Do not use unserialize()

arrilot · Jul 31, 2016 · 5cddda5 · 5cddda5
1 parent 596cad8
commit 5cddda5
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 4 deletions.
diff --git a/src/Controllers/WidgetController.php b/src/Controllers/WidgetController.php
@@ -22,7 +22,7 @@ public function showWidget(Request $request)
 
         $factory = app()->make('arrilot.widget');
         $widgetName = $request->input('name', '');
-        $widgetParams = unserialize($request->input('params', ''));
+        $widgetParams = $factory->decryptWidgetParams($request->input('params', ''));
 
         return call_user_func_array([$factory, $widgetName], $widgetParams);
     }

diff --git a/src/Factories/AbstractWidgetFactory.php b/src/Factories/AbstractWidgetFactory.php
@@ -155,4 +155,28 @@ protected function wrapContentInContainer($content)
 
         return '<'.$container['element'].' id="'.$this->javascriptFactory->getContainerId().'" '.$container['attributes'].'>'.$content.'</'.$container['element'].'>';
     }
+
+    /**
+     * Encrypt widget params to be transported via HTTP.
+     * 
+     * @param array $params
+     * @return string 
+     */
+    public function encryptWidgetParams($params)
+    {
+        return $this->app->make('encrypter')->encrypt(json_encode($params));
+    }
+
+    /**
+     * Decrypt widget params that were transported via HTTP.
+     *
+     * @param string $params
+     * @return array
+     */
+    public function decryptWidgetParams($params)
+    {
+        $params = json_decode($this->app->make('encrypter')->decrypt($params), true);
+
+        return $params ? $params : [];
+    }
 }
diff --git a/src/Factories/JavascriptFactory.php b/src/Factories/JavascriptFactory.php
@@ -90,7 +90,7 @@ protected function constructAjaxCall()
         $queryParams = [
             'id'     => WidgetId::get(),
             'name'   => $this->widgetFactory->widgetName,
-            'params' => serialize($this->widgetFactory->widgetFullParams),
+            'params' => $this->widgetFactory->encryptWidgetParams($this->widgetFactory->widgetFullParams),
         ];
 
         $url = $this->ajaxLink.'?'.http_build_query($queryParams);

diff --git a/tests/Support/TestApplicationWrapper.php b/tests/Support/TestApplicationWrapper.php
@@ -25,7 +25,7 @@ class TestApplicationWrapper implements ApplicationWrapperContract
      *
      * @param $key
      * @param $minutes
-     * @param callable $callback
+     * @param Closure $callback
      *
      * @return mixed
      */
@@ -91,6 +91,10 @@ public function make($abstract, array $parameters = [])
         if ($abstract == 'arrilot.async-widget') {
             return new AsyncWidgetFactory($this);
         }
+
+        if ($abstract == 'encrypter') {
+            return new TestEncrypter();
+        }
 
         throw new InvalidArgumentException("Binding {$abstract} cannot be resolved while testing");
     }

diff --git a/tests/Support/TestCase.php b/tests/Support/TestCase.php
@@ -17,7 +17,7 @@ public function ajaxUrl($widgetName, $widgetParams = [], $id = 1)
         return '/arrilot/load-widget?'.http_build_query([
             'id'     => $id,
             'name'   => $widgetName,
-            'params' => serialize($widgetParams),
+            'params' => json_encode($widgetParams),
         ]);
     }
 }
diff --git a/tests/Support/TestEncrypter.php b/tests/Support/TestEncrypter.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Arrilot\Widgets\Test\Support;
+
+class TestEncrypter
+{
+    public function encrypt($value)
+    {
+        return $value;
+    }
+}