Fixed local_secure_restricted preventing attachment uploads

[bookstack] / tests / Entity / ExportTest.php

diff --git a/tests/Entity/ExportTest.php b/tests/Entity/ExportTest.php
index 7031c3875a77edb925527d4dc4cd272d18111e55..0d13d208e9f0409fe2006c4471e1ea738a5008d9 100644 (file)
--- a/tests/Entity/ExportTest.php
+++ b/tests/Entity/ExportTest.php
@@ -6,6 +6,7 @@ use BookStack\Auth\Role;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Page;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Page;

+use BookStack\Entities\Tools\PdfGenerator;

 use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Str;
 use Tests\TestCase;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Str;
 use Tests\TestCase;


@@ -139,7 +140,7 @@ class ExportTest extends TestCase
         $this->setSettings(['app-custom-head' => $customHeadContent]);
 
         $resp = $this->asEditor()->get($page->getUrl('/export/html'));
         $this->setSettings(['app-custom-head' => $customHeadContent]);
 
         $resp = $this->asEditor()->get($page->getUrl('/export/html'));

-        $resp->assertSee($customHeadContent);
+        $resp->assertSee($customHeadContent, false);

     }
 
     public function test_page_html_export_does_not_break_with_only_comments_in_custom_head()
     }
 
     public function test_page_html_export_does_not_break_with_only_comments_in_custom_head()


@@ -151,7 +152,7 @@ class ExportTest extends TestCase
 
         $resp = $this->asEditor()->get($page->getUrl('/export/html'));
         $resp->assertStatus(200);
 
         $resp = $this->asEditor()->get($page->getUrl('/export/html'));
         $resp->assertStatus(200);

-        $resp->assertSee($customHeadContent);
+        $resp->assertSee($customHeadContent, false);

     }
 
     public function test_page_html_export_use_absolute_dates()
     }
 
     public function test_page_html_export_use_absolute_dates()


@@ -188,7 +189,7 @@ class ExportTest extends TestCase
         Storage::disk('local')->delete('uploads/images/gallery/svg_test.svg');
 
         $resp->assertStatus(200);
         Storage::disk('local')->delete('uploads/images/gallery/svg_test.svg');
 
         $resp->assertStatus(200);

-        $resp->assertSee('<img src="data:image/svg+xml;base64');
+        $resp->assertSee('<img src="data:image/svg+xml;base64', false);

     }
 
     public function test_page_image_containment_works_on_multiple_images_within_a_single_line()
     }
 
     public function test_page_image_containment_works_on_multiple_images_within_a_single_line()


@@ -224,9 +225,37 @@ class ExportTest extends TestCase
         $storageDisk->delete('uploads/images/gallery/svg_test.svg');
         $storageDisk->delete('uploads/svg_test.svg');
 
         $storageDisk->delete('uploads/images/gallery/svg_test.svg');
         $storageDisk->delete('uploads/svg_test.svg');
 

-        $resp->assertDontSee('http://localhost/uploads/images/gallery/svg_test.svg');
+        $resp->assertDontSee('http://localhost/uploads/images/gallery/svg_test.svg', false);

         $resp->assertSee('http://localhost/uploads/svg_test.svg');
         $resp->assertSee('http://localhost/uploads/svg_test.svg');

-        $resp->assertSee('src="/uploads/svg_test.svg"');
+        $resp->assertSee('src="/uploads/svg_test.svg"', false);
+    }
+
+    public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local()
+    {
+        $contents = file_get_contents(public_path('.htaccess'));
+        config()->set('filesystems.images', 'local');
+
+        $page = Page::query()->first();
+        $page->html = '<img src="http://localhost/uploads/images/../../.htaccess"/>';
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+        $resp->assertDontSee(base64_encode($contents));
+    }
+
+    public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure()
+    {
+        $testFilePath = storage_path('logs/test.txt');
+        config()->set('filesystems.images', 'local_secure');
+        file_put_contents($testFilePath, 'I am a cat');
+
+        $page = Page::query()->first();
+        $page->html = '<img src="http://localhost/uploads/images/../../logs/test.txt"/>';
+        $page->save();
+
+        $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+        $resp->assertDontSee(base64_encode('I am a cat'));
+        unlink($testFilePath);

