Modified the AttachedFile model to always escape the html to avoid XSS attacks using the file name. Also added a unit test to prevent regressions. ------ Modificado el modelo AttachedFile para escapar siempre el html y evitar así ataques XSS usando el nombre del archivo. Añadido también un test unitario para prevenir regresiones.
Showing
3 changed files
with
59 additions
and
0 deletions.
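--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]/AttachedFileTest.php
@@ -0,0 +1,56 @@
+<?php
+/**
+* This file is part of FacturaScripts
+* Copyright (C) 2022 Carlos Garcia Gomez <carlos@facturascripts.com>
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+namespace FacturaScripts\Test\Core\Model;
+
+use FacturaScripts\Core\Base\ToolBox;
+use FacturaScripts\Core\Model\AttachedFile;
+use PHPUnit\Framework\TestCase;
+
+final class AttachedFileTest extends TestCase
+{
+public function testSaveFile()
+{
+$name = 'xss"\'><img src=x onerror=alert(123)>.jpeg';
+$filePath = FS_FOLDER . '/Test/__files/' . $name;
+$this->assertTrue(file_exists($filePath), 'File not found: ' . $filePath);
+
+// copiamos el archivo a MyFiles
+$this->assertTrue(copy($filePath, FS_FOLDER . '/MyFiles/' . $name), 'File not copied');
+
+$model = new AttachedFile();
+$model->path = $name;
+$this->assertTrue($model->save(), 'can-not-save-file');
+
+// filename no puede contener html
+$fileNameNoHtml = ToolBox::utils()::noHtml($name);
+$this->assertEquals($fileNameNoHtml, $model->filename);
+
+// si forzamos el html en el filename, debe quitar el html
+$model->filename = $name;
+$this->assertTrue($model->save(), 'can-not-update-file');
+$this->assertEquals($fileNameNoHtml, $model->filename);
+
+// podemos eliminar
+$this->assertTrue($model->delete(), 'can-not-delete-file');
+
+// el archivo ya no está en el path
+$this->assertFalse(file_exists($model->path));
+}
+}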
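Review bot: The two `assertEquals($fileNameNoHtml, $model->filename)` checks compare the model's output against the very helper (`ToolBox::utils()::noHtml()`) the model presumably calls, so a regression inside `noHtml` that stops stripping markup would still pass; add an independent assertion such as `$this->assertStringNotContainsString('<', $model->filename);` and `$this->assertStringNotContainsString('>', $model->filename);` so the test pins the property that matters (no HTML in the stored name) rather than agreement with one implementation. The fixture name contains `"`, `'`, `<` and `>`, which NTFS does not allow in file names, so the initial `file_exists($filePath)` assertion will fail on Windows checkouts — a comment noting this, or a skip on that platform, would save a confusing red build. The final `assertFalse(file_exists($model->path))` depends on what `path` holds after `save()`; if it is still the bare relative `$name` set on the line above `save()`, it resolves against the working directory rather than MyFiles and passes even when the file was not removed — checking `FS_FOLDER . '/MyFiles/' . $name` explicitly would be unambiguous, and the copied file is also left behind if an earlier assertion fails. The AttachedFile model change this test covers is in another of the three changed files not shown on this page.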