Make sure Easter egg substrings are not used as blog post slugs or ta…

…lk actions
spaze · Jan 15, 2025 · 0f70589 · 0f70589
1 parent 416be91
commit 0f70589
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 8 deletions.
diff --git a/app/src/EasterEgg/FourOhFourButFound.php b/app/src/EasterEgg/FourOhFourButFound.php
@@ -38,4 +38,13 @@ public function sendItMaybe(Presenter $presenter): void
 		}
 	}
 
+
+	/**
+	 * @return list<string>
+	 */
+	public function getRequestSubstrings(): array
+	{
+		return array_keys(self::TEMPLATES);
+	}
+
 }
diff --git a/app/src/Form/FormValidators.php b/app/src/Form/FormValidators.php
@@ -4,6 +4,7 @@
 namespace MichalSpacekCz\Form;
 
 use Contributte\Translation\Translator;
+use MichalSpacekCz\EasterEgg\FourOhFourButFound;
 use Nette\Forms\Controls\TextInput;
 use Nette\Forms\Form;
 
@@ -12,13 +13,16 @@
 
 	public function __construct(
 		private Translator $translator,
+		private FourOhFourButFound $fourOhFourButFound,
 	) {
 	}
 
 
 	public function addValidateSlugRules(TextInput $input): void
 	{
-		$input->addRule(Form::Pattern, $this->translator->translate('messages.forms.validateSlugParamsError'), '[a-z0-9.,_-]+');
+		$input
+			->addRule(Form::Pattern, $this->translator->translate('messages.forms.validateSlugParamsError'), '[a-z0-9.,_-]+')
+			->addRule(Form::IsNotIn, $this->translator->translate('messages.forms.validateSlugParamsEasterEgg'), $this->fourOhFourButFound->getRequestSubstrings());
 	}
 
 }
diff --git a/app/src/lang/messages.cs_CZ.neon b/app/src/lang/messages.cs_CZ.neon
@@ -398,3 +398,4 @@ httpHeaders:
 	headerNotSent: "hlavička neposlána"
 forms:
 	validateSlugParamsError: "%label musí odpovídat formátu %d"
+	validateSlugParamsEasterEgg: "%label nemůže být '%value', protože to spustí Easter egg"
diff --git a/app/src/lang/messages.en_US.neon b/app/src/lang/messages.en_US.neon
@@ -398,3 +398,4 @@ httpHeaders:
 	headerNotSent: "header not sent"
 forms:
 	validateSlugParamsError: "%label must match %d"
+	validateSlugParamsEasterEgg: "%label can't be '%value', because that's used by an Easter egg"
diff --git a/app/tests/EasterEgg/FourOhFourButFoundTest.phpt b/app/tests/EasterEgg/FourOhFourButFoundTest.phpt
@@ -39,6 +39,8 @@ class FourOhFourButFoundTest extends TestCase
 			['/etc/foo?file=..%2F..%2F..%2Fetc%2Fpasswd', 'rick:x:1337:1337:Astley'],
 			['/etc/foo?file=../../../etc/passwd&foo/bar', 'rick:x:1337:1337:Astley'],
 			['/etc/foo?file=..%2F..%2F..%2Fetc%2Fpasswd&foo/bar', 'rick:x:1337:1337:Astley'],
+			['/?%adfoo', 'Parse error'],
+			['/?%ad=/etc/passwd&bar', 'Parse error'],
 		];
 	}
 
@@ -57,13 +59,8 @@ class FourOhFourButFoundTest extends TestCase
 				$this->fourOhFourButFound->sendItMaybe($presenter);
 			}));
 			$response = $presenter->getResponse();
-			if (!$response instanceof TextResponse) {
-				Assert::fail('Response is of a wrong type ' . get_debug_type($response));
-			} elseif (!is_string($response->getSource())) {
-				Assert::fail('Source should be a string but is ' . get_debug_type($response->getSource()));
-			} else {
-				Assert::contains($contains, $response->getSource());
-			}
+			assert ($response instanceof TextResponse && is_string($response->getSource()));
+			Assert::contains($contains, $response->getSource());
 		}
 	}