From 41541df6ec2e6173de8c36c074d8726b1f1d1560 Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Fri, 8 Oct 2021 21:47:59 +0100 Subject: [PATCH] Added testing to cover work done in last commit Relevant to comments in 7224fbcc89f00f2b71644e36bb1b1d96addd1d5a. Added test cases. Ensured they failed pre-commit. Also tested a range of the altered endpoints manually on both local and s3-like filesystems. --- tests/Entity/ExportTest.php | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/Entity/ExportTest.php b/tests/Entity/ExportTest.php index aebc5f245..c8397b695 100644 --- a/tests/Entity/ExportTest.php +++ b/tests/Entity/ExportTest.php @@ -229,6 +229,34 @@ class ExportTest extends TestCase $resp->assertSee('src="/uploads/svg_test.svg"'); } + public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local() + { + $contents = file_get_contents(public_path('.htaccess')); + config()->set('filesystems.images', 'local'); + + $page = Page::query()->first(); + $page->html = ''; + $page->save(); + + $resp = $this->asEditor()->get($page->getUrl('/export/html')); + $resp->assertDontSee(base64_encode($contents)); + } + + public function test_page_export_contained_html_does_not_allow_upward_traversal_with_local_secure() + { + $testFilePath = storage_path('logs/test.txt'); + config()->set('filesystems.images', 'local_secure'); + file_put_contents($testFilePath, 'I am a cat'); + + $page = Page::query()->first(); + $page->html = ''; + $page->save(); + + $resp = $this->asEditor()->get($page->getUrl('/export/html')); + $resp->assertDontSee(base64_encode('I am a cat')); + unlink($testFilePath); + } + public function test_exports_removes_scripts_from_custom_head() { $entities = [