Merge pull request from GHSA-j74q-mv2c-rxmp
bergmania committed May 17, 2024
1 parent fa4fe47 commit c8f71af
Showing 5 changed files with 135 additions and 1 deletion.
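--- a/src/Umbraco.Tests/Routing/WebPathTests.cs
+++ b/src/Umbraco.Tests/Routing/WebPathTests.cs
@@ -0,0 +1,97 @@
+using NUnit.Framework;
+using System;
+using Umbraco.Web.Routing;
+
+namespace Umbraco.Tests.Routing
+{
+
+[TestFixture]
+public class WebPathTests
+{
+
+[Test]
+[TestCase("ftp://hello.com/", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("file:///hello.com/", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("ws://hello.com/", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("wss://hello.com/", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("https://hello.com:8080/", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("http://hello.com:8080/", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path?query=param", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path?query=param", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("https://hello.com:8080/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("http://hello.com:8080/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("//hello.com:8080/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("//hello.com:8080/path", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("//hello.com:8080", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("//hello.com", UriKind.Absolute, ExpectedResult = true)]
+[TestCase("/test/test.jpg", UriKind.Absolute, ExpectedResult = false)]
+[TestCase("/test", UriKind.Absolute, ExpectedResult = false)]
+[TestCase("test", UriKind.Absolute, ExpectedResult = false)]
+[TestCase("", UriKind.Absolute, ExpectedResult = false)]
+[TestCase(null, UriKind.Absolute, ExpectedResult = false)]
+[TestCase("this is not welformed", UriKind.Absolute, ExpectedResult = false)]
+[TestCase("ftp://hello.com/", UriKind.Relative, ExpectedResult = false)]
+[TestCase("file:///hello.com/", UriKind.Relative, ExpectedResult = false)]
+[TestCase("ws://hello.com/", UriKind.Relative, ExpectedResult = false)]
+[TestCase("wss://hello.com/", UriKind.Relative, ExpectedResult = false)]
+[TestCase("https://hello.com:8080/", UriKind.Relative, ExpectedResult = false)]
+[TestCase("http://hello.com:8080/", UriKind.Relative, ExpectedResult = false)]
+[TestCase("https://hello.com/path", UriKind.Relative, ExpectedResult = false)]
+[TestCase("http://hello.com/path", UriKind.Relative, ExpectedResult = false)]
+[TestCase("https://hello.com/path?query=param", UriKind.Relative, ExpectedResult = false)]
+[TestCase("http://hello.com/path?query=param", UriKind.Relative, ExpectedResult = false)]
+[TestCase("https://hello.com/path#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("http://hello.com/path#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("https://hello.com/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("http://hello.com/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("https://hello.com:8080/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("http://hello.com:8080/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("//hello.com:8080/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+[TestCase("//hello.com:8080/path", UriKind.Relative, ExpectedResult = false)]
+[TestCase("//hello.com:8080", UriKind.Relative, ExpectedResult = false)]
+[TestCase("//hello.com", UriKind.Relative, ExpectedResult = false)]
+[TestCase("/test/test.jpg", UriKind.Relative, ExpectedResult = true)]
+[TestCase("/test", UriKind.Relative, ExpectedResult = true)]
+[TestCase("test", UriKind.Relative, ExpectedResult = true)]
+[TestCase("", UriKind.Relative, ExpectedResult = false)]
+[TestCase(null, UriKind.Relative, ExpectedResult = false)]
+[TestCase("this is not welformed", UriKind.Relative, ExpectedResult = false)]
+[TestCase("ftp://hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("file:///hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("ws://hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("wss://hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("https://hello.com:8080/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("http://hello.com:8080/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path?query=param", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path?query=param", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("https://hello.com/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("http://hello.com/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("https://hello.com:8080/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("http://hello.com:8080/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("//hello.com:8080/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("//hello.com:8080/path", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("//hello.com:8080", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("//hello.com", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("/test/test.jpg", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("/test", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("test", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+[TestCase("", UriKind.RelativeOrAbsolute, ExpectedResult = false)]
+[TestCase(null, UriKind.RelativeOrAbsolute, ExpectedResult = false)]
+[TestCase("this is not welformed", UriKind.RelativeOrAbsolute, ExpectedResult = false)]
+public bool IsWellFormedWebPath(string? webPath, UriKind uriKind)
+{
+return WebPath.IsWellFormedWebPath(webPath, uriKind);
+}
+
+}
+}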
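Review bot: The `UriKind.Relative` cases pin only the literal `//` prefix, so the suite does not show how `WebPath.IsWellFormedWebPath` classifies near-equivalents of a protocol-relative URL. I would add cases such as `[TestCase("/\\hello.com", UriKind.Relative, ExpectedResult = false)]` and `[TestCase("\\\\hello.com", UriKind.Relative, ExpectedResult = false)]`, plus a whitespace-only input like `[TestCase(" ", UriKind.Relative, ExpectedResult = false)]`, since the implementation relies on `string.IsNullOrWhiteSpace`. Whether `Uri.IsWellFormedUriString` already rejects the backslash forms is not visible from this page; a failing case would mark a gap to close in WebPath. The `[Test]` attribute is also redundant next to `[TestCase]` and can be dropped.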
1 change: 1 addition & 0 deletions src/Umbraco.Tests/Umbraco.Tests.csproj
@@ -170,6 +170,7 @@
<Compile Include="PublishedContent\NuCacheTests.cs" />
<Compile Include="Routing\MediaUrlProviderTests.cs" />
<Compile Include="Routing\RoutableDocumentFilterTests.cs" />
<Compile Include="Routing\WebPathTests.cs" />
<Compile Include="Runtimes\StandaloneTests.cs" />
<Compile Include="Routing\GetContentUrlsTests.cs" />
<Compile Include="Scheduling\ContentVersionCleanup_Tests_UnitTests.cs" />
3 changes: 2 additions & 1 deletion src/Umbraco.Web/Editors/ImagesController.cs
@@ -8,6 +8,7 @@
using Umbraco.Core.IO;
using Umbraco.Core.Models;
using Umbraco.Web.Mvc;
using Umbraco.Web.Routing;
using Umbraco.Web.WebApi;

namespace Umbraco.Web.Editors
@@ -102,7 +103,7 @@ public HttpResponseMessage GetResized(string imagePath, int width)
private bool IsAllowed(string encodedImagePath)
{

if(Uri.IsWellFormedUriString(encodedImagePath, UriKind.Relative))
if(WebPath.IsWellFormedWebPath(encodedImagePath, UriKind.Relative))
{
return true;
}
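Review bot: `IsAllowed` still takes a parameter named `encodedImagePath`, and nothing in this hunk shows it being decoded before `WebPath.IsWellFormedWebPath(encodedImagePath, UriKind.Relative)` runs. The new helper only recognises a literal `//` prefix, so if the value can still be percent-encoded at this point, the check and whatever later resolves the path may disagree about what counts as relative. That cannot be confirmed here, because the caller and the rest of `IsAllowed` lie outside the hunk. I would either decode once before the check or document the precondition, e.g. `// encodedImagePath must already be URL-decoded: WebPath only treats a literal "//" prefix as non-relative`.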
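--- a/src/Umbraco.Web/Routing/WebPath.cs
+++ b/src/Umbraco.Web/Routing/WebPath.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Umbraco.Web.Routing
+{
+public class WebPath
+{
+/// <summary>
+/// Determines whether the provided web path is well-formed according to the specified UriKind.
+/// </summary>
+/// <param name="webPath">The web path to check. This can be null.</param>
+/// <param name="uriKind">The kind of Uri (Absolute, Relative, or RelativeOrAbsolute).</param>
+/// <returns>
+/// true if <paramref name="webPath"/> is well-formed; otherwise, false.
+/// </returns>
+public static bool IsWellFormedWebPath(string? webPath, UriKind uriKind)
+{
+if (string.IsNullOrWhiteSpace(webPath))
+{
+return false;
+}
+
+if (webPath.StartsWith("//"))
+{
+return uriKind is not UriKind.Relative;
+}
+
+return Uri.IsWellFormedUriString(webPath, uriKind);
+}
+}
+}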
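Review bot: The `//` branch returns `uriKind is not UriKind.Relative` without looking at the rest of the string, so any input that merely starts with `//` is reported as well-formed for `Absolute` and `RelativeOrAbsolute`. That does not weaken the `UriKind.Relative` check used by ImagesController, but the `<summary>` promises a well-formedness check; either validate the remainder or add a `<remarks>` stating that protocol-relative input is classified by prefix only. The prefix test should also be ordinal, `if (webPath.StartsWith("//", StringComparison.Ordinal))`, since the single-argument overload is culture-sensitive. The class holds only a static member and could be declared `public static class WebPath`, and the four `using` directives after `using System;` appear unused.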
1 change: 1 addition & 0 deletions src/Umbraco.Web/Umbraco.Web.csproj
@@ -325,6 +325,7 @@
<Compile Include="Routing\IPublishedRouter.cs" />
<Compile Include="Routing\MediaUrlProviderCollection.cs" />
<Compile Include="Routing\MediaUrlProviderCollectionBuilder.cs" />
<Compile Include="Routing\WebPath.cs" />
<Compile Include="Scheduling\ContentVersionCleanup.cs" />
<Compile Include="Scheduling\SimpleTask.cs" />
<Compile Include="Scheduling\TempFileCleanup.cs" />
