Merge remote-tracking branch 'Origin/main' into feature/queue-and-rate-tweaks

Author: SniperSister

app/Http/Requests/SiteRequest.php

@@ -2,14 +2,21 @@
 
 namespace App\Http\Requests;
 
+use App\Rules\RemoteURL;
 use Illuminate\Foundation\Http\FormRequest;
 
 class SiteRequest extends FormRequest
 {
     public function rules(): array
     {
         return [
-            'url' => 'required|url',
+            'url' => [
+                'required',
+                'string',
+                'url',
+                'max:255',
+                new RemoteURL()
+            ],
             'key' => 'required|string|min:32|max:64',
         ];
     }

app/Network/DNSLookup.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Network;
+
+class DNSLookup
+{
+    public function getIPs(string $hostname): array
+    {
+        // IP as host given
+        $ips = filter_var($hostname, FILTER_VALIDATE_IP) ? [$hostname] : [];
+
+        // Hostname given, resolve IPs
+        if (count($ips) === 0) {
+            try {
+                $dnsResults = dns_get_record($hostname, DNS_A + DNS_AAAA);
+            } catch (\Throwable $e) {
+                return [];
+            }
+
+            if ($dnsResults) {
+                $ips = array_map(function ($dnsResult) {
+                    return !empty($dnsResult['ip']) ? $dnsResult['ip'] : $dnsResult['ipv6'];
+                }, $dnsResults);
+            }
+        }
+
+        return $ips;
+    }
+}

app/Rules/RemoteURL.php

@@ -0,0 +1,45 @@
+<?php
+
+namespace App\Rules;
+
+use App\Network\DNSLookup;
+use Closure;
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Support\Facades\App;
+
+class RemoteURL implements ValidationRule
+{
+    /**
+     * Run the validation rule.
+     *
+     * @param  \Closure(string, ?string=): \Illuminate\Translation\PotentiallyTranslatedString  $fail
+     */
+    public function validate(string $attribute, mixed $value, Closure $fail): void
+    {
+        if (!is_string($value)) {
+            $fail("Invalid URL: URL must be a string.");
+
+            return;
+        }
+
+        $host = (string) parse_url($value, PHP_URL_HOST);
+        $ips = App::make(DNSLookup::class)->getIPs($host);
+
+        // Could not resolve given address
+        if (count($ips) === 0) {
+            $fail("Invalid URL: unresolvable site URL.");
+        }
+
+        // Check each resolved IP
+        foreach ($ips as $ip) {
+            if (!filter_var(
+                $ip,
+                FILTER_VALIDATE_IP,
+                FILTER_FLAG_NO_PRIV_RANGE |  FILTER_FLAG_NO_RES_RANGE
+            )
+            ) {
+                $fail("Invalid URL: local address are disallowed as site URL.");
+            }
+        }
+    }
+}

tests/Feature/Api/SiteControllerTest.php

@@ -123,7 +123,7 @@ public function testCheckingASiteReturns404ForInvalidSite(): void
             ["url" => "https://www.joomlaf.org", "key" => "foobar123foobar123foobar123foobar123"]
         );
 
-        $response->assertStatus(404);
+        $response->assertStatus(422);
     }
 
     public function testDeleteASiteReturns404ForInvalidSite(): void
@@ -133,7 +133,7 @@ public function testDeleteASiteReturns404ForInvalidSite(): void
             ["url" => "https://www.joomlaf.org", "key" => "foobar123foobar123foobar123foobar123"]
         );
 
-        $response->assertStatus(404);
+        $response->assertStatus(422);
     }
 
     public function testDeleteASiteRemovesRow(): void

tests/Unit/Network/DNSLookupTest.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace Tests\Unit\Network;
+
+use App\Network\DNSLookup;
+use Tests\TestCase;
+
+class DNSLookupTest extends TestCase
+{
+    public function testIpAsHostIsReturned()
+    {
+        $object = new DNSLookup();
+        $this->assertSame(['127.0.0.1'], $object->getIPs('127.0.0.1'));
+    }
+
+    public function testEmptyArrayIsReturnedForInvalidHost()
+    {
+        $object = new DNSLookup();
+        $this->assertSame([], $object->getIPs('invalid.host.with.bogus.tld'));
+    }
+
+    public function testIpsAreReturned()
+    {
+        $object = new DNSLookup();
+        $this->assertGreaterThan(5, $object->getIPs('joomla.org'));
+    }
+}

tests/Unit/Rules/RemoteURLTest.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace Tests\Unit\Rules;
+
+use App\Rules\RemoteURL;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Tests\TestCase;
+
+class RemoteURLTest extends TestCase
+{
+    #[DataProvider('urlDataProvider')]
+    public function testRuleHandlesIpsAndHosts($host, $expectedResult, $expectedMessage)
+    {
+        $object = new RemoteURL();
+
+        $object->validate('url', $host, function ($message) use ($expectedResult, $expectedMessage) {
+            if (!$expectedResult) {
+                $this->assertTrue(true);
+                $this->assertSame($expectedMessage, $message);
+            }
+        });
+
+        if ($expectedResult) {
+            $this->assertTrue(true);
+        }
+    }
+
+    public static function urlDataProvider(): array
+    {
+        return [
+            ['https://127.0.0.1', false, 'Invalid URL: local address are disallowed as site URL.'],
+            ['https://localhost', false, 'Invalid URL: local address are disallowed as site URL.'],
+            ['https://10.0.0.1', false, 'Invalid URL: local address are disallowed as site URL.'],
+            ['https://joomla.org', true, ''],
+            ['https://invalid.host.tld', false,'Invalid URL: unresolvable site URL.'],
+        ];
+    }
+}