From 14ec995c2bd618b181197dc6b64e63fd966b4860 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 7 Feb 2022 10:48:55 +0100
Subject: [PATCH] fix: [userSettings] Perform URI validation for bookmarks
- As reported by Dawid Czarnecki from Zigrin Security
---
 src/Model/Table/UserSettingsTable.php | 14 +++++++++++++
 templates/Instance/home.php | 20 ++++++++++++++-----
 .../layouts/sidebar/bookmark-entry.php | 9 +++++++--
 3 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/src/Model/Table/UserSettingsTable.php b/src/Model/Table/UserSettingsTable.php
index bdfe535..cc4b5db 100644
--- a/src/Model/Table/UserSettingsTable.php
+++ b/src/Model/Table/UserSettingsTable.php
@@ -135,4 +135,18 @@ class UserSettingsTable extends AppTable
 }
 return $result;
 }
+
+ /**
+ * validURI - Ensure the provided URI can be safely put as a link
+ *
+ * @param String $uri
+ * @return bool if the URI is safe to be put as a link
+ */
+ public function validURI(String $uri): bool
+ {
+ $parsed = parse_url($uri);
+ $isLocalPath = empty($parsed['scheme']) && empty($parsed['domain']) && !empty($parsed['path']);
+ $isValidURL = !empty($parsed['scheme']) && in_array($parsed['scheme'], ['http', 'https']) && filter_var($uri, FILTER_SANITIZE_URL);
+ return $isLocalPath || $isValidURL;
+ }
 }
diff --git a/templates/Instance/home.php b/templates/Instance/home.php
index 6d91266..e5803c2 100644
--- a/templates/Instance/home.php
+++ b/templates/Instance/home.php
@@ -1,5 +1,9 @@
 user_settings_by_name['ui.bookmarks']['value']) ? json_decode($loggedUser->user_settings_by_name['ui.bookmarks']['value'], true) : [];
+$this->userSettingsTable = TableRegistry::getTableLocator()->get('UserSettings');
 ?>
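Review bot: The local-path branch of validURI still lets through values a browser will treat as a scheme or a foreign host: parse_url exposes the host under the key `host`, not `domain`, so `empty($parsed['domain'])` is always true and `//attacker.example/x` qualifies as a "local path", and an input such as `" javascript:alert(1)"` (leading whitespace, which the browser's URL parser strips) comes back from parse_url as a bare path because the space is not a legal scheme character, so it is accepted as well. On the URL branch `filter_var($uri, FILTER_SANITIZE_URL)` is a sanitising filter that returns the stripped string, so it is truthy for any non-empty input and validates nothing; `FILTER_VALIDATE_URL` is the validating filter, and the `in_array` should pass `true` for strictness with a lower-cased scheme. parse_url can also return `false`, which this code then indexes as an array. I would tighten the method as below: it rejects protocol-relative and backslash-prefixed links and requires a leading `/` for local bookmarks, which is stricter than the current code, so confirm no stored bookmark relies on `users/index`-style relative paths. The check here runs only at render time; whether the code path that saves `ui.bookmarks` also rejects such URIs is outside this patch.
```php
    public function validURI(String $uri): bool
    {
        $uri = trim($uri);
        $parsed = parse_url($uri);
        if ($parsed === false) {
            return false;
        }
        // Local link: path-absolute, and neither protocol-relative ("//host") nor its
        // backslash variant ("/\host"), which browsers normalise to "//host".
        $isLocalPath = !isset($parsed['scheme']) && !isset($parsed['host'])
            && !empty($parsed['path'])
            && preg_match('#^/(?![/\\\\])#', $uri) === 1;
        $isValidURL = isset($parsed['scheme'])
            && in_array(strtolower($parsed['scheme']), ['http', 'https'], true)
            && filter_var($uri, FILTER_VALIDATE_URL) !== false;
        return $isLocalPath || $isValidURL;
    }
```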

@@ -9,18 +13,24 @@ $bookmarks = !empty($loggedUser->user_settings_by_name['ui.bookmarks']['value'])

- + - +

diff --git a/templates/element/layouts/sidebar/bookmark-entry.php b/templates/element/layouts/sidebar/bookmark-entry.php
index f2d01c1..a33ffe4 100644
--- a/templates/element/layouts/sidebar/bookmark-entry.php
+++ b/templates/element/layouts/sidebar/bookmark-entry.php
@@ -1,5 +1,8 @@
userSettingsTable = TableRegistry::getTableLocator()->get('UserSettings');
 $seed = 'sb-' . mt_rand();
 $icon = $entry['icon'] ?? '';
@@ -14,6 +17,8 @@
 $active = true;
 }
+ $validURI = $this->userSettingsTable->validURI($url);
+
 echo $this->Bootstrap->button([
 'nodeType' => 'a',
 'text' => h($label),
@@ -22,9 +27,9 @@
 'outline' => !$active,
 'size' => 'sm',
 'icon' => h($icon),
- 'class' => ['mb-1'],
+ 'class' => ['mb-1', !$validURI ? 'disabled' : ''],
 'params' => [
- 'href' => h($url),
+ 'href' => $validURI ? h($url) : '#',
 ]
 ]);
 ?>
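Review bot: In the third hunk a rejected bookmark is rendered as a Bootstrap-disabled `<a href="#">`, which hides the bad entry without telling the user why it no longer works, and the `'class'` array now carries an empty-string element for every valid entry. I would drop the empty element and expose the state to assistive technology, e.g. `'class' => array_filter(['mb-1', $validURI ? null : 'disabled'])` and, inside `'params'`, `'aria-disabled' => $validURI ? null : 'true', 'title' => $validURI ? null : 'Bookmark URL rejected'` — this assumes Bootstrap->button omits null-valued params, which is not visible in this hunk. The validation is repeated on every render of every sidebar entry but the stored value is never rejected; a matching check where `ui.bookmarks` is written would stop the bad URI from persisting at all, and that path is outside this patch. `$url` itself is assigned between the first and second hunk, outside what is shown, so I am assuming it is the raw bookmark value.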