fix: adds test for RequestInterface::getRequestTarget origin-form

weierophinney · weierophinney · commit 13ef0b2490bb · 2022-11-22T16:14:27.000-06:00
Adds RequestIntegrationTest::testGetRequestTargetInOriginFormNormalizesUriWithMultipleLeadingSlashesInPath(), which verifies that calling `getRequestTarget()` with a URI that contains a path with multiple leading slashes normalizes those slases to a single leading slash, in order to prevent XSS attacks.

Signed-off-by: Matthew Weier O'Phinney &lt;matthew@weierophinney.net&gt;
diff --git a/src/RequestIntegrationTest.php b/src/RequestIntegrationTest.php
@@ -169,4 +169,20 @@ public function testUriPreserveHost_Host_Host()
         $request2 = $request->withUri($this->buildUri('http://www.bar.com/foo'), true);
         $this->assertEquals($host, $request2->getHeaderLine('host'));
     }
+
+    /**
+     * @see UriIntegrationTest::testGetPathNormalizesMultipleLeadingSlashesToSingleSlashToPreventXSS
+     */
+    public function testGetRequestTargetInOriginFormNormalizesUriWithMultipleLeadingSlashesInPath()
+    {
+        if (isset($this->skippedTests[__FUNCTION__])) {
+            $this->markTestSkipped($this->skippedTests[__FUNCTION__]);
+        }
+
+        $url = 'http://example.org//valid///path';
+        $request = $this->request->withUri($this->buildUri($url));
+        $requestTarget = $request->getRequestTarget();
+
+        $this->assertSame('/valid///path', $requestTarget);
+    }
 }
