Be more strict with URL (#2477)
This commit is contained in:
parent
3732cdcc19
commit
71fa5d09f7
@ -5,6 +5,7 @@ use Mouse;
use JSON qw(from_json);
use JSON qw(from_json);
use Lemonldap::NG::Common::UserAgent;
use Lemonldap::NG::Common::UserAgent;
use Lemonldap::NG::Portal::Main::Constants qw(
use Lemonldap::NG::Portal::Main::Constants qw(
URIRE
PE_OK
PE_OK
PE_ERROR
PE_ERROR
PE_BADURL
PE_BADURL
@ -124,27 +125,26 @@ sub run {
# Check URL if allowed and exists
# Check URL if allowed and exists
if ( $self->conf->{checkDevOpsDownload} and $url = $req->param('url') ) {
if ( $self->conf->{checkDevOpsDownload} and $url = $req->param('url') ) {
undef $url if $self->p->checkXSSAttack( 'CheckDevOps URL', $url );
undef $url if $self->p->checkXSSAttack( 'CheckDevOps URL', $url );
if ( $url && $url =~ m#^(?:https?://)?([^/]*)(.*)#i ) {
if ( $url && $url =~ URIRE ) {
# Reformat url
# Reformat url
my ( $vhost, $appuri ) = $url =~ m#^(?:https?://)?([^/]*)(.*)#i;
my ( $proto, $vhost, $appuri ) = ( $2, $3, $5 );
my ($proto) = $url =~ m#^(https?://).*#i;
$url = "$proto://$vhost/rules.json";
$proto ||= 'http://';
$url = "$proto$vhost/rules.json";
my $resp = $self->ua->get( $url, 'Accept' => 'application/json' );
my $resp = $self->ua->get( $url, 'Accept' => 'application/json' );
$self->logger->debug( "Code/Message from $url: "
$self->logger->debug( "Code/Message from $url: "
. $resp->code . '/'
. $resp->code . '/'
. $resp->message );
. $resp->message );
my $content = $resp->decoded_content;
my $content = $resp->decoded_content;
$self->logger->debug("Content received from $url: $content") if $content;
$self->logger->debug("Content received from $url: $content")
if $content;
if ( $resp->is_success ) {
if ( $resp->is_success ) {
$json = eval { from_json($content, { allow_nonref => 1 }) };
$json = eval { from_json( $content, { allow_nonref => 1 } ) };
if ($@) {
if ($@) {
# Prepare form params
# Prepare form params
undef $json;
undef $json;
$msg = 'PE' . PE_BAD_DEVOPS_FILE;
$msg = 'PE' . PE_BAD_DEVOPS_FILE;
$self->userLogger->error(
$self->userLogger->error(
"CheckDevOps: bad 'rules.json' file retrieved from $url ($@)"
"CheckDevOps: bad 'rules.json' file retrieved from $url ($@)"
);
);
@ -153,7 +153,7 @@ sub run {
else {
else {
# Prepare form params
# Prepare form params
$msg = 'PE' . PE_FILENOTFOUND;
$msg = 'PE' . PE_FILENOTFOUND;
$self->userLogger->error(
$self->userLogger->error(
"CheckDevOps: Unable to download 'rules.json' file from $url"
"CheckDevOps: Unable to download 'rules.json' file from $url"
);
);
@ -162,8 +162,8 @@ sub run {
else {
else {
# Prepare form params
# Prepare form params
$msg = 'PE' . PE_BADURL;
$msg = 'PE' . PE_BADURL;
$self->userLogger->error('CheckDevOps: bad provided URL');
$self->userLogger->error('CheckDevOps: bad URL provided');
}
}
}
}
unless ( $json || $msg ) {
unless ( $json || $msg ) {
@ -192,7 +192,7 @@ sub check {
};
};
return $self->p->sendJSONresponse( $req, $params )
return $self->p->sendJSONresponse( $req, $params )
if $req->wantJSON && $msg;
if $req->wantJSON && $msg;
# Display form
# Display form
return $self->p->sendHtml( $req, 'checkuser', params => $params )
return $self->p->sendHtml( $req, 'checkuser', params => $params )
if $msg;
if $msg;
@ -405,7 +405,7 @@ sub check {
sub _resolveURL {
sub _resolveURL {
my ( $self, $req, $url ) = @_;
my ( $self, $req, $url ) = @_;
my ($proto) = $url =~ m#^(https?://).*#i;
my ($proto) = $url =~ m#^(https?://).*#i;
my ( $vhost, $appuri ) = $url =~ m#^(?:https?://)?([^/]*)(.*)#i;
my ( $vhost, $appuri ) = $url =~ m@^(?:https?://)?([^/#]*)(.*)@i;
my ($port) = $vhost =~ m#^.+(:\d+)$#;
my ($port) = $vhost =~ m#^.+(:\d+)$#;
$port ||= '';
$port ||= '';
$vhost =~ s/:\d+$//;
$vhost =~ s/:\d+$//;
@ -467,7 +467,7 @@ sub _userData {
sub _authorization {
sub _authorization {
my ( $self, $req, $uri, $attrs ) = @_;
my ( $self, $req, $uri, $attrs ) = @_;
my ( $vhost, $appuri ) = $uri =~ m#^https?://([^/]*)(.*)#;
my ( $vhost, $appuri ) = $uri =~ m@^https?://([^/#]*)(.*)@;
my $exist = 0;
my $exist = 0;
$vhost =~ s/:\d+$//;
$vhost =~ s/:\d+$//;
@ -489,7 +489,7 @@ sub _authorization {
sub _headers {
sub _headers {
my ( $self, $req, $uri, $attrs, $savedUserData ) = @_;
my ( $self, $req, $uri, $attrs, $savedUserData ) = @_;
my ($vhost) = $uri =~ m#^https?://([^/]*).*#;
my ($vhost) = $uri =~ m@^https?://([^/#]*).*@;
$vhost =~ s/:\d+$//;
$vhost =~ s/:\d+$//;
$req->{env}->{HTTP_HOST} = $vhost;
$req->{env}->{HTTP_HOST} = $vhost;
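Review bot: In `run`, `my ( $proto, $vhost, $appuri ) = ( $2, $3, $5 );` ties the URL reformatting to the positional group layout of URIRE, a regex defined in Lemonldap::NG::Portal::Main::Constants, so a later change to that constant's grouping would silently produce a wrong `$url = "$proto://$vhost/rules.json"` and an `ua->get` against the wrong location. A comment on that line such as `# URIRE capture groups: 2 = scheme, 3 = host[:port], 5 = path -- keep in sync with Constants`, or named captures in URIRE read through `%+`, would make the dependency visible. `$appuri` is assigned but not used in the visible lines; `run` continues outside the hunk, so drop it only if the remainder does not use it either. The host patterns in `_resolveURL`, `_authorization` and `_headers` now stop at `#` but still admit `?` into the captured vhost (`http://host?x` yields `host?x`), so `[^/?#]*` would be the complete delimiter set for the authority component.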
@ -143,9 +143,9 @@ ok( $res->{MSG} eq 'PE105', 'PE105' )
or print STDERR Dumper($res);
or print STDERR Dumper($res);
count(4);
count(4);
# Download file
# Bad URLs
# -------------
# --------
$query = 'url=http://test3.example.com';
$query = 'url=test3.example.com';
ok(
ok(
$res = $client->_post(
$res = $client->_post(
'/checkdevops',
'/checkdevops',
@ -157,19 +157,26 @@ ok(
);
);
ok( $res = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
ok( $res = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
or print STDERR "$@\n" . Dumper($res);
or print STDERR "$@\n" . Dumper($res);
ok( $res->{ALERTE} eq 'alert-info', 'alert-info found' )
ok( $res->{MSG} eq 'PE37', 'Bad URL' )
or print STDERR Dumper($res);
or print STDERR Dumper($res);
ok( $res->{FILE} =~ /headers/, 'headers found' )
count(3);
# --------
$query = 'url=http://test3.example.com#test';
ok(
$res = $client->_post(
'/checkdevops',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
),
'POST checkdevops with wrong url'
);
ok( $res = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
or print STDERR "$@\n" . Dumper($res);
ok( $res->{URL} eq 'http://test3.example.com/rules.json', 'Well formated URL' )
or print STDERR Dumper($res);
or print STDERR Dumper($res);
ok( $res->{FILE} =~ /rules/, 'rules found' )
count(3);
or print STDERR Dumper($res);
ok( $res->{FILE} =~ /"\$uid ne qq#dwho#"/, 'rule found' )
or print STDERR Dumper($res);
ok( $res->{URL} eq 'http://test3.example.com/rules.json', 'URL found' )
or print STDERR Dumper($res);
ok( $res->{MSG} eq 'checkDevOps', 'MSG found' )
or print STDERR Dumper($res);
count(8);
$client->logout($id);
$client->logout($id);
clean_sessions();
clean_sessions();
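Review bot: The second new request, with `url=http://test3.example.com#test`, carries the description `'POST checkdevops with wrong url'` while the assertion that follows expects the well-formed `http://test3.example.com/rules.json`, so the label contradicts what the test checks; `'POST checkdevops with URL fragment'` would be accurate, and `'Well formatted URL'` fixes the spelling of the next description. The replaced block's assertions on `FILE`, the `$uid ne qq#dwho#` rule and `MSG eq 'checkDevOps'` for a successful download do not reappear in these hunks (the count drops from 8 to 3); if they were not moved elsewhere in the file, the successful-download path is no longer covered. The fragment case also asserts nothing about `MSG`, so adding `ok( $res->{MSG} eq 'checkDevOps', 'MSG found' ) or print STDERR Dumper($res);` and raising `count(3)` to `count(4)` would pin that the URL is accepted as well as normalised.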