keith/WP-Content-Sync
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent unsafe url rewrites

Browse Source
This commit is contained in:
Keith Solomon
2026-04-26 14:42:11 -05:00
parent ddb0e12a9b
commit badd58ada6
2 changed files with 100 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Unit/Url/UrlTransformerTest.php
+61
View File
@@ -81,4 +81,65 @@ class UrlTransformerTest extends TestCase {
$transformer->transformString( 'https://example.test https://cdn.example.test/image.jpg', $mappings )
);
}
public function test_it_does_not_cascade_mapping_destinations_into_other_sources(): void {
$transformer = new UrlTransformer();
$mappings = new UrlMappingCollection(
array(
new UrlMapping( 'https://a.example.test', 'https://b.example.test' ),
new UrlMapping( 'https://b.example.test', 'https://c.example.test' ),
)
);
self::assertSame(
'https://b.example.test/page https://c.example.test/page',
$transformer->transformString( 'https://a.example.test/page https://b.example.test/page', $mappings )
);
}
public function test_it_does_not_rewrite_partial_host_matches(): void {
$transformer = new UrlTransformer();
$mappings = new UrlMappingCollection(
array(
new UrlMapping( 'https://example.test', 'https://staging.example.test' ),
)
);
self::assertSame(
'https://example.test.evil/path https://staging.example.test/path',
$transformer->transformString(
'https://example.test.evil/path https://example.test/path',
$mappings
)
);
}
public function test_it_prefers_more_specific_overlapping_mappings(): void {
$transformer = new UrlTransformer();
$mappings = new UrlMappingCollection(
array(
new UrlMapping( 'https://example.test', 'https://staging.example.test' ),
new UrlMapping( 'https://example.test/uploads', 'https://media.staging.example.test/uploads' ),
)
);
self::assertSame(
'https://media.staging.example.test/uploads/image.jpg',
$transformer->transformString( 'https://example.test/uploads/image.jpg', $mappings )
);
}
public function test_it_rewrites_escaped_protocol_relative_urls(): void {
$transformer = new UrlTransformer();
$mappings = new UrlMappingCollection(
array(
new UrlMapping( 'https://example.test/path?a=1&b=2', 'https://staging.example.test/path?a=1&b=2' ),
)
);
self::assertSame(
'//staging.example.test/path?a=1&b=2',
$transformer->transformString( '//example.test/path?a=1&b=2', $mappings )
);
}
}