linxianzhuang/saasshop
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden products batch return_url: reject quotes and nested back

Browse Source
This commit is contained in:
萝卜
2026-03-14 10:41:48 +00:00
parent ffd125f972
commit 722f4a1f44
4 changed files with 173 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/Http/Controllers/Admin/ProductController.php
View File

@@ -649,7 +649,23 @@ class ProductController extends Controller
return $default;
}
return str_starts_with($candidate, '/admin/products') ? $candidate : $default;
// 作为“批量操作返回地址”,只允许站内相对路径,并且需要稳定可控:
// - 限定前缀(避免跳出 admin/products 语义域)
// - 拒绝引号/尖括号(降低注入风险)
// - 拒绝 nested back=(避免 URL 膨胀/绕过)
if (! str_starts_with($candidate, '/admin/products')) {
return $default;
}
if (preg_match('/["\'<>]/', $candidate)) {
return $default;
}
if (preg_match('/(?:^|[?&])back=/', $candidate)) {
return $default;
}
return $candidate;
}
protected function filters(Request $request): array

18
app/Http/Controllers/MerchantAdmin/ProductController.php
View File

@@ -621,7 +621,23 @@ class ProductController extends Controller
return $default;
}
return str_starts_with($candidate, '/merchant-admin/products') ? $candidate : $default;
// 作为“批量操作返回地址”,只允许站内相对路径,并且需要稳定可控:
// - 限定前缀(避免跳出 merchant-admin/products 语义域)
// - 拒绝引号/尖括号(降低注入风险)
// - 拒绝 nested back=(避免 URL 膨胀/绕过)
if (! str_starts_with($candidate, '/merchant-admin/products')) {
return $default;
}
if (preg_match('/["\'<>]/', $candidate)) {
return $default;
}
if (preg_match('/(?:^|[?&])back=/', $candidate)) {
return $default;
}
return $candidate;
}
protected function filters(Request $request): array

70
tests/Feature/AdminProductsBatchReturnUrlSanitizeTest.php Normal file
View File

@@ -0,0 +1,70 @@
<?php
namespace Tests\Feature;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
class AdminProductsBatchReturnUrlSanitizeTest extends TestCase
{
use RefreshDatabase;
protected function loginAsPlatformAdmin(): void
{
$this->seed();
$this->post('/admin/login', [
'email' => 'platform.admin@demo.local',
'password' => 'Platform@123456',
])->assertRedirect('/admin');
}
public function test_admin_products_batch_redirects_to_default_when_return_url_has_nested_back(): void
{
$this->loginAsPlatformAdmin();
$product = \App\Models\Product::query()->orderBy('id')->firstOrFail();
$response = $this->post('/admin/products/batch', [
'product_ids' => [$product->id],
'action' => 'change_status',
'status' => 'offline',
// nested back= should be rejected
'return_url' => '/admin/products?status=published&back=/admin',
]);
$response->assertRedirect('/admin/products');
}
public function test_admin_products_batch_redirects_to_default_when_return_url_contains_quotes(): void
{
$this->loginAsPlatformAdmin();
$product = \App\Models\Product::query()->orderBy('id')->firstOrFail();
$response = $this->post('/admin/products/batch', [
'product_ids' => [$product->id],
'action' => 'change_status',
'status' => 'offline',
'return_url' => '/admin/products?status=published"',
]);
$response->assertRedirect('/admin/products');
}
public function test_admin_products_batch_keeps_return_url_when_safe(): void
{
$this->loginAsPlatformAdmin();
$product = \App\Models\Product::query()->orderBy('id')->firstOrFail();
$response = $this->post('/admin/products/batch', [
'product_ids' => [$product->id],
'action' => 'change_status',
'status' => 'offline',
'return_url' => '/admin/products?status=published&merchant_id=1',
]);
$response->assertRedirect('/admin/products?status=published&merchant_id=1');
}
}

69
tests/Feature/MerchantProductsBatchReturnUrlSanitizeTest.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
namespace Tests\Feature;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
class MerchantProductsBatchReturnUrlSanitizeTest extends TestCase
{
use RefreshDatabase;
protected function loginAsMerchantAdmin(): void
{
$this->seed();
$this->post('/merchant-admin/login', [
'email' => 'merchant.admin@demo.local',
'password' => 'Merchant@123456',
])->assertRedirect('/merchant-admin');
}
public function test_merchant_products_batch_redirects_to_default_when_return_url_has_nested_back(): void
{
$this->loginAsMerchantAdmin();
$product = \App\Models\Product::query()->where('merchant_id', 1)->orderBy('id')->firstOrFail();
$response = $this->post('/merchant-admin/products/batch', [
'product_ids' => [$product->id],
'action' => 'change_status',
'status' => 'offline',
'return_url' => '/merchant-admin/products?status=published&back=/merchant-admin',
]);
$response->assertRedirect('/merchant-admin/products');
}
public function test_merchant_products_batch_redirects_to_default_when_return_url_contains_quotes(): void
{
$this->loginAsMerchantAdmin();
$product = \App\Models\Product::query()->where('merchant_id', 1)->orderBy('id')->firstOrFail();
$response = $this->post('/merchant-admin/products/batch', [
'product_ids' => [$product->id],
'action' => 'change_status',
'status' => 'offline',
'return_url' => '/merchant-admin/products?status=published\'',
]);
$response->assertRedirect('/merchant-admin/products');
}
public function test_merchant_products_batch_keeps_return_url_when_safe(): void
{
$this->loginAsMerchantAdmin();
$product = \App\Models\Product::query()->where('merchant_id', 1)->orderBy('id')->firstOrFail();
$response = $this->post('/merchant-admin/products/batch', [
'product_ids' => [$product->id],
'action' => 'change_status',
'status' => 'offline',
'return_url' => '/merchant-admin/products?status=published&keyword=SKU',
]);
$response->assertRedirect('/merchant-admin/products?status=published&keyword=SKU');
}
}