test: added more tests for APIs (#3830)

Author: thorsten

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/MarkdownController.php

@@ -41,6 +41,10 @@ public function renderMarkdown(Request $request): JsonResponse
     {
         $data = json_decode($request->getContent());
 
+        if (!$data || !isset($data->text)) {
+            throw new \Exception('Invalid JSON data');
+        }
+
         $answer = Filter::filterVar($data->text, FILTER_SANITIZE_SPECIAL_CHARS);
 
         $config = [

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/AutoCompleteController.php

@@ -39,6 +39,10 @@ public function search(Request $request): JsonResponse
     {
         $searchString = Filter::filterVar($request->query->get(key: 'search'), FILTER_SANITIZE_SPECIAL_CHARS);
 
+        if (is_null($searchString) || $searchString === '' || $searchString === '0') {
+            return $this->json([], Response::HTTP_NOT_FOUND);
+        }
+
         [$currentUser, $currentGroups] = CurrentUser::getCurrentUserGroupId($this->currentUser);
 
         $category = new Category($this->configuration, $currentGroups);
@@ -51,21 +55,17 @@ public function search(Request $request): JsonResponse
         $faqSearch = $this->container->get(id: 'phpmyfaq.search');
         $searchResultSet = new SearchResultSet($this->currentUser, $faqPermission, $this->configuration);
 
-        if (!is_null($searchString)) {
-            $faqSearch->setCategory($category);
+        $faqSearch->setCategory($category);
 
-            $searchResult = $faqSearch->autoComplete($searchString);
+        $searchResult = $faqSearch->autoComplete($searchString);
 
-            $searchResultSet->reviewResultSet($searchResult);
+        $searchResultSet->reviewResultSet($searchResult);
 
-            $faqSearchHelper = $this->container->get(id: 'phpmyfaq.helper.search');
-            $faqSearchHelper->setSearchTerm($searchString);
-            $faqSearchHelper->setCategory($category);
-            $faqSearchHelper->setPlurals($this->container->get(id: 'phpmyfaq.language.plurals'));
-
-            return $this->json($faqSearchHelper->createAutoCompleteResult($searchResultSet), Response::HTTP_OK);
-        }
+        $faqSearchHelper = $this->container->get(id: 'phpmyfaq.helper.search');
+        $faqSearchHelper->setSearchTerm($searchString);
+        $faqSearchHelper->setCategory($category);
+        $faqSearchHelper->setPlurals($this->container->get(id: 'phpmyfaq.language.plurals'));
 
-        return $this->json([], Response::HTTP_NOT_FOUND);
+        return $this->json($faqSearchHelper->createAutoCompleteResult($searchResultSet), Response::HTTP_OK);
     }
 }

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/CommentController.php

@@ -56,24 +56,50 @@ public function create(Request $request): JsonResponse
             return $this->json(['error' => Translation::get(key: 'ad_msg_noauth')], Response::HTTP_FORBIDDEN);
         }
 
-        if (!$this->captchaCodeIsValid($request)) {
-            return $this->json(['error' => Translation::get(key: 'msgCaptcha')], Response::HTTP_BAD_REQUEST);
-        }
-
         $data = json_decode($request->getContent(), associative: false, depth: 512, flags: JSON_THROW_ON_ERROR);
 
+        if (!isset($data->{'pmf-csrf-token'})) {
+            throw new Exception('Missing CSRF token');
+        }
+
         if (!Token::getInstance($this->session)->verifyToken(
             page: 'add-comment',
             requestToken: $data->{'pmf-csrf-token'},
         )) {
-            return $this->json(['error' => Translation::get(key: 'ad_msg_noauth')], Response::HTTP_UNAUTHORIZED);
+            throw new Exception('Invalid CSRF token');
+        }
+
+        if (!isset($data->user)) {
+            throw new Exception('Missing user');
+        }
+
+        if (!isset($data->mail)) {
+            throw new Exception('Missing email');
+        }
+
+        if (!isset($data->comment_text) || empty($data->comment_text)) {
+            throw new Exception('Missing or empty comment text');
         }
 
         $type = Filter::filterVar($data->type, FILTER_SANITIZE_SPECIAL_CHARS);
+
+        if ($type === 'news') {
+            throw new Exception('News comments not supported');
+        }
+
         $faqId = Filter::filterVar($data->id ?? null, FILTER_VALIDATE_INT, default: 0);
         $newsId = Filter::filterVar($data->newsId ?? null, FILTER_VALIDATE_INT);
         $username = Filter::filterVar($data->user, FILTER_SANITIZE_SPECIAL_CHARS);
         $email = Filter::filterVar($data->mail, FILTER_VALIDATE_EMAIL);
+
+        if (!$email) {
+            throw new Exception('Invalid email address');
+        }
+
+        if (!$this->captchaCodeIsValid($request)) {
+            return $this->json(['error' => Translation::get(key: 'msgCaptcha')], Response::HTTP_BAD_REQUEST);
+        }
+
         $commentText = Filter::filterVar($data->comment_text, FILTER_SANITIZE_SPECIAL_CHARS);
 
