$resp->assertSee('src="/uploads/svg_test.svg"');
}
+ public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local()
+ {
+ $contents = file_get_contents(public_path('.htaccess'));
+ config()->set('filesystems.images', 'local');
+
+ $page = Page::query()->first();
+ $page->html = '<img src="http://localhost/uploads/images/../../.htaccess"/>';
+ $page->save();
+
+ $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+ $resp->assertDontSee(base64_encode($contents));
+ }
+
+ public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure()
+ {
+ $testFilePath = storage_path('logs/test.txt');
+ config()->set('filesystems.images', 'local_secure');
+ file_put_contents($testFilePath, 'I am a cat');
+
+ $page = Page::query()->first();
+ $page->html = '<img src="http://localhost/uploads/images/../../logs/test.txt"/>';
+ $page->save();
+
+ $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+ $resp->assertDontSee(base64_encode('I am a cat'));
+ unlink($testFilePath);
+ }
+
public function test_exports_removes_scripts_from_custom_head()
{
$entities = [
$this->assertPermissionError($resp);
}
}
+
+ public function test_wkhtmltopdf_only_used_when_allow_untrusted_is_true()
+ {
+ /** @var Page $page */
+ $page = Page::query()->first();
+
+ config()->set('snappy.pdf.binary', '/abc123');
+ config()->set('app.allow_untrusted_server_fetching', false);
+
+ $resp = $this->asEditor()->get($page->getUrl('/export/pdf'));
+ $resp->assertStatus(200); // Sucessful response with invalid snappy binary indicates dompdf usage.
+
+ config()->set('app.allow_untrusted_server_fetching', true);
+ $resp = $this->get($page->getUrl('/export/pdf'));
+ $resp->assertStatus(500); // Bad response indicates wkhtml usage
+ }
}
projects / bookstack / blobdiff