fix: [userSettings] Perform URI validation for bookmarks

- As reported by Dawid Czarnecki from Zigrin Security
cli-modification-summary
Sami Mokaddem 2022-02-07 10:48:55 +01:00
parent dfb8d73a92
commit 14ec995c2b
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
3 changed files with 36 additions and 7 deletions

View File

@ -135,4 +135,18 @@ class UserSettingsTable extends AppTable
} }
return $result; return $result;
} }
/**
* validURI - Ensure the provided URI can be safely put as a link
*
* @param String $uri
* @return bool if the URI is safe to be put as a link
*/
public function validURI(String $uri): bool
{
$parsed = parse_url($uri);
$isLocalPath = empty($parsed['scheme']) && empty($parsed['domain']) && !empty($parsed['path']);
$isValidURL = !empty($parsed['scheme']) && in_array($parsed['scheme'], ['http', 'https']) && filter_var($uri, FILTER_SANITIZE_URL);
return $isLocalPath || $isValidURL;
}
} }

View File

@ -1,5 +1,9 @@
<?php <?php
use Cake\ORM\TableRegistry;
$bookmarks = !empty($loggedUser->user_settings_by_name['ui.bookmarks']['value']) ? json_decode($loggedUser->user_settings_by_name['ui.bookmarks']['value'], true) : []; $bookmarks = !empty($loggedUser->user_settings_by_name['ui.bookmarks']['value']) ? json_decode($loggedUser->user_settings_by_name['ui.bookmarks']['value'], true) : [];
$this->userSettingsTable = TableRegistry::getTableLocator()->get('UserSettings');
?> ?>
<h3> <h3>
@ -13,9 +17,15 @@ $bookmarks = !empty($loggedUser->user_settings_by_name['ui.bookmarks']['value'])
<ul class="col-sm-12 col-md-10 col-l-8 col-xl-8 mb-3"> <ul class="col-sm-12 col-md-10 col-l-8 col-xl-8 mb-3">
<?php foreach ($bookmarks as $bookmark) : ?> <?php foreach ($bookmarks as $bookmark) : ?>
<li class="list-group-item"> <li class="list-group-item">
<?php if ($this->userSettingsTable->validURI($bookmark['url'])): ?>
<a href="<?= h($bookmark['url']) ?>" class="w-bold"> <a href="<?= h($bookmark['url']) ?>" class="w-bold">
<?= h($bookmark['label']) ?> <?= h($bookmark['label']) ?>
</a> </a>
<?php else: ?>
<span class="w-bold">
<?= h($bookmark['url']) ?>
</span>
<?php endif; ?>
<span class="ms-3 fw-light"><?= h($bookmark['name']) ?></span> <span class="ms-3 fw-light"><?= h($bookmark['name']) ?></span>
</li> </li>
<?php endforeach; ?> <?php endforeach; ?>

View File

@ -1,5 +1,8 @@
<?php <?php
use Cake\Routing\Router; use Cake\Routing\Router;
use Cake\ORM\TableRegistry;
$this->userSettingsTable = TableRegistry::getTableLocator()->get('UserSettings');
$seed = 'sb-' . mt_rand(); $seed = 'sb-' . mt_rand();
$icon = $entry['icon'] ?? ''; $icon = $entry['icon'] ?? '';
@ -14,6 +17,8 @@
$active = true; $active = true;
} }
$validURI = $this->userSettingsTable->validURI($url);
echo $this->Bootstrap->button([ echo $this->Bootstrap->button([
'nodeType' => 'a', 'nodeType' => 'a',
'text' => h($label), 'text' => h($label),
@ -22,9 +27,9 @@
'outline' => !$active, 'outline' => !$active,
'size' => 'sm', 'size' => 'sm',
'icon' => h($icon), 'icon' => h($icon),
'class' => ['mb-1'], 'class' => ['mb-1', !$validURI ? 'disabled' : ''],
'params' => [ 'params' => [
'href' => h($url), 'href' => $validURI ? h($url) : '#',
] ]
]); ]);
?> ?>