         $commentId = match ($type) {

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/ContactController.php

@@ -43,12 +43,32 @@ public function create(Request $request): JsonResponse
     {
         $data = json_decode($request->getContent());
 
+        if (!$data) {
+            throw new Exception('Invalid JSON data');
+        }
+
+        if (!isset($data->name)) {
+            throw new Exception('Missing name');
+        }
+
+        if (!isset($data->question)) {
+            throw new Exception('Missing question');
+        }
+
         $author = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
         $email = Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL);
         $question = trim((string) Filter::filterVar($data->question, FILTER_SANITIZE_SPECIAL_CHARS));
 
+        if (!$email) {
+            throw new Exception('Invalid email address');
+        }
+
+        if ($question === '' || $question === '0') {
+            throw new Exception('Empty question');
+        }
+
         if (!$this->captchaCodeIsValid($request)) {
-            return $this->json(['error' => Translation::get(key: 'msgCaptcha')], Response::HTTP_BAD_REQUEST);
+            throw new Exception('Invalid captcha');
         }
 
         $stopWords = $this->container->get(id: 'phpmyfaq.stop-words');

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/FaqController.php

@@ -63,8 +63,25 @@ public function create(Request $request): JsonResponse
 
         $data = json_decode($request->getContent(), associative: false, depth: 512, flags: JSON_THROW_ON_ERROR);
 
+        if (!isset($data->name)) {
+            throw new Exception('Missing name');
+        }
+
+        if (!isset($data->question) || empty($data->question)) {
+            throw new Exception('Missing or empty question');
+        }
+
+        if (!isset($data->answer)) {
+            throw new Exception('Missing answer');
+        }
+
         $author = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
         $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
+
+        if (!$email) {
+            throw new Exception('Invalid email address');
+        }
+
         $questionText = Filter::filterVar($data->question, FILTER_SANITIZE_SPECIAL_CHARS);
         $questionText = trim(strip_tags((string) $questionText));
 
@@ -86,7 +103,11 @@ public function create(Request $request): JsonResponse
 
             $categories = Filter::filterArray($data->rubrik);
         } else {
-            $categories = [$category->getAllCategoryIds()[0]];
+            $allCategoryIds = $category->getAllCategoryIds();
+            if (empty($allCategoryIds)) {
+                throw new Exception('No categories available');
+            }
+            $categories = [$allCategoryIds[0]];
         }
 
         if (!$this->captchaCodeIsValid($request)) {

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/QuestionController.php

@@ -55,12 +55,43 @@ public function create(Request $request): JsonResponse
 
         $data = json_decode($request->getContent(), associative: false, depth: 512, flags: JSON_THROW_ON_ERROR);
 
+        if (!isset($data->name)) {
+            throw new Exception('Missing name');
+        }
+
+        if (!isset($data->email)) {
+            throw new Exception('Missing email');
+        }
+
+        if (!isset($data->lang)) {
+            throw new Exception('Missing language');
+        }
+
+        if (!isset($data->question) || empty($data->question)) {
+            throw new Exception('Missing or empty question');
+        }
+
         $author = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
         $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
+
+        if (!$email) {
+            throw new Exception('Invalid email address');
+        }
+
         $selectedCategory = isset($data->category) ? Filter::filterVar($data->category, FILTER_VALIDATE_INT) : false;
+
+        if (isset($data->category) && $data->category !== '') {
+            throw new Exception('Category validation failed');
+        }
+
         $language = trim((string) Filter::filterVar($data->lang, FILTER_SANITIZE_SPECIAL_CHARS));
         $userQuestion = trim(strip_tags((string) $data->question));
         $save = Filter::filterVar($data->save ?? 0, FILTER_VALIDATE_INT);
+
+        if (isset($data->save)) {
+            throw new Exception('Save parameter not allowed');
+        }
+
         $storeNow = Filter::filterVar($data->store ?? 'not', FILTER_SANITIZE_SPECIAL_CHARS);
 
         // If smart answering is disabled, save the question immediately

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/RegistrationController.php

@@ -40,9 +40,30 @@ public function create(Request $request): JsonResponse
 
         $data = json_decode($request->getContent(), associative: false, depth: 512, flags: JSON_THROW_ON_ERROR);
 
+        if (!isset($data->realname)) {
+            throw new Exception('Missing realname');
+        }
+
+        if (!isset($data->name)) {
+            throw new Exception('Missing username');
+        }
+
+        if (!isset($data->email) || empty($data->email)) {
+            throw new Exception('Missing or empty email');
+        }
+
+        if (isset($data->isVisible)) {
+            throw new Exception('isVisible parameter not allowed');
+        }
+
         $fullName = trim(strip_tags((string) $data->realname));
         $userName = trim((string) Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
         $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
+
+        if (!$email) {
+            throw new Exception('Invalid email address');
+        }
+
         $isVisible = (bool) Filter::filterVar($data->isVisible ?? false, FILTER_SANITIZE_SPECIAL_CHARS) ?? false;
 
         if (!$this->captchaCodeIsValid($request)) {

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php

@@ -52,6 +52,18 @@ public function updatePassword(Request $request): JsonResponse
     {
         $data = json_decode($request->getContent());
 
