Merge pull request #26 from shopware/next-39504/sanitize-shop-url-dur…

…ing-the-registration-process NEXT-39504 - Sanitize the Shop URL during the registration process
shopware · Nov 18, 2024 · 4d78e47 · 4d78e47
2 parents c5514e2 + fd15027
commit 4d78e47
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 1 deletion.
diff --git a/src/Registration/RegistrationService.php b/src/Registration/RegistrationService.php
@@ -57,7 +57,7 @@ public function register(RequestInterface $request): ResponseInterface
         if ($shop === null) {
             $shop = $this->shopRepository->createShopStruct(
                 $queries['shop-id'],
-                $queries['shop-url'],
+                $this->sanitizeShopUrl($queries['shop-url']),
                 $this->shopSecretGeneratorInterface->generate()
             );
 
@@ -127,4 +127,26 @@ public function registerConfirm(RequestInterface $request): ResponseInterface
 
         return (new Psr17Factory())->createResponse(204);
     }
+
+    private function sanitizeShopUrl(string $shopUrl): string
+    {
+        $parsedUrl = parse_url($shopUrl);
+
+        $protocol = $parsedUrl['scheme'] ?? '';
+        $host = $parsedUrl['host'] ?? '';
+        $path = $parsedUrl['path'] ?? '';
+        $port = $parsedUrl['port'] ?? '';
+
+        /** @var string $normalizedPath */
+        $normalizedPath = preg_replace('#/{2,}#', '/', $path);
+        $normalizedPath = rtrim($normalizedPath, '/');
+
+        return sprintf(
+            '%s://%s%s%s',
+            $protocol,
+            $host,
+            $port ? ':' . $port : null,
+            $normalizedPath
+        );
+    }
 }
diff --git a/tests/Registration/RegistrationServiceTest.php b/tests/Registration/RegistrationServiceTest.php
@@ -6,6 +6,7 @@
 
 use Nyholm\Psr7\Request;
 use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\DataProvider;
 use Psr\EventDispatcher\EventDispatcherInterface;
 use Psr\Http\Message\StreamInterface;
 use Psr\Log\LoggerInterface;
@@ -337,6 +338,23 @@ public function testRegisterConfirmMissingShopParameters(array $params): void
         $registrationService->registerConfirm($request);
     }
 
+    #[DataProvider('shopUrlsProvider')]
+    public function testRegisterShopUrlIsSanitized(
+        string $shopUrl,
+        string $expectedUrl,
+    ): void {
+        $request = new Request(
+            'GET',
+            sprintf('http://localhost?shop-id=123&shop-url=%s&timestamp=1234567890', $shopUrl)
+        );
+
+        $this->registerService->register($request);
+
+        $shop = $this->shopRepository->getShopFromId('123');
+
+        static::assertSame($expectedUrl, $shop->getShopUrl());
+    }
+
     /**
      * @return iterable<array<array<string, mixed>>>
      */
@@ -359,4 +377,70 @@ public static function missingShopParametersProvider(): iterable
         yield [['shop-id' => '123', 'apiKey' => '123']];
         yield [['shop-id' => '123', 'apiKey' => '123', 'secretKey' => 123]];
     }
+
+    /**
+     * @return iterable<array<string, string|null>>
+     */
+    public static function shopUrlsProvider(): iterable
+    {
+        yield 'Valid URL with port' => [
+            'shopUrl' => 'https://my-shop.com:80',
+            'expectedUrl' => 'https://my-shop.com:80',
+        ];
+
+        yield 'Valid URL with port and trailing slash' => [
+            'shopUrl' => 'https://my-shop.com:8080/',
+            'expectedUrl' => 'https://my-shop.com:8080',
+        ];
+
+        yield 'Valid URL with port, path and trailing slash' => [
+            'shopUrl' => 'https://my-shop.com:8080//test/',
+            'expectedUrl' => 'https://my-shop.com:8080/test',
+        ];
+
+        yield 'Valid URL without trailing slash' => [
+            'shopUrl' => 'https://my-shop.com',
+            'expectedUrl' => 'https://my-shop.com',
+        ];
+
+        yield 'Valid URL with trailing slash' => [
+            'shopUrl' => 'https://my-shop.com/',
+            'expectedUrl' => 'https://my-shop.com',
+        ];
+
+        yield 'Invalid URL with trailing slash' => [
+            'shopUrl' => 'https://my-shop.com/test/',
+            'expectedUrl' => 'https://my-shop.com/test',
+        ];
+
+        yield 'Invalid URL with double slashes' => [
+            'shopUrl' => 'https://my-shop.com//test',
+            'expectedUrl' => 'https://my-shop.com/test',
+        ];
+
+        yield 'Invalid URL with 2 slashes and trailing slash' => [
+            'shopUrl' => 'https://my-shop.com//test/',
+            'expectedUrl' => 'https://my-shop.com/test',
+        ];
+
+        yield 'Invalid URL with 3 slashes and trailing slash' => [
+            'shopUrl' => 'https://my-shop.com///test/',
+            'expectedUrl' => 'https://my-shop.com/test',
+        ];
+
+        yield 'Invalid URL with multiple slashes' => [
+            'shopUrl' => 'https://my-shop.com///test/test1//test2',
+            'expectedUrl' => 'https://my-shop.com/test/test1/test2',
+        ];
+
+        yield 'Invalid URL with multiple slashes and trailing slash' => [
+            'shopUrl' => 'https://my-shop.com///test/test1//test2/',
+            'expectedUrl' => 'https://my-shop.com/test/test1/test2',
+        ];
+
+        yield 'Invalid URL with multiple slashes and multplie trailing slash' => [
+            'shopUrl' => 'https://my-shop.com///test/test1//test2//',
+            'expectedUrl' => 'https://my-shop.com/test/test1/test2',
+        ];
+    }
 }