Merge pull request from ArthurHoaro/hotfix/allowed-protocols

Add a whitelist of protocols for URLs
ArthurHoaro 2017-05-31 17:52:19 +02:00 committed by GitHub
commit ac94db1e36
8 changed files with 151 additions and 16 deletions


@ -0,0 +1,63 @@
<?php
require_once 'application/Url.php';
use Shaarli\Config\ConfigManager;
/**
* Class WhitelistProtocolsTest
*
* Test whitelist_protocols() function of Url.
*/
class WhitelistProtocolsTest extends PHPUnit_Framework_TestCase
{
/**
* Test whitelist_protocols() on a note (relative URL).
*/
public function testWhitelistProtocolsRelative()
{
$whitelist = ['ftp', 'magnet'];
$url = '?12443564';
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
$url = '/path.jpg';
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
}
/**
* Test whitelist_protocols() on a note (relative URL).
*/
public function testWhitelistProtocolMissing()
{
$whitelist = ['ftp', 'magnet'];
$url = 'test.tld/path/?query=value#hash';
$this->assertEquals('http://'. $url, whitelist_protocols($url, $whitelist));
}
/**
* Test whitelist_protocols() with allowed protocols.
*/
public function testWhitelistAllowedProtocol()
{
$whitelist = ['ftp', 'magnet'];
$url = 'http://test.tld/path/?query=value#hash';
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
$url = 'https://test.tld/path/?query=value#hash';
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
$url = 'ftp://test.tld/path/?query=value#hash';
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
$url = 'magnet:test.tld/path/?query=value#hash';
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
}
/**
* Test whitelist_protocols() with allowed protocols.
*/
public function testWhitelistDisallowedProtocol()
{
$whitelist = ['ftp', 'magnet'];
$url = 'javascript:alert("xss");';
$this->assertEquals('http://alert("xss");', whitelist_protocols($url, $whitelist));
$url = 'other://test.tld/path/?query=value#hash';
$this->assertEquals('http://test.tld/path/?query=value#hash', whitelist_protocols($url, $whitelist));
}
}
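Review bot: testWhitelistDisallowedProtocol only feeds lower-case `javascript:` and `other://` to whitelist_protocols(), so the test does not pin whether the scheme comparison is case-insensitive; add an assertion such as `$this->assertEquals('http://alert("xss");', whitelist_protocols('JavaScript:alert("xss");', $whitelist));` so a regression to a case-sensitive match is caught. Those two expected values also show that a disallowed scheme is rewritten to `http://` rather than the URL being rejected, and that `http`/`https` pass although the whitelist holds only `ftp` and `magnet`; both facts belong in the class docblock since they are the contract the tests rely on. The docblocks on testWhitelistProtocolMissing and testWhitelistDisallowedProtocol are copied from their neighbours and describe the wrong case; suggested wording `* Test whitelist_protocols() on a URL without a protocol.` and `* Test whitelist_protocols() with disallowed protocols.`. `use Shaarli\Config\ConfigManager;` does not appear to be used anywhere in this file.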


@ -26,6 +26,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
{
PluginManager::$PLUGINS_PATH = 'plugins';
$this->conf = new ConfigManager('tests/utils/config/configJson');
$this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
}
/**
@ -183,15 +184,19 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
}
/**
* Test hashtag links processed with markdown.
* Make sure that the generated HTML match the reference HTML file.
*/
public function testMarkdownHashtagLinks()
public function testMarkdownGlobalProcessDescription()
{
$md = file_get_contents('tests/plugins/resources/markdown.md');
$md = format_description($md);
$html = file_get_contents('tests/plugins/resources/markdown.html');
$data = process_markdown($md);
$data = process_markdown(
$md,
$this->conf->get('security.markdown_escape', true),
$this->conf->get('security.allowed_protocols')
);
$this->assertEquals($html, $data);
}
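Review bot: The docblock above the renamed method still reads `Test hashtag links processed with markdown.`, which no longer describes testMarkdownGlobalProcessDescription; suggested replacement `* Test the full markdown processing of a description against the reference HTML file.` keeping the second line as is. In the new process_markdown() call, `security.markdown_escape` is read with a default of `true` while `security.allowed_protocols` is read with no default, so the third argument would be null if setUp did not set it; passing an explicit default (presumably the same `['ftp', 'magnet']` used in setUp) would make the test self-contained. The enclosing class starts outside the hunk.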


@ -21,4 +21,13 @@
next #foo</code></pre>
<p>Block:</p>
<pre><code>lorem ipsum #foobar http://link.tld
#foobar http://link.tld</code></pre></div>
#foobar http://link.tld</code></pre>
<p><a href="?123456">link</a><br />
<img src="/img/train.png" alt="link" /><br />
<a href="http://test.tld/path/?query=value#hash">link</a><br />
<a href="http://test.tld/path/?query=value#hash">link</a><br />
<a href="https://test.tld/path/?query=value#hash">link</a><br />
<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
<a href="http://alert('xss')">link</a><br />
<a href="http://test.tld/path/?query=value#hash">link</a></p></div>


@ -21,4 +21,14 @@ Block:
```
lorem ipsum #foobar http://link.tld
#foobar http://link.tld
```
```
[link](?123456)
![link](/img/train.png)
[link](test.tld/path/?query=value#hash)
[link](http://test.tld/path/?query=value#hash)
[link](https://test.tld/path/?query=value#hash)
[link](ftp://test.tld/path/?query=value#hash)
[link](magnet:test.tld/path/?query=value#hash)
[link](javascript:alert('xss'))
[link](other://test.tld/path/?query=value#hash)