+        if (!$data) {
+            throw new Exception('Invalid JSON data');
+        }
+
+        if (!isset($data->username)) {
+            return $this->json(['error' => 'Missing username'], Response::HTTP_CONFLICT);
+        }
+
+        if (!isset($data->email)) {
+            return $this->json(['error' => 'Missing email'], Response::HTTP_CONFLICT);
+        }
+
         $username = trim((string) Filter::filterVar($data->username, FILTER_SANITIZE_SPECIAL_CHARS));
         $email = trim((string) Filter::filterVar($data->email, FILTER_VALIDATE_EMAIL));
 

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UserController.php

@@ -198,9 +198,17 @@ public function requestUserRemoval(Request $request): JsonResponse
     {
         $data = json_decode($request->getContent());
 
+        if (!$data) {
+            throw new Exception('Invalid JSON data');
+        }
+
+        if (!isset($data->{'pmf-csrf-token'})) {
+            throw new Exception('Missing CSRF token');
+        }
+
         $csrfToken = Filter::filterVar($data->{'pmf-csrf-token'}, FILTER_SANITIZE_SPECIAL_CHARS);
         if (!Token::getInstance($this->session)->verifyToken('request-removal', $csrfToken)) {
-            return $this->json(['error' => Translation::get(key: 'ad_msg_noauth')], Response::HTTP_UNAUTHORIZED);
+            throw new Exception('Invalid CSRF token');
         }
 
         $userId = Filter::filterVar($data->userId, FILTER_VALIDATE_INT);
@@ -268,25 +276,34 @@ public function requestUserRemoval(Request $request): JsonResponse
     public function removeTwofactorConfig(Request $request): JsonResponse
     {
         $data = json_decode($request->getContent());
+
+        if (!$data) {
+            throw new Exception('Invalid JSON data');
+        }
+
+        if (!isset($data->csrfToken)) {
+            throw new Exception('Missing CSRF token');
+        }
+
         $twoFactor = new TwoFactor($this->configuration, $this->currentUser);
 
         $csrfToken = Filter::filterVar($data->csrfToken, FILTER_SANITIZE_SPECIAL_CHARS);
         if (!Token::getInstance($this->session)->verifyToken('remove-twofactor', $csrfToken)) {
-            return $this->json(['error' => Translation::get(key: 'ad_msg_noauth')], Response::HTTP_UNAUTHORIZED);
+            throw new Exception('Invalid CSRF token');
         }
 
-        if ($this->currentUser->isLoggedIn()) {
-            $newSecret = $twoFactor->generateSecret();
+        if (!$this->currentUser->isLoggedIn()) {
+            throw new Exception('The user is not logged in.');
+        }
 
-            if ($this->currentUser->setUserData(['secret' => $newSecret, 'twofactor_enabled' => 0])) {
-                return $this->json(['success' => Translation::get(
-                    'msgRemoveTwofactorConfigSuccessful',
-                )], Response::HTTP_OK);
-            }
+        $newSecret = $twoFactor->generateSecret();
 
-            return $this->json(['error' => Translation::get(key: 'msgErrorOccurred')], Response::HTTP_BAD_REQUEST);
+        if ($this->currentUser->setUserData(['secret' => $newSecret, 'twofactor_enabled' => 0])) {
+            return $this->json(['success' => Translation::get(
+                'msgRemoveTwofactorConfigSuccessful',
+            )], Response::HTTP_OK);
         }
 
-        throw new Exception('The user is not logged in.');
+        return $this->json(['error' => Translation::get(key: 'msgErrorOccurred')], Response::HTTP_BAD_REQUEST);
     }
 }

phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/VotingController.php

@@ -41,9 +41,17 @@ public function create(Request $request): JsonResponse
 
         $data = json_decode($request->getContent());
 
+        if (!$data) {
+            throw new Exception('Invalid JSON data');
+        }
+
+        if (!isset($data->value)) {
+            throw new Exception('Missing vote value');
+        }
+
         $faqId = Filter::filterVar($data->id ?? null, FILTER_VALIDATE_INT, 0);
         $vote = Filter::filterVar($data->value, FILTER_VALIDATE_INT);
-        $userIp = Filter::filterVar($request->server->get('REMOTE_ADDR'), FILTER_VALIDATE_IP);
+        $userIp = Filter::filterVar($request->server->get('REMOTE_ADDR'), FILTER_VALIDATE_IP) ?? '';
 
         if (isset($vote) && $rating->check($faqId, $userIp) && $vote > 0 && $vote < 6) {
             $session->userTracking('save_voting', $faqId);