security(backurl): re-sanitize back inside helpers
This commit is contained in:
萝卜
36
tests/Unit/BackUrlSanitizeInsideWithBackTest.php
Normal file
36
tests/Unit/BackUrlSanitizeInsideWithBackTest.php
Normal file
@@ -0,0 +1,36 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Unit;
|
||||
|
||||
use App\Support\BackUrl;
|
||||
use Illuminate\Support\Arr;
|
||||
use Tests\TestCase;
|
||||
|
||||
class BackUrlSanitizeInsideWithBackTest extends TestCase
|
||||
{
|
||||
public function test_with_back_should_drop_unsafe_back_even_if_caller_passes_it_in(): void
|
||||
{
|
||||
$unsafeBack = "'/admin/platform-orders";
|
||||
|
||||
$url = BackUrl::withBack('/admin/site-subscriptions/2', $unsafeBack);
|
||||
|
||||
$this->assertSame('/admin/site-subscriptions/2', $url);
|
||||
}
|
||||
|
||||
public function test_with_back_should_drop_nested_back_even_if_caller_passes_it_in(): void
|
||||
{
|
||||
$nestedBack = '/admin/platform-orders?back=/admin/xx';
|
||||
|
||||
$url = BackUrl::withBack('/admin/site-subscriptions/2', $nestedBack);
|
||||
|
||||
$this->assertSame('/admin/site-subscriptions/2', $url);
|
||||
}
|
||||
|
||||
public function test_with_back_should_keep_safe_back(): void
|
||||
{
|
||||
$back = '/admin/platform-orders/2';
|
||||
$url = BackUrl::withBack('/admin/site-subscriptions/2', $back);
|
||||
|
||||
$this->assertSame('/admin/site-subscriptions/2?' . Arr::query(['back' => $back]), $url);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user