SSR: Updated allow list handling & covered webhook usage

ssddanbrown · ssddanbrown · commit 903895814ace · 2023-08-26T20:13:37.000+01:00
- Covered webhook SSR allow list useage via test.
- Updated allow list handling to use trailing slash, or hash, or end of
  line as late anchor for better handling for hosts (prevent .co.uk
passing for .co domain host)
diff --git a/app/Util/SsrUrlValidator.php b/app/Util/SsrUrlValidator.php
@@ -41,7 +41,7 @@ public function allowed(string $url): bool
 
     protected function urlMatchesPattern($url, $pattern): bool
     {
-        $pattern = trim($pattern);
+        $pattern = rtrim(trim($pattern), '/');
         $url = trim($url);
 
         if (empty($pattern) || empty($url)) {
@@ -51,7 +51,7 @@ protected function urlMatchesPattern($url, $pattern): bool
         $quoted = preg_quote($pattern, '/');
         $regexPattern = str_replace('\*', '.*', $quoted);
 
-        return preg_match('/^' . $regexPattern . '.*$/i', $url);
+        return preg_match('/^' . $regexPattern . '($|\/.*$|#.*$)/i', $url);
     }
 
     /**
diff --git a/tests/Actions/WebhookCallTest.php b/tests/Actions/WebhookCallTest.php
@@ -101,6 +101,20 @@ public function test_webhook_call_exception_is_caught_and_logged()
         $this->assertNotNull($webhook->last_errored_at);
     }
 
+    public function test_webhook_uses_ssr_hosts_option_if_set()
+    {
+        config()->set('app.ssr_hosts', 'https://*.example.com');
+        $http = Http::fake();
+
+        $webhook = $this->newWebhook(['active' => true, 'endpoint' => 'https://wh.example.co.uk'], ['all']);
+        $this->runEvent(ActivityType::ROLE_CREATE);
+        $http->assertNothingSent();
+
+        $webhook->refresh();
+        $this->assertEquals('The URL does not match the configured allowed SSR hosts', $webhook->last_error);
+        $this->assertNotNull($webhook->last_errored_at);
+    }
+
     public function test_webhook_call_data_format()
     {
         Http::fake([
diff --git a/tests/Unit/SsrUrlValidatorTest.php b/tests/Unit/SsrUrlValidatorTest.php
@@ -25,6 +25,9 @@ public function test_allowed()
             ['config' => 'https://*.example.com', 'url' => 'https://test.example.com', 'result' => true],
             ['config' => '*//example.com', 'url' => 'https://example.com', 'result' => true],
             ['config' => '*//example.com', 'url' => 'http://example.com', 'result' => true],
+            ['config' => '*//example.co', 'url' => 'http://example.co.uk', 'result' => false],
+            ['config' => '*//example.co/bookstack', 'url' => 'https://example.co/bookstack/a/path', 'result' => true],
+            ['config' => '*//example.co*', 'url' => 'https://example.co.uk/bookstack/a/path', 'result' => true],
             ['config' => 'https://example.com', 'url' => 'https://example.com/a/b/c?test=cat', 'result' => true],
             ['config' => 'https://example.com', 'url' => 'https://example.co.uk', 'result' => false],
 

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ public function allowed(string $url): bool`
`41`	`41`
`42`	`42`	`protected function urlMatchesPattern($url, $pattern): bool`
`43`	`43`	`{`
`44`		`- $pattern = trim($pattern);`
	`44`	`+ $pattern = rtrim(trim($pattern), '/');`
`45`	`45`	`$url = trim($url);`
`46`	`46`
`47`	`47`	`if (empty($pattern) \|\| empty($url)) {`
`@@ -51,7 +51,7 @@ protected function urlMatchesPattern($url, $pattern): bool`
`51`	`51`	`$quoted = preg_quote($pattern, '/');`
`52`	`52`	`$regexPattern = str_replace('\', '.', $quoted);`
`53`	`53`
`54`		`- return preg_match('/^' . $regexPattern . '.*$/i', $url);`
	`54`	`+ return preg_match('/^' . $regexPattern . '($\|\/.$\|#.$)/i', $url);`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`/**`