fix: [userSettings] Perform URI validation for bookmarks

- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 10:48:55 +01:00 · 2022-02-07 10:48:55 +01:00 · 14ec995c2b
parent dfb8d73a92
commit 14ec995c2b
3 changed files with 36 additions and 7 deletions
--- a/src/Model/Table/UserSettingsTable.php
+++ b/src/Model/Table/UserSettingsTable.php
@ -135,4 +135,18 @@ class UserSettingsTable extends AppTable
        }
        return $result;
    }
+
+    /**
+     * validURI - Ensure the provided URI can be safely put as a link
+     *
+     * @param String $uri
+     * @return bool if the URI is safe to be put as a link
+     */
+    public function validURI(String $uri): bool
+    {
+        $parsed = parse_url($uri);
+        $isLocalPath = empty($parsed['scheme']) && empty($parsed['domain']) && !empty($parsed['path']);
+        $isValidURL = !empty($parsed['scheme']) && in_array($parsed['scheme'], ['http', 'https']) && filter_var($uri, FILTER_SANITIZE_URL);
+        return $isLocalPath || $isValidURL;
+    }
 }
--- a/templates/Instance/home.php
+++ b/templates/Instance/home.php
@ -1,5 +1,9 @@
 <?php
+
+use Cake\ORM\TableRegistry;
+
 $bookmarks = !empty($loggedUser->user_settings_by_name['ui.bookmarks']['value']) ? json_decode($loggedUser->user_settings_by_name['ui.bookmarks']['value'], true) : [];
+$this->userSettingsTable = TableRegistry::getTableLocator()->get('UserSettings');
 ?>

 <h3>
@ -9,18 +13,24 @@ $bookmarks = !empty($loggedUser->user_settings_by_name['ui.bookmarks']['value'])
    <?= __('Bookmarks') ?>
 </h3>
 <div class="row">
-    <?php if (!empty($bookmarks)): ?>
+    <?php if (!empty($bookmarks)) : ?>
        <ul class="col-sm-12 col-md-10 col-l-8 col-xl-8 mb-3">
            <?php foreach ($bookmarks as $bookmark) : ?>
                <li class="list-group-item">
-                    <a href="<?= h($bookmark['url']) ?>" class="w-bold">
-                        <?= h($bookmark['label']) ?>
-                    </a>
+                    <?php if ($this->userSettingsTable->validURI($bookmark['url'])): ?>
+                        <a href="<?= h($bookmark['url']) ?>" class="w-bold">
+                            <?= h($bookmark['label']) ?>
+                        </a>
+                    <?php else: ?>
+                        <span class="w-bold">
+                            <?= h($bookmark['url']) ?>
+                        </span>
+                    <?php endif; ?>
                    <span class="ms-3 fw-light"><?= h($bookmark['name']) ?></span>
                </li>
            <?php endforeach; ?>
        </ul>
-    <?php else: ?>
+    <?php else : ?>
        <p class="fw-light"><?= __('No bookmarks') ?></p>
    <?php endif; ?>
 </div>
--- a/templates/element/layouts/sidebar/bookmark-entry.php
+++ b/templates/element/layouts/sidebar/bookmark-entry.php
@ -1,5 +1,8 @@
 <?php
    use Cake\Routing\Router;
+    use Cake\ORM\TableRegistry;
+
+    $this->userSettingsTable = TableRegistry::getTableLocator()->get('UserSettings');

    $seed = 'sb-' . mt_rand();
    $icon = $entry['icon'] ?? '';
@ -14,6 +17,8 @@
        $active = true;
    }

+    $validURI = $this->userSettingsTable->validURI($url);
+
    echo $this->Bootstrap->button([
        'nodeType' => 'a',
        'text' => h($label),
@ -22,9 +27,9 @@
        'outline' => !$active,
        'size' => 'sm',
        'icon' => h($icon),
-        'class' => ['mb-1'],
+        'class' => ['mb-1', !$validURI ? 'disabled' : ''],
        'params' => [
-            'href' => h($url),
+            'href' => $validURI ? h($url) : '#',
        ]
    ]);
 ?>