fix(back): 订阅详情页 back 校验拒绝 nested back + 护栏测试

2026-03-14 02:09:07 +00:00
parent 56bf040252
commit 7479eb0e77
2 changed files with 69 additions and 1 deletions
--- a/resources/views/admin/site_subscriptions/show.blade.php
+++ b/resources/views/admin/site_subscriptions/show.blade.php
@@ -121,7 +121,12 @@
        @php
            $back = (string) request()->query('back', '');
            // back 安全校验：只接受相对路径，且拒绝引号/尖括号（由于下方 href 采用原样输出以避免 &amp; 影响回链/断言）
-            $safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : '';
+            $safeBack = (str_starts_with($back, '/')
+                && !preg_match('/["\'<>]/', $back)
+                // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
+                && !preg_match('/(?:^|[?&])back=/', $back))
+                ? $back
+                : '';
        @endphp

        @if($safeBack)
--- a/tests/Feature/AdminSiteSubscriptionShowBackValidationTest.php
+++ b/tests/Feature/AdminSiteSubscriptionShowBackValidationTest.php
@@ -0,0 +1,63 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\Merchant;
+use App\Models\Plan;
+use App\Models\SiteSubscription;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminSiteSubscriptionShowBackValidationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public function test_show_should_not_render_back_link_when_back_contains_nested_back_param(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $merchant = Merchant::query()->firstOrFail();
+        $plan = Plan::query()->create([
+            'code' => 'sub_show_back_nested_plan',
+            'name' => '订阅详情 nested back 校验测试套餐',
+            'billing_cycle' => 'monthly',
+            'price' => 10,
+            'list_price' => 10,
+            'status' => 'active',
+            'sort' => 10,
+            'published_at' => now(),
+        ]);
+
+        $sub = SiteSubscription::query()->create([
+            'merchant_id' => $merchant->id,
+            'plan_id' => $plan->id,
+            'status' => 'active',
+            'source' => 'manual',
+            'subscription_no' => 'SUB_SHOW_BACK_NESTED_0001',
+            'plan_name' => $plan->name,
+            'billing_cycle' => $plan->billing_cycle,
+            'period_months' => 1,
+            'amount' => 10,
+            'starts_at' => now(),
+            'ends_at' => now()->addMonth(),
+        ]);
+
+        $nestedBack = '/admin/site-subscriptions?status=active&back=/admin/platform-orders';
+
+        $res = $this->get('/admin/site-subscriptions/' . $sub->id . '?back=' . urlencode($nestedBack));
+        $res->assertOk();
+
+        $res->assertDontSee('返回上一页（保留上下文）');
+        $res->assertDontSee($nestedBack, false);
+    }
+}