Security: Added new SSR allow list and validator

Included unit tests to cover validator functionality. Added to webhooks. Still need to do testing specifically for webhooks.
2025-08-07 23:03:00 +03:00 · 2023-08-26 15:28:29 +01:00
parent 9100a82b47
commit c324ad928d
5 changed files with 137 additions and 0 deletions
--- a/app/Util/SsrUrlValidator.php
+++ b/app/Util/SsrUrlValidator.php
@@ -0,0 +1,64 @@
+<?php
+
+namespace BookStack\Util;
+
+use BookStack\Exceptions\HttpFetchException;
+
+class SsrUrlValidator
+{
+    protected string $config;
+
+    public function __construct(string $config = null)
+    {
+        $this->config = $config ?? config('app.ssr_hosts') ?? '';
+    }
+
+    /**
+     * @throws HttpFetchException
+     */
+    public function ensureAllowed(string $url): void
+    {
+        if (!$this->allowed($url)) {
+            throw new HttpFetchException(trans('errors.http_ssr_url_no_match'));
+        }
+    }
+
+    /**
+     * Check if the given URL is allowed by the configured SSR host values.
+     */
+    public function allowed(string $url): bool
+    {
+        $allowed = $this->getHostPatterns();
+
+        foreach ($allowed as $pattern) {
+            if ($this->urlMatchesPattern($url, $pattern)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    protected function urlMatchesPattern($url, $pattern): bool
+    {
+        $pattern = trim($pattern);
+        $url = trim($url);
+
+        if (empty($pattern) || empty($url)) {
+            return false;
+        }
+
+        $quoted = preg_quote($pattern, '/');
+        $regexPattern = str_replace('\*', '.*', $quoted);
+
+        return preg_match('/^' . $regexPattern . '.*$/i', $url);
+    }
+
+    /**
+     * @return string[]
+     */
+    protected function getHostPatterns(): array
+    {
+        return explode(' ', strtolower($this->config));
+    }
+}