
Commit 5075169

sec: Reject contents from invalid origins
1 parent f81262c commit 5075169


3 files changed

+31
-0
lines changed


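--- a/src/controllers/Requests.php
+++ b/src/controllers/Requests.php
@@ -187,6 +187,12 @@ public function publish(Request $request): Response
 
 $content = new models\Content($url);
 
+if (!$content->isAllowed()) {
+return Response::badRequest('requests/error.txt', [
+'errors' => ["url \"{$url}\" is not authorized"],
+]);
+}
+
 $errors = $content->validate();
 if ($errors) {
 return Response::badRequest('requests/error.txt', [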
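Review bot: The new allow-list guard at line 190 runs before `$content->validate()` at line 196, so `AllowedOriginHelper::isOriginAllowed` (not visible here) is handed the raw, unvalidated `hub_url` rather than a URL the existing validation has already accepted. Unless that helper is known to fail closed on anything it cannot parse into a scheme and host (missing scheme, empty host, userinfo such as `https://allowed@evil.com`), either confirm it returns `false` in those cases or move the guard below the `if ($errors)` block so the origin comparison only ever sees a well-formed URL. The rejection echoes `$url` verbatim into the body; the accompanying test shows the response is `text/plain`, so this is not an injection vector, but a `403` would describe a policy rejection more accurately than the `400` used for malformed input. `publish()` begins before and continues after this hunk.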

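--- a/src/models/Content.php
+++ b/src/models/Content.php
@@ -4,6 +4,7 @@
 
 use Minz\Database;
 use Minz\Validable;
+use Webubbub\utils;
 
 /**
 * Represent a content created by publishers, it is delivered to subscribers.
@@ -85,6 +86,14 @@ public function deliver(): void
 $this->status = 'delivered';
 }
 
+/**
+* Return wheter a content is allowed on the hub or not.
+*/
+public function isAllowed(): bool
+{
+return utils\AllowedOriginHelper::isOriginAllowed($this->url);
+}
+
 /**
 * Delete the Contents that can be deleted and return the number of
 * deletions.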
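--- a/tests/cli/RequestsTest.php
+++ b/tests/cli/RequestsTest.php
@@ -251,6 +251,22 @@ public function testPublishWithSameUrlAndFetchedStatus(): void
 $this->assertSame(2, models\Content::count());
 }
 
+public function testPublishFailsIfUrlIsNotAuthorized(): void
+{
+\Webubbub\Configuration::$application['allowed_topic_origins'] = 'https://allowed.1.com,https://allowed.2.com';
+
+$response = $this->appRun('CLI', '/requests/publish', [
+'hub_url' => 'https://not.allowed.com',
+]);
+
+\Webubbub\Configuration::$application['allowed_topic_origins'] = '';
+
+$this->assertResponseCode($response, 400);
+$this->assertResponseContains($response, 'url "https://not.allowed.com" is not authorized');
+$this->assertResponseHeaders($response, ['Content-Type' => 'text/plain']);
+$this->assertSame(0, models\Content::count());
+}
+
 #[\PHPUnit\Framework\Attributes\DataProvider('invalidUrlProvider')]
 public function testPublishFailsIfUrlIsInvalid(string $invalid_url): void
 {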
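Review bot: The only rejected topic is a host that shares nothing with the allow-list, so a prefix or substring comparison inside `AllowedOriginHelper::isOriginAllowed` (not visible here) would pass this test just as well as a real origin comparison; the cases that tell them apart are near misses such as `https://allowed.1.com.evil.com`, `https://allowed.1.com@evil.com` and `http://allowed.1.com` (and `https://allowed.1.com:8443` if port is meant to be part of the origin), none of which are covered, and there is no positive case showing `https://allowed.1.com/feed` is still accepted. The reset on line 262 is also unguarded, so if `appRun` throws the allow-list leaks into every later test in the process; wrap the call in `try { … } finally { … = ''; }` or clear it in `tearDown()`. A data-provider form of the negative test covers the near misses without duplicating the body:

```php
#[\PHPUnit\Framework\Attributes\DataProvider('notAllowedUrlProvider')]
public function testPublishFailsIfUrlIsNotAuthorized(string $url): void
{
    \Webubbub\Configuration::$application['allowed_topic_origins'] = 'https://allowed.1.com,https://allowed.2.com';

    try {
        $response = $this->appRun('CLI', '/requests/publish', [
            'hub_url' => $url,
        ]);
    } finally {
        \Webubbub\Configuration::$application['allowed_topic_origins'] = '';
    }

    $this->assertResponseCode($response, 400);
    $this->assertResponseContains($response, "url \"{$url}\" is not authorized");
    // … unchanged: Content-Type and Content::count() assertions …
}

public static function notAllowedUrlProvider(): iterable
{
    yield 'other host' => ['https://not.allowed.com'];
    yield 'allowed host as suffix' => ['https://allowed.1.com.evil.com'];
    yield 'allowed host as userinfo' => ['https://allowed.1.com@evil.com'];
    yield 'allowed host, wrong scheme' => ['http://allowed.1.com'];
}
```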
