Force http/https for webhook and add error_log in index

2020-06-14 22:17:04 +02:00 · 2020-06-14 22:17:04 +02:00 · 903a8d3770
parent 54a8029b69
commit 903a8d3770
3 changed files with 14 additions and 1 deletions
--- a/controllers/internals/Webhook.php
+++ b/controllers/internals/Webhook.php
@ -27,6 +27,12 @@ class Webhook extends StandardController
     */
    public function create(int $id_user, string $url, string $type)
    {
+        //Must ensure http(s) protocole for protection against ssrf
+        if (!mb_ereg_match('^http(s?)://', $url))
+        {
+            return false;
+        }
+
        $webhook = [
            'id_user' => $id_user,
            'url' => $url,
@ -54,6 +60,12 @@ class Webhook extends StandardController
     */
    public function update_for_user(int $id_user, int $id, string $url, string $type)
    {
+        //Must ensure http(s) protocole for protection against ssrf
+        if (!mb_ereg_match('^http(s?)://', $url))
+        {
+            return false;
+        }
+
        $datas = [
            'url' => $url,
            'type' => $type,
--- a/controllers/publics/Webhook.php
+++ b/controllers/publics/Webhook.php
@ -123,7 +123,7 @@ namespace controllers\publics;
            {
                \FlashMessage\FlashMessage::push('danger', 'Impossible de créer ce webhook.');

-                return $this->redirect(\descartes\Router::url('webhooks', 'add'));
+                return $this->redirect(\descartes\Router::url('Webhook', 'add'));
            }

            \FlashMessage\FlashMessage::push('success', 'La webhook a bien été créé.');
--- a/index.php
+++ b/index.php
@ -25,6 +25,7 @@
    }
    catch (\Throwable $e)
    {
+        error_log($e);
        $controller = new \controllers\internals\HttpError();
        $controller->unknown();
    }