Fix E_NOTICE when requesting invalid script (#449)

It is possible to trigger an exception by requesting an invalid script path. The following URL path leads to XSS on the exception page, showing two nice popups: http://myapp/_ignition/scripts/--><svg onload=alert(1337)> The exception is: ErrorException Undefined index: --><svg onload=alert(1337)> Illuminate\Foundation\Bootstrap\HandleExceptions::handleError vendor/facade/ignition/src/Http/Controllers/ScriptController.php:14 This happens with facade/ignition 1.18.0 (the last with laravel 6 support) and should be fixed there. The error probably also occurs in all later versions.
facade · Feb 23, 2022 · 1d71996 · 1d71996
1 parent 8f016e6
commit 1d71996
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/Http/Controllers/ScriptController.