     }
 
     public function test_exports_removes_scripts_from_custom_head()
     }
 
     public function test_exports_removes_scripts_from_custom_head()


@@ -239,7 +268,7 @@ class ExportTest extends TestCase
         foreach ($entities as $entity) {
             $resp = $this->asEditor()->get($entity->getUrl('/export/html'));
             $resp->assertDontSee('window.donkey');
         foreach ($entities as $entity) {
             $resp = $this->asEditor()->get($entity->getUrl('/export/html'));
             $resp->assertDontSee('window.donkey');

-            $resp->assertDontSee('script');
+            $resp->assertDontSee('<script', false);

             $resp->assertSee('.my-test-class { color: red; }');
         }
     }
             $resp->assertSee('.my-test-class { color: red; }');
         }
     }


@@ -261,6 +290,43 @@ class ExportTest extends TestCase
         $resp->assertDontSee('ExportWizardTheFifth');
     }
 
         $resp->assertDontSee('ExportWizardTheFifth');
     }
 

+    public function test_page_pdf_export_converts_iframes_to_links()
+    {
+        $page = Page::query()->first()->forceFill([
+            'html'     => '<iframe width="560" height="315" src="//www.youtube.com/embed/ShqUjt33uOs"></iframe>',
+        ]);
+        $page->save();
+
+        $pdfHtml = '';
+        $mockPdfGenerator = $this->mock(PdfGenerator::class);
+        $mockPdfGenerator->shouldReceive('fromHtml')
+            ->with(\Mockery::capture($pdfHtml))
+            ->andReturn('');
+        $mockPdfGenerator->shouldReceive('getActiveEngine')->andReturn(PdfGenerator::ENGINE_DOMPDF);
+
+        $this->asEditor()->get($page->getUrl('/export/pdf'));
+        $this->assertStringNotContainsString('iframe>', $pdfHtml);
+        $this->assertStringContainsString('<p><a href="https://www.youtube.com/embed/ShqUjt33uOs">https://www.youtube.com/embed/ShqUjt33uOs</a></p>', $pdfHtml);
+    }
+
+    public function test_page_pdf_export_opens_details_blocks()
+    {
+        $page = Page::query()->first()->forceFill([
+            'html'     => '<details><summary>Hello</summary><p>Content!</p></details>',
+        ]);
+        $page->save();
+
+        $pdfHtml = '';
+        $mockPdfGenerator = $this->mock(PdfGenerator::class);
+        $mockPdfGenerator->shouldReceive('fromHtml')
+            ->with(\Mockery::capture($pdfHtml))
+            ->andReturn('');
+        $mockPdfGenerator->shouldReceive('getActiveEngine')->andReturn(PdfGenerator::ENGINE_DOMPDF);
+
+        $this->asEditor()->get($page->getUrl('/export/pdf'));
+        $this->assertStringContainsString('<details open="open"', $pdfHtml);
+    }
+

     public function test_page_markdown_export()
     {
         $page = Page::query()->first();
     public function test_page_markdown_export()
     {
         $page = Page::query()->first();


@@ -296,30 +362,6 @@ class ExportTest extends TestCase
         $resp->assertSee("# Dogcat\n\nSome **bold** text");
     }
 
