Be more strict with URL (#2477)
This commit is contained in:
Christophe Maudoux
Yadd
parent
3732cdcc19
commit
71fa5d09f7
|
|
@ -5,6 +5,7 @@ use Mouse;
|
|||
use JSON qw(from_json);
|
||||
use Lemonldap::NG::Common::UserAgent;
|
||||
use Lemonldap::NG::Portal::Main::Constants qw(
|
||||
URIRE
|
||||
PE_OK
|
||||
PE_ERROR
|
||||
PE_BADURL
|
||||
|
|
@ -124,27 +125,26 @@ sub run {
|
|||
# Check URL if allowed and exists
|
||||
if ( $self->conf->{checkDevOpsDownload} and $url = $req->param('url') ) {
|
||||
undef $url if $self->p->checkXSSAttack( 'CheckDevOps URL', $url );
|
||||
if ( $url && $url =~ m#^(?:https?://)?([^/]*)(.*)#i ) {
|
||||
if ( $url && $url =~ URIRE ) {
|
||||
|
||||
# Reformat url
|
||||
my ( $vhost, $appuri ) = $url =~ m#^(?:https?://)?([^/]*)(.*)#i;
|
||||
my ($proto) = $url =~ m#^(https?://).*#i;
|
||||
$proto ||= 'http://';
|
||||
$url = "$proto$vhost/rules.json";
|
||||
my ( $proto, $vhost, $appuri ) = ( $2, $3, $5 );
|
||||
$url = "$proto://$vhost/rules.json";
|
||||
my $resp = $self->ua->get( $url, 'Accept' => 'application/json' );
|
||||
$self->logger->debug( "Code/Message from $url: "
|
||||
. $resp->code . '/'
|
||||
. $resp->message );
|
||||
my $content = $resp->decoded_content;
|
||||
$self->logger->debug("Content received from $url: $content") if $content;
|
||||
$self->logger->debug("Content received from $url: $content")
|
||||
if $content;
|
||||
|
||||
if ( $resp->is_success ) {
|
||||
$json = eval { from_json($content, { allow_nonref => 1 }) };
|
||||
$json = eval { from_json( $content, { allow_nonref => 1 } ) };
|
||||
if ($@) {
|
||||
|
||||
# Prepare form params
|
||||
undef $json;
|
||||
$msg = 'PE' . PE_BAD_DEVOPS_FILE;
|
||||
$msg = 'PE' . PE_BAD_DEVOPS_FILE;
|
||||
$self->userLogger->error(
|
||||
"CheckDevOps: bad 'rules.json' file retrieved from $url ($@)"
|
||||
);
|
||||
|
|
@ -153,7 +153,7 @@ sub run {
|
|||
else {
|
||||
|
||||
# Prepare form params
|
||||
$msg = 'PE' . PE_FILENOTFOUND;
|
||||
$msg = 'PE' . PE_FILENOTFOUND;
|
||||
$self->userLogger->error(
|
||||
"CheckDevOps: Unable to download 'rules.json' file from $url"
|
||||
);
|
||||
|
|
@ -162,8 +162,8 @@ sub run {
|
|||
else {
|
||||
|
||||
# Prepare form params
|
||||
$msg = 'PE' . PE_BADURL;
|
||||
$self->userLogger->error('CheckDevOps: bad provided URL');
|
||||
$msg = 'PE' . PE_BADURL;
|
||||
$self->userLogger->error('CheckDevOps: bad URL provided');
|
||||
}
|
||||
}
|
||||
unless ( $json || $msg ) {
|
||||
|
|
|
|||
|
|
@ -192,7 +192,7 @@ sub check {
|
|||
};
|
||||
return $self->p->sendJSONresponse( $req, $params )
|
||||
if $req->wantJSON && $msg;
|
||||
|
||||
|
||||
# Display form
|
||||
return $self->p->sendHtml( $req, 'checkuser', params => $params )
|
||||
if $msg;
|
||||
|
|
@ -405,7 +405,7 @@ sub check {
|
|||
