Increased attachment link limit from 192 to 2k

Added test to cover. Did attempt a 64k limit, but values over 2k significantly increase chance of other issues since this URL may be used in redirect headers. Would rather catch issues in-app. For BookStackApp#4044
CaffeineSheep · Feb 20, 2023 · c803961 · c803961
1 parent 8da3e64
commit c803961
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 26 deletions.
diff --git a/app/Http/Controllers/Api/AttachmentApiController.php b/app/Http/Controllers/Api/AttachmentApiController.php
@@ -13,11 +13,9 @@
 
 class AttachmentApiController extends ApiController
 {
-    protected $attachmentService;
-
-    public function __construct(AttachmentService $attachmentService)
-    {
-        $this->attachmentService = $attachmentService;
+    public function __construct(
+        protected AttachmentService $attachmentService
+    ) {
     }
 
     /**
@@ -174,13 +172,13 @@ protected function rules(): array
                 'name'        => ['required', 'min:1', 'max:255', 'string'],
                 'uploaded_to' => ['required', 'integer', 'exists:pages,id'],
                 'file'        => array_merge(['required_without:link'], $this->attachmentService->getFileValidationRules()),
-                'link'        => ['required_without:file', 'min:1', 'max:255', 'safe_url'],
+                'link'        => ['required_without:file', 'min:1', 'max:2000', 'safe_url'],
             ],
             'update' => [
                 'name'        => ['min:1', 'max:255', 'string'],
                 'uploaded_to' => ['integer', 'exists:pages,id'],
                 'file'        => $this->attachmentService->getFileValidationRules(),
-                'link'        => ['min:1', 'max:255', 'safe_url'],
+                'link'        => ['min:1', 'max:2000', 'safe_url'],
             ],
         ];
     }

diff --git a/app/Http/Controllers/AttachmentController.php b/app/Http/Controllers/AttachmentController.php
@@ -15,16 +15,10 @@
 
 class AttachmentController extends Controller
 {
-    protected AttachmentService $attachmentService;
-    protected PageRepo $pageRepo;
-
-    /**
-     * AttachmentController constructor.
-     */
-    public function __construct(AttachmentService $attachmentService, PageRepo $pageRepo)
-    {
-        $this->attachmentService = $attachmentService;
-        $this->pageRepo = $pageRepo;
+    public function __construct(
+        protected AttachmentService $attachmentService,
+        protected PageRepo $pageRepo
+    ) {
     }
 
     /**
@@ -112,7 +106,7 @@ public function update(Request $request, string $attachmentId)
         try {
             $this->validate($request, [
                 'attachment_edit_name' => ['required', 'string', 'min:1', 'max:255'],
-                'attachment_edit_url'  => ['string', 'min:1', 'max:255', 'safe_url'],
+                'attachment_edit_url'  => ['string', 'min:1', 'max:2000', 'safe_url'],
             ]);
         } catch (ValidationException $exception) {
             return response()->view('attachments.manager-edit-form', array_merge($request->only(['attachment_edit_name', 'attachment_edit_url']), [
@@ -148,7 +142,7 @@ public function attachLink(Request $request)
             $this->validate($request, [
                 'attachment_link_uploaded_to' => ['required', 'integer', 'exists:pages,id'],
                 'attachment_link_name'        => ['required', 'string', 'min:1', 'max:255'],
-                'attachment_link_url'         => ['required', 'string', 'min:1', 'max:255', 'safe_url'],
+                'attachment_link_url'         => ['required', 'string', 'min:1', 'max:2000', 'safe_url'],
             ]);
         } catch (ValidationException $exception) {
             return response()->view('attachments.manager-link-form', array_merge($request->only(['attachment_link_name', 'attachment_link_url']), [

diff --git a/app/Providers/ValidationRuleServiceProvider.php b/app/Providers/ValidationRuleServiceProvider.php
@@ -21,8 +21,8 @@ public function boot(): void
 
         Validator::extend('safe_url', function ($attribute, $value, $parameters, $validator) {
             $cleanLinkName = strtolower(trim($value));
-            $isJs = strpos($cleanLinkName, 'javascript:') === 0;
-            $isData = strpos($cleanLinkName, 'data:') === 0;
+            $isJs = str_starts_with($cleanLinkName, 'javascript:');
+            $isData = str_starts_with($cleanLinkName, 'data:');
 
             return !$isJs && !$isData;
         });

diff --git a/app/Uploads/Attachment.php b/app/Uploads/Attachment.php
@@ -40,12 +40,10 @@ class Attachment extends Model
 
     /**
      * Get the downloadable file name for this upload.
-     *
-     * @return mixed|string
      */
-    public function getFileName()
+    public function getFileName(): string
     {
-        if (strpos($this->name, '.') !== false) {
+        if (str_contains($this->name, '.')) {
             return $this->name;
         }
 
@@ -71,7 +69,7 @@ public function jointPermissions(): HasMany
      */
     public function getUrl($openInline = false): string
     {
-        if ($this->external && strpos($this->path, 'http') !== 0) {
+        if ($this->external && !str_starts_with($this->path, 'http')) {
             return $this->path;
         }
 

diff --git a/database/migrations/2023_02_20_093655_increase_attachments_path_length.php b/database/migrations/2023_02_20_093655_increase_attachments_path_length.php
@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('attachments', function (Blueprint $table) {
+            $table->text('path')->change();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('attachments', function (Blueprint $table) {
+            $table->string('path')->change();
+        });
+    }
+};
diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php
@@ -111,6 +111,29 @@ public function test_attaching_link_to_page()
         $this->files->deleteAllAttachmentFiles();
     }
 
+    public function test_attaching_long_links_to_a_page()
+    {
+        $page = $this->entities->page();
+
+        $link = 'https://example.com?query=' . str_repeat('catsIScool', 195);
+        $linkReq = $this->asAdmin()->post('attachments/link', [
+            'attachment_link_url'         => $link,
+            'attachment_link_name'        => 'Example Attachment Link',
+            'attachment_link_uploaded_to' => $page->id,
+        ]);
+
+        $linkReq->assertStatus(200);
+        $this->assertDatabaseHas('attachments', [
+            'uploaded_to' => $page->id,
+            'path' => $link,
+            'external' => true,
+        ]);
+
+        $attachment = $page->attachments()->where('external', '=', true)->first();
+        $resp = $this->get($attachment->getUrl());
+        $resp->assertRedirect($link);
+    }
+
     public function test_attachment_updating()
     {
         $page = $this->entities->page();