From: Dan Brown Date: Fri, 8 Oct 2021 20:47:59 +0000 (+0100) Subject: Added testing to cover work done in last commit X-Git-Tag: v21.08.5~1^2~3 X-Git-Url: http://source.bookstackapp.com/bookstack/commitdiff_plain/41541df6ec2e6173de8c36c074d8726b1f1d1560 Added testing to cover work done in last commit Relevant to comments in 7224fbcc89f00f2b71644e36bb1b1d96addd1d5a. Added test cases. Ensured they failed pre-commit. Also tested a range of the altered endpoints manually on both local and s3-like filesystems. --- diff --git a/tests/Entity/ExportTest.php b/tests/Entity/ExportTest.php index aebc5f245..c8397b695 100644 --- a/tests/Entity/ExportTest.php +++ b/tests/Entity/ExportTest.php @@ -229,6 +229,34 @@ class ExportTest extends TestCase $resp->assertSee('src="/uploads/svg_test.svg"'); } + public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local() + { + $contents = file_get_contents(public_path('.htaccess')); + config()->set('filesystems.images', 'local'); + + $page = Page::query()->first(); + $page->html = ''; + $page->save(); + + $resp = $this->asEditor()->get($page->getUrl('/export/html')); + $resp->assertDontSee(base64_encode($contents)); + } + + public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure() + { + $testFilePath = storage_path('logs/test.txt'); + config()->set('filesystems.images', 'local_secure'); + file_put_contents($testFilePath, 'I am a cat'); + + $page = Page::query()->first(); + $page->html = ''; + $page->save(); + + $resp = $this->asEditor()->get($page->getUrl('/export/html')); + $resp->assertDontSee(base64_encode('I am a cat')); + unlink($testFilePath); + } + public function test_exports_removes_scripts_from_custom_head() { $entities = [