sub _resolveURL {
|
||||
my ( $self, $req, $url ) = @_;
|
||||
my ($proto) = $url =~ m#^(https?://).*#i;
|
||||
my ( $vhost, $appuri ) = $url =~ m#^(?:https?://)?([^/]*)(.*)#i;
|
||||
my ( $vhost, $appuri ) = $url =~ m@^(?:https?://)?([^/#]*)(.*)@i;
|
||||
my ($port) = $vhost =~ m#^.+(:\d+)$#;
|
||||
$port ||= '';
|
||||
$vhost =~ s/:\d+$//;
|
||||
|
|
@ -467,7 +467,7 @@ sub _userData {
|
|||
|
||||
sub _authorization {
|
||||
my ( $self, $req, $uri, $attrs ) = @_;
|
||||
my ( $vhost, $appuri ) = $uri =~ m#^https?://([^/]*)(.*)#;
|
||||
my ( $vhost, $appuri ) = $uri =~ m@^https?://([^/#]*)(.*)@;
|
||||
my $exist = 0;
|
||||
|
||||
$vhost =~ s/:\d+$//;
|
||||
|
|
@ -489,7 +489,7 @@ sub _authorization {
|
|||
|
||||
sub _headers {
|
||||
my ( $self, $req, $uri, $attrs, $savedUserData ) = @_;
|
||||
my ($vhost) = $uri =~ m#^https?://([^/]*).*#;
|
||||
my ($vhost) = $uri =~ m@^https?://([^/#]*).*@;
|
||||
|
||||
$vhost =~ s/:\d+$//;
|
||||
$req->{env}->{HTTP_HOST} = $vhost;
|
||||
|
|
|
|||
|
|
@ -143,9 +143,9 @@ ok( $res->{MSG} eq 'PE105', 'PE105' )
|
|||
or print STDERR Dumper($res);
|
||||
count(4);
|
||||
|
||||
# Download file
|
||||
# -------------
|
||||
$query = 'url=http://test3.example.com';
|
||||
# Bad URLs
|
||||
# --------
|
||||
$query = 'url=test3.example.com';
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/checkdevops',
|
||||
|
|
@ -157,19 +157,26 @@ ok(
|
|||
);
|
||||
ok( $res = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
|
||||
or print STDERR "$@\n" . Dumper($res);
|
||||
ok( $res->{ALERTE} eq 'alert-info', 'alert-info found' )
|
||||
ok( $res->{MSG} eq 'PE37', 'Bad URL' )
|
||||
or print STDERR Dumper($res);
|
||||
ok( $res->{FILE} =~ /headers/, 'headers found' )
|
||||
count(3);
|
||||
|
||||
# --------
|
||||
$query = 'url=http://test3.example.com#test';
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/checkdevops',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
),
|
||||
'POST checkdevops with wrong url'
|
||||
);
|
||||
ok( $res = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
|
||||
or print STDERR "$@\n" . Dumper($res);
|
||||
ok( $res->{URL} eq 'http://test3.example.com/rules.json', 'Well formated URL' )
|
||||
or print STDERR Dumper($res);
|
||||
ok( $res->{FILE} =~ /rules/, 'rules found' )
|
||||
or print STDERR Dumper($res);
|
||||
ok( $res->{FILE} =~ /"\$uid ne qq#dwho#"/, 'rule found' )
|
||||
or print STDERR Dumper($res);
|
||||
ok( $res->{URL} eq 'http://test3.example.com/rules.json', 'URL found' )
|
||||
or print STDERR Dumper($res);
|
||||
ok( $res->{MSG} eq 'checkDevOps', 'MSG found' )
|
||||
or print STDERR Dumper($res);
|
||||
count(8);
|
||||
count(3);
|
||||
|
||||
$client->logout($id);
|
||||
clean_sessions();
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user