saasshop/tests/Feature/BackUrlSanitizeForLinksShouldRejectUnsafeBackTest.php
2026-03-18 14:27:02 +08:00


<?php
namespace Tests\Feature;
use App\Support\BackUrl;
use PHPUnit\Framework\Attributes\DataProvider;
use Tests\TestCase;
/**
 * Data-driven checks for BackUrl::sanitizeForLinks().
 *
 * The "unsafe" provider lists values the sanitizer must reduce to the empty
 * string (rejection); the "safe" provider lists values it must return
 * unchanged. Rejected categories covered: empty and non-rooted input,
 * protocol-relative and absolute URLs, quote and angle-bracket injection,
 * CRLF (raw and percent-encoded), nested `back=` parameters (plain, encoded,
 * double-encoded) and over-length paths.
 *
 * NOTE(review): no case covers a backslash-prefixed path ("/\host"), which
 * some browsers treat like a protocol-relative URL — worth adding once
 * BackUrl's handling of it is confirmed.
 */
class BackUrlSanitizeForLinksShouldRejectUnsafeBackTest extends TestCase
{
    /**
     * Inputs that sanitizeForLinks() must reject, keyed by scenario name.
     *
     * @return array<string, array{0: string, 1: string}> [incoming, expected]
     */
    public static function unsafeBackProvider(): array
    {
        // A 2101-byte rooted path, used to probe the sanitizer's length limit.
        $overlong = '/' . str_repeat('a', 2100);

        $rejected = [
            'empty'                      => '',
            'no_slash_prefix'            => 'admin',
            'protocol_relative'          => '//evil.com/x',
            'absolute_url'               => 'https://evil.com/x',
            'quote_injection'            => '/admin?x=" onclick="alert(1)',
            'angle_injection'            => '/admin?<script>',
            'crlf_plain'                 => "/admin\nSet-Cookie: x=1",
            'crlf_encoded'               => '/admin?x=%0aSet-Cookie%3A1',
            'nested_back_query'          => '/admin?back=/admin',
            'nested_back_encoded'        => '/admin?x=1%26back%3D%2Fadmin',
            'nested_back_double_encoded' => '/admin?x=1%2526back%253D%252Fadmin',
            'too_long'                   => $overlong,
        ];

        // Every rejected value is expected to sanitize to ''. array_map() over a
        // single array preserves the string keys, so dataset names survive.
        return array_map(
            static fn (string $incoming): array => [$incoming, ''],
            $rejected,
        );
    }

    /**
     * Inputs that sanitizeForLinks() must pass through unchanged.
     *
     * @return array<string, array{0: string, 1: string}> [incoming, expected]
     */
    public static function safeBackProvider(): array
    {
        $kept = [
            'simple'        => '/admin',
            'with_query'    => '/admin/platform-orders?sync_status=failed',
            'with_fragment' => '/admin/platform-orders#payment-receipts',
        ];

        // Expected output equals the input for every safe case.
        return array_map(
            static fn (string $url): array => [$url, $url],
            $kept,
        );
    }

    /**
     * Each unsafe dataset must be rejected, i.e. sanitized to the empty string.
     */
    #[DataProvider('unsafeBackProvider')]
    public function test_sanitize_for_links_should_reject_unsafe_back(string $incoming, string $expected): void
    {
        $actual = BackUrl::sanitizeForLinks($incoming);

        $this->assertSame($expected, $actual);
    }

    /**
     * Each safe dataset must come back byte-for-byte identical.
     */
    #[DataProvider('safeBackProvider')]
    public function test_sanitize_for_links_should_keep_safe_back(string $incoming, string $expected): void
    {
        $actual = BackUrl::sanitizeForLinks($incoming);

        $this->assertSame($expected, $actual);
    }
}