From 51aee11c359dbed1384b7046551fb9d66dcca1c6 Mon Sep 17 00:00:00 2001 From: klezm <20573323+klezm@users.noreply.github.com> Date: Fri, 21 Sep 2018 16:57:18 +0200 Subject: [PATCH 1/6] whitelist & blacklist added --- app/Factories/LinkFactory.php | 12 +++++++ app/Helpers/LinkHelper.php | 42 ++++++++++++++++++++++++ app/Http/Controllers/SetupController.php | 29 ++++++++++++++++ resources/views/env.blade.php | 7 ++++ resources/views/setup.blade.php | 12 +++++++ 5 files changed, 102 insertions(+) diff --git a/app/Factories/LinkFactory.php b/app/Factories/LinkFactory.php index 7ff2bda5d..132d75e37 100644 --- a/app/Factories/LinkFactory.php +++ b/app/Factories/LinkFactory.php @@ -62,6 +62,18 @@ public static function createLink($long_url, $is_secret=false, $custom_ending=nu return self::formatLink($existing_link); } + $is_blacklisted = LinkHelper::checkBlackList($long_url); + + if (!$is_blacklisted) { + throw new \Exception('Sorry, links from the blacklist are not permitted for shortening.'); + } + + $is_whitelisted = LinkHelper::checkWhiteList($long_url); + + if (!$is_whitelisted) { + throw new \Exception('Sorry, only links from the whitelist are supported for shortening.'); + } + if (isset($custom_ending) && $custom_ending !== '') { // has custom ending $ending_conforms = LinkHelper::validateEnding($custom_ending); diff --git a/app/Helpers/LinkHelper.php b/app/Helpers/LinkHelper.php index 5abd67528..438da8392 100644 --- a/app/Helpers/LinkHelper.php +++ b/app/Helpers/LinkHelper.php 
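Review bot: `$is_blacklisted` holds the opposite of what its name says: `checkBlackList()` (added in this patch's LinkHelper hunk) returns false when the host matches a blacklist entry, so the variable is true for links that are allowed and the throw is reached on `!$is_blacklisted`. Either rename it, `$passes_blacklist = LinkHelper::checkBlackList($long_url);` with `if (!$passes_blacklist) {`, or have the helper return true on a match and throw on that; patch 6/6 keeps the inverted variable by negating the renamed helper instead. Both checks also run unconditionally here, so with SETTING_WHITELISTED_DOMAINS unset `explode()` yields one empty pattern, `preg_match()` rejects it, and every link is refused — patch 5/6 later wraps the calls in `!empty(env(...))`. `createLink` starts and continues outside the hunk.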
@@ -142,4 +142,46 @@ static public function findSuitableEnding() { return $base_x_val; } + + static public function checkWhiteList($long_link) { + /** + * Provided a long link (string) + * checks whether the link is on the whitelist or not + * @return boolean + */ + + $white_list = explode(',', env('SETTING_WHITELISTED_DOMAINS')); +// echo ""; +// foreach ($white_list as $x) {echo "";} + + $url_host = parse_url($long_link, PHP_URL_HOST); +// echo ""; + + foreach ($white_list as $allowed_url) { + if (preg_match($allowed_url, $url_host)) { + return true; + } + } + return false; + } + + static public function checkBlackList($long_link) { + /** + * Provided a long link (string) + * checks whether the link is on the blacklist or not + * @return boolean + */ + + $black_list = explode(',', env('SETTING_BLACKLISTED_DOMAINS')); + + $url_host = parse_url($long_link, PHP_URL_HOST); + + foreach ($black_list as $blacklisted_url) { + if (preg_match($blacklisted_url, $url_host)) { + return false; + } + } + return true; + } + } diff --git a/app/Http/Controllers/SetupController.php b/app/Http/Controllers/SetupController.php index d29006548..d50eb6991 100644 --- a/app/Http/Controllers/SetupController.php +++ b/app/Http/Controllers/SetupController.php 
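Review bot: `preg_match()` returns false (with a warning) when the pattern is empty or invalid — an empty entry is exactly what `explode()` yields for a trailing comma or an unset value — and both loops treat false like "no match", so a broken whitelist entry fails closed while a broken blacklist entry silently stops blocking its domain. Testing `preg_match($allowed_url, $url_host) === 1` and treating a false result as a configuration error (throw or log) would make a malformed list visible instead of ignored; the same loop survives into `checkAuthUrl()` in patch 6/6. The `// echo ""` and `// foreach ... {echo "";}` debug remnants should be dropped before merging.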
@@ -55,6 +55,29 @@ public static function displaySetupPage(Request $request) { return view('setup'); } + public static function createRegexForDomains($url) { + /** + * Provided a URL + * creates the corresponding regex + * @return string + */ + + $url_arr = explode(',', $url); + + // escapes all non word characters + $add_escapes = function ($url) { return preg_replace("/(?:(\w*)(\W)(\w*))/m", '$1\\\$2$3', $url); }; + $add_sub_domain = function ($url) { return preg_replace("/^(\\\\\*\\\\\.)(.*)$/m", '(?:.+\\\.)*$2', $url); }; + $add_start_end = function ($url) { return preg_replace("/^(.*)$/m", '/^$1\$/m', $url); }; + + $url_arr = array_map($add_escapes, $url_arr); + $url_arr = array_map($add_sub_domain, $url_arr); + $url_arr = array_map($add_start_end, $url_arr); + + $url_regex = implode(',', $url_arr); + + return $url_regex; + } + public static function performSetup(Request $request) { if (env('POLR_SETUP_RAN')) { return self::setupAlreadyRan(); @@ -118,6 +141,10 @@ public static function performSetup(Request $request) { $st_password_recov = $request->input('setting:password_recovery'); $st_restrict_email_domain = $request->input('setting:restrict_email_domain'); $st_allowed_email_domains = $request->input('setting:allowed_email_domains'); +// TODO: enabled/disable white/black list + $st_whitelisted_domains = SetupController::createRegexForDomains($request->input('setting:whitelisted_domains')); + $st_blacklisted_domains = SetupController::createRegexForDomains($request->input('setting:blacklisted_domains')); + $st_base = $request->input('setting:base'); $st_auto_api_key = $request->input('setting:auto_api_key'); 
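Review bot: The patterns `createRegexForDomains()` emits are case-sensitive — `'/^$1\$/m'` carries only `m` — while host names are not, so a list entry for `example.com` does not match a host written as `Example.com`; emitting `'/^$1\$/i'` fixes that, and `m` is not needed for matching a single host. Entries are also not trimmed, so a form value of `example.com, other.com` produces `/^\ other\.com$/m` for the second entry, which can never match a host; `array_map('trim', explode(',', $url))` with empty entries dropped would avoid it. The hand-rolled `\W` escaping in `$add_escapes` could be replaced by `preg_quote($url, '/')`, which also covers the delimiter. Since the value comes straight from the setup form, a check that each entry looks like a host name before it is baked into `.env` would catch typos early.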
@@ -167,6 +194,8 @@ public static function performSetup(Request $request) { 'ST_ALLOWED_EMAIL_DOMAINS' => $st_allowed_email_domains, 'POLR_RECAPTCHA_SITE_KEY' => $polr_recaptcha_site_key, 'POLR_RECAPTCHA_SECRET' => $polr_recaptcha_secret_key, + 'ST_WHITELISTED_DOMAINS' => $st_whitelisted_domains, + 'ST_BLACKLISTED_DOMAINS' => $st_blacklisted_domains, 'MAIL_ENABLED' => $mail_enabled, 'MAIL_HOST' => $mail_host, diff --git a/resources/views/env.blade.php b/resources/views/env.blade.php index f36b23dbc..b9d07cd5a 100644 --- a/resources/views/env.blade.php +++ b/resources/views/env.blade.php @@ -97,6 +97,13 @@ # reCAPTCHA secret key POLR_RECAPTCHA_SECRET_KEY="{{$POLR_RECAPTCHA_SECRET}}" +# A comma-separated list of whitelisted domains +SETTING_WHITELISTED_DOMAINS={{$ST_WHITELISTED_DOMAINS}} + +# A comma-separated list of blacklisted domains +SETTING_BLACKLISTED_DOMAINS={{$ST_BLACKLISTED_DOMAINS}} + + # Set each to blank to disable mail @if($MAIL_ENABLED) MAIL_DRIVER=smtp diff --git a/resources/views/setup.blade.php b/resources/views/setup.blade.php index 39fbd6c4c..469f0497f 100644 --- a/resources/views/setup.blade.php +++ b/resources/views/setup.blade.php @@ -195,6 +195,18 @@
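Review bot: The two new `.env` keys are written unquoted, unlike the neighbouring `POLR_RECAPTCHA_SECRET_KEY="{{$POLR_RECAPTCHA_SECRET}}"`, and their values are generated regexes containing `\`, `$`, `^`, `(`, `*` and `,`; nothing in this hunk shows that all of those survive the dotenv parser unchanged in an unquoted value, and if the view is rendered with Blade's default `{{ }}` escaping, any `&`, `<`, `>` or quote typed into the setup form would land in the file as an HTML entity. A round-trip test that submits one whitelist entry through setup and reads `env('SETTING_WHITELISTED_DOMAINS')` back would pin this down; if quoting is adopted to match the other keys, the parser's own treatment of `\\` inside double quotes needs checking as well.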
+
+ Whitelisted Domains:
+
+ Blacklisted Domains:
+
Password Recovery:
Blacklisted Domains:
From 48b93af6bc6df5b57eb2c26a5ab7067db8a75a79 Mon Sep 17 00:00:00 2001
From: klezm <20573323+klezm@users.noreply.github.com>
Date: Fri, 21 Sep 2018 17:06:44 +0200
Subject: [PATCH 3/6] cleanup
---
app/Helpers/LinkHelper.php | 6 +++---
app/Http/Controllers/SetupController.php | 7 +++++--
resources/views/setup.blade.php | 6 +++---
3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/app/Helpers/LinkHelper.php b/app/Helpers/LinkHelper.php
index 438da8392..90ac8b82a 100644
--- a/app/Helpers/LinkHelper.php
+++ b/app/Helpers/LinkHelper.php
@@ -145,7 +145,7 @@ static public function findSuitableEnding() {
static public function checkWhiteList($long_link) {
/**
- * Provided a long link (string)
+ * @param long_link a long link (string)
* checks whether the link is on the whitelist or not
* @return boolean
*/
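Review bot: The new `@param` lines do not follow the PHPDoc form `@param <type> $<name> <description>` — `@param long_link a long link (string)` reads `long_link` as the type — so tooling will not tie them to the parameter; `@param string $long_link the URL whose host is checked` would, and the same applies to the second hunk of this file and to `@param $url a tld domain (string)` in SetupController. The docblocks also sit inside the function bodies rather than above the signatures, where PHPDoc expects them; moving them there makes `@return boolean` (better: `bool`) visible to IDEs and static analysers.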
@@ -167,7 +167,7 @@ static public function checkWhiteList($long_link) {
static public function checkBlackList($long_link) {
/**
- * Provided a long link (string)
+ * @param long_link a long link (string)
* checks whether the link is on the blacklist or not
* @return boolean
*/
@@ -184,4 +184,4 @@ static public function checkBlackList($long_link) {
return true;
}
-}
+}
\ No newline at end of file
diff --git a/app/Http/Controllers/SetupController.php b/app/Http/Controllers/SetupController.php
index c71acad81..bbe080d4e 100644
--- a/app/Http/Controllers/SetupController.php
+++ b/app/Http/Controllers/SetupController.php
@@ -57,7 +57,7 @@ public static function displaySetupPage(Request $request) {
public static function createRegexForDomains($url) {
/**
- * Provided a URL
+ * @param $url a tld domain (string)
* creates the corresponding regex
* @return string
*/
@@ -66,7 +66,9 @@ public static function createRegexForDomains($url) {
// escapes all non word characters
$add_escapes = function ($url) { return preg_replace("/(?:(\w*)(\W)(\w*))/m", '$1\\\$2$3', $url); };
+ // replaces "*." in front of a domain with the regex for subdomains
$add_sub_domain = function ($url) { return preg_replace("/^(\\\\\*\\\\\.)(.*)$/m", '(?:.+\\\.)*$2', $url); };
+ // adds the missing regex syntax surrounding the actual regex
$add_start_end = function ($url) { return preg_replace("/^(.*)$/m", '/^$1\$/m', $url); };
$url_arr = array_map($add_escapes, $url_arr);
@@ -142,6 +144,7 @@ public static function performSetup(Request $request) {
$st_restrict_email_domain = $request->input('setting:restrict_email_domain');
$st_allowed_email_domains = $request->input('setting:allowed_email_domains');
+ // sets the variables for the white/blacklist to '' or the corresponding regex
$st_whitelisted_domains = empty($request->input('setting:whitelisted_domains')) ? '' :
SetupController::createRegexForDomains($request->input('setting:whitelisted_domains'));
$st_blacklisted_domains = empty($request->input('setting:blacklisted_domains')) ? '' :
@@ -279,4 +282,4 @@ public static function finishSetup(Request $request) {
return view('setup_thanks')->with('success', 'Set up completed! Thanks for using Polr!');
}
-}
+}
\ No newline at end of file
diff --git a/resources/views/setup.blade.php b/resources/views/setup.blade.php
index 9f0457047..8608c82d0 100644
--- a/resources/views/setup.blade.php
+++ b/resources/views/setup.blade.php
@@ -199,13 +199,13 @@
Whitelisted Domains:
Blacklisted Domains:
Password Recovery: @@ -300,4 +300,4 @@ -@endsection +@endsection \ No newline at end of file From e8e386a41b19143ae816892028133595e8d3b6de Mon Sep 17 00:00:00 2001 From: klezm <20573323+klezm@users.noreply.github.com> Date: Wed, 26 Sep 2018 17:54:45 +0200 Subject: [PATCH 4/6] fix issue from codacy --- app/Http/Controllers/SetupController.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/Http/Controllers/SetupController.php b/app/Http/Controllers/SetupController.php index bbe080d4e..e7c6d3882 100644 --- a/app/Http/Controllers/SetupController.php +++ b/app/Http/Controllers/SetupController.php @@ -146,9 +146,9 @@ public static function performSetup(Request $request) { // sets the variables for the white/blacklist to '' or the corresponding regex $st_whitelisted_domains = empty($request->input('setting:whitelisted_domains')) ? '' : - SetupController::createRegexForDomains($request->input('setting:whitelisted_domains')); + self::createRegexForDomains($request->input('setting:whitelisted_domains')); $st_blacklisted_domains = empty($request->input('setting:blacklisted_domains')) ? '' : - SetupController::createRegexForDomains($request->input('setting:blacklisted_domains')); + self::createRegexForDomains($request->input('setting:blacklisted_domains')); $st_base = $request->input('setting:base'); From 2cf2e5769fde20406684b8fe803ac1b384e35399 Mon Sep 17 00:00:00 2001 From: klezm <20573323+klezm@users.noreply.github.com> Date: Thu, 27 Sep 2018 12:15:21 +0200 Subject: [PATCH 5/6] static access todo --- app/Factories/LinkFactory.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/Factories/LinkFactory.php b/app/Factories/LinkFactory.php index f3fe5143b..607d604ff 100644 --- a/app/Factories/LinkFactory.php +++ b/app/Factories/LinkFactory.php 
@@ -41,6 +41,8 @@ public static function createLink($long_url, $is_secret=false, $custom_ending=nu * @return string $formatted_link */ +// $lh = new LinkHelper(); // TODO: remove static access + if (strlen($long_url) > self::MAXIMUM_LINK_LENGTH) { // If $long_url is longer than the maximum length, then // throw an Exception @@ -63,6 +65,8 @@ public static function createLink($long_url, $is_secret=false, $custom_ending=nu } if (!empty(env('SETTING_WHITELISTED_DOMAINS'))) { +// TODO: remove static access? maybe for all funct calls? +// $is_whitelisted = $lh::checkWhiteList($long_url); $is_whitelisted = LinkHelper::checkWhiteList($long_url); if (!$is_whitelisted) { throw new \Exception('Sorry, only links from the whitelist are supported for shortening.'); From a2874af114814cd5b47994e09117f238f1404c11 Mon Sep 17 00:00:00 2001 From: klezm <20573323+klezm@users.noreply.github.com> Date: Thu, 27 Sep 2018 13:55:18 +0200 Subject: [PATCH 6/6] deleted duplicates --- app/Factories/LinkFactory.php | 6 +++--- app/Helpers/LinkHelper.php | 32 +++++++------------------------- 2 files changed, 10 insertions(+), 28 deletions(-) diff --git a/app/Factories/LinkFactory.php b/app/Factories/LinkFactory.php index 607d604ff..ca5a22826 100644 --- a/app/Factories/LinkFactory.php +++ b/app/Factories/LinkFactory.php 
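Review bot: Commented-out code and TODO markers should not be committed: `// $lh = new LinkHelper(); // TODO: remove static access` and `// $is_whitelisted = $lh::checkWhiteList($long_url);` are the only content of these two hunks. Static access to `LinkHelper` is consistent with the `LinkHelper::validateEnding()` call already in this function, so the TODO seems moot here; if a move to instance injection is wanted, an issue is the right place to track it. `createLink` starts and ends outside these hunks.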
@@ -66,15 +66,15 @@ public static function createLink($long_url, $is_secret=false, $custom_ending=nu if (!empty(env('SETTING_WHITELISTED_DOMAINS'))) { // TODO: remove static access? maybe for all funct calls? -// $is_whitelisted = $lh::checkWhiteList($long_url); - $is_whitelisted = LinkHelper::checkWhiteList($long_url); +// $is_whitelisted = $lh::checkAuthUrl($long_url, env('SETTING_WHITELISTED_DOMAINS')); + $is_whitelisted = LinkHelper::checkAuthUrl($long_url, env('SETTING_WHITELISTED_DOMAINS')); if (!$is_whitelisted) { throw new \Exception('Sorry, only links from the whitelist are supported for shortening.'); } } if (!empty(env('SETTING_BLACKLISTED_DOMAINS'))) { - $is_blacklisted = LinkHelper::checkBlackList($long_url); + $is_blacklisted = !LinkHelper::checkAuthUrl($long_url, env('SETTING_BLACKLISTED_DOMAINS')); if (!$is_blacklisted) { throw new \Exception('Sorry, links from the blacklist are not permitted for shortening.'); } diff --git a/app/Helpers/LinkHelper.php b/app/Helpers/LinkHelper.php index 90ac8b82a..0dd02c509 100644 --- a/app/Helpers/LinkHelper.php +++ b/app/Helpers/LinkHelper.php 
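Review bot: The blacklist branch is now a double negation: `checkAuthUrl()` returns true when the host matches an entry, the result is negated into `$is_blacklisted`, and the throw fires on `!$is_blacklisted`, so the variable is false exactly when the link is blacklisted. The test reads directly without the variable: `if (LinkHelper::checkAuthUrl($long_url, env('SETTING_BLACKLISTED_DOMAINS'))) {` followed by the existing throw. Because the helper now serves both lists, a name such as `hostMatchesList` would describe what it computes better than `checkAuthUrl`, whose "auth" reads backwards for the blacklist. `createLink` continues outside the hunk.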
@@ -143,45 +143,27 @@ static public function findSuitableEnding() { return $base_x_val; } - static public function checkWhiteList($long_link) { + static public function checkAuthUrl($long_link, $auth_ls) { /** * @param long_link a long link (string) - * checks whether the link is on the whitelist or not + * @param auth_ls a list of (un)authorized urls for shortening + * checks whether the link is authorized or not * @return boolean */ - $white_list = explode(',', env('SETTING_WHITELISTED_DOMAINS')); + $auth_urls = explode(',', $auth_ls); // echo ""; -// foreach ($white_list as $x) {echo "";} +// foreach ($auth_urls as $x) {echo "";} $url_host = parse_url($long_link, PHP_URL_HOST); // echo ""; - foreach ($white_list as $allowed_url) { - if (preg_match($allowed_url, $url_host)) { + foreach ($auth_urls as $auth_url) { + if (preg_match($auth_url, $url_host)) { return true; } } return false; } - static public function checkBlackList($long_link) { - /** - * @param long_link a long link (string) - * checks whether the link is on the blacklist or not - * @return boolean - */ - - $black_list = explode(',', env('SETTING_BLACKLISTED_DOMAINS')); - - $url_host = parse_url($long_link, PHP_URL_HOST); - - foreach ($black_list as $blacklisted_url) { - if (preg_match($blacklisted_url, $url_host)) { - return false; - } - } - return true; - } - } \ No newline at end of file
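Review bot: The debug remnants `// echo "";` and `// foreach ($auth_urls as $x) {echo "";}` were renamed along with the variable instead of being deleted; commented-out code should go with this consolidation. `parse_url()` returns null when `$long_link` has no host (false for a seriously malformed string), and the loop then matches every pattern against an empty value — unless something upstream of `createLink` guarantees a host, the whitelist silently rejects and the blacklist silently admits such input, so an explicit early `return false;` on a missing host with a comment stating that the caller decides what that means would make the behaviour deliberate. `@return boolean` is better written as `@return bool`, and the docblock belongs above the signature.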