         $resp->assertSee("# Dogcat\n\nSome **bold** text");
     }
 

-    public function test_page_markdown_export_does_not_convert_callouts()
-    {
-        $page = Page::query()->first()->forceFill([
-            'markdown' => '',
-            'html'     => '<h1>Dogcat</h1><p class="callout info">Some callout text</p><p>Another line</p>',
-        ]);
-        $page->save();
-
-        $resp = $this->asEditor()->get($page->getUrl('/export/markdown'));
-        $resp->assertSee("# Dogcat\n\n<p class=\"callout info\">Some callout text</p>\n\nAnother line");
-    }
-
-    public function test_page_markdown_export_handles_bookstacks_wysiwyg_codeblock_format()
-    {
-        $page = Page::query()->first()->forceFill([
-            'markdown' => '',
-            'html'     => '<h1>Dogcat</h1>' . "\r\n" . '<pre id="bkmrk-var-a-%3D-%27cat%27%3B"><code class="language-JavaScript">var a = \'cat\';</code></pre><p>Another line</p>',
-        ]);
-        $page->save();
-
-        $resp = $this->asEditor()->get($page->getUrl('/export/markdown'));
-        $resp->assertSee("# Dogcat\n\n```JavaScript\nvar a = 'cat';\n```\n\nAnother line");
-    }
-

     public function test_chapter_markdown_export()
     {
         $chapter = Chapter::query()->first();
     public function test_chapter_markdown_export()
     {
         $chapter = Chapter::query()->first();


@@ -342,6 +384,25 @@ class ExportTest extends TestCase
         $resp->assertSee('# ' . $page->name);
     }
 
         $resp->assertSee('# ' . $page->name);
     }
 

+    public function test_book_markdown_export_concats_immediate_pages_with_newlines()
+    {
+        /** @var Book $book */
+        $book = Book::query()->whereHas('pages')->first();
+
+        $this->asEditor()->get($book->getUrl('/create-page'));
+        $this->get($book->getUrl('/create-page'));
+
+        [$pageA, $pageB] = $book->pages()->where('chapter_id', '=', 0)->get();
+        $pageA->html = '<p>hello tester</p>';
+        $pageA->save();
+        $pageB->name = 'The second page in this test';
+        $pageB->save();
+
+        $resp = $this->get($book->getUrl('/export/markdown'));
+        $resp->assertDontSee('hello tester# The second page in this test');
+        $resp->assertSee("hello tester\n\n# The second page in this test");
+    }
+

     public function test_export_option_only_visible_and_accessible_with_permission()
     {
         $book = Book::query()->whereHas('pages')->whereHas('chapters')->first();
     public function test_export_option_only_visible_and_accessible_with_permission()
     {
         $book = Book::query()->whereHas('pages')->whereHas('chapters')->first();


@@ -366,4 +427,42 @@ class ExportTest extends TestCase
             $this->assertPermissionError($resp);
         }
     }
             $this->assertPermissionError($resp);
         }
     }

+
+    public function test_wkhtmltopdf_only_used_when_allow_untrusted_is_true()
+    {
+        /** @var Page $page */
+        $page = Page::query()->first();
+
+        config()->set('snappy.pdf.binary', '/abc123');
+        config()->set('app.allow_untrusted_server_fetching', false);
+
+        $resp = $this->asEditor()->get($page->getUrl('/export/pdf'));
+        $resp->assertStatus(200); // Sucessful response with invalid snappy binary indicates dompdf usage.
+
+        config()->set('app.allow_untrusted_server_fetching', true);
+        $resp = $this->get($page->getUrl('/export/pdf'));
+        $resp->assertStatus(500); // Bad response indicates wkhtml usage
+    }
+
+    public function test_html_exports_contain_csp_meta_tag()
+    {
+        $entities = [
+            Page::query()->first(),
+            Book::query()->first(),
+            Chapter::query()->first(),
+        ];
+
+        foreach ($entities as $entity) {
+            $resp = $this->asEditor()->get($entity->getUrl('/export/html'));
+            $this->withHtml($resp)->assertElementExists('head meta[http-equiv="Content-Security-Policy"][content*="script-src "]');
+        }
+    }
+
+    public function test_html_exports_contain_body_classes_for_export_identification()
+    {
+        $page = Page::query()->first();
+
+        $resp = $this->asEditor()->get($page->getUrl('/export/html'));
+        $this->withHtml($resp)->assertElementExists('body.export.export-format-html.export-engine-none');
+    }

 }
 }