\SsrUrlValidator;`
			`use Tests\TestCase;`

			`class SsrUrlValidatorTest extends TestCase`
			`{`
			`public function test_allowed()`
			`{`
			`$testMap = [`
			`// Single values`
			`['config' => '', 'url' => '', 'result' => false],`
			`['config' => '', 'url' => 'https://example.com', 'result' => false],`
			`['config' => ' ', 'url' => 'https://example.com', 'result' => false],`
			`['config' => '*', 'url' => '', 'result' => false],`
			`['config' => '*', 'url' => 'https://example.com', 'result' => true],`
			`['config' => 'https://*', 'url' => 'https://example.com', 'result' => true],`
			`['config' => 'http://*', 'url' => 'https://example.com', 'result' => false],`
			`['config' => 'https://*example.com', 'url' => 'https://example.com', 'result' => true],`
			`['config' => 'https://*ample.com', 'url' => 'https://example.com', 'result' => true],`
			`['config' => 'https://*.example.com', 'url' => 'https://example.com', 'result' => false],`
			`['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],`
			`['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],`
			`['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],`
			`['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],`
			`['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],`

			`// Escapes`
			`['config' => 'https://(.*?).com', 'url' => 'https://example.com', 'result' => false],`
			`['config' => 'https://example.com', 'url' => 'https://example.co.uk#https://example.com', 'result' => false],`

			`// Multi values`
			`['config' => '//example.org //example.com', 'url' => 'https://example.com', 'result' => true],`
			`['config' => '//example.org //example.com', 'url' => 'https://example.com/a/b/c?test=cat#hello', 'result' => true],`
			`['config' => '.example.org .example.com', 'url' => 'https://example.co.uk', 'result' => false],`
			`['config' => ' .example.org .example.com ', 'url' => 'https://example.co.uk', 'result' => false],`
			`['config' => '* *.example.com', 'url' => 'https://example.co.uk', 'result' => true],`
			`['config' => '//example.org //example.com *//example.co.uk', 'url' => 'https://example.co.uk', 'result' => true],`
			`['config' => '//example.org //example.com *//example.co.uk', 'url' => 'https://example.net', 'result' => false],`
			`];`

			`foreach ($testMap as $test) {`
			`$result = (new SsrUrlValidator($test['config']))->allowed($test['url']);`
			`$this->assertEquals($test['result'], $result, "Failed asserting url '{$test['url']}' with config '{$test['config']}' results " . ($test['result'] ? 'true' : 'false'));`
			`}`
			`}`

			`public function test_enssure_allowed()`
			`{`
			`$result = (new SsrUrlValidator('https://example.com'))->ensureAllowed('https://example.com');`
			`$this->assertNull($result);`

			`$this->expectException(HttpFetchException::class);`
			`(new SsrUrlValidator('https://example.com'))->ensureAllowed('https://test.example.com');`
			`}`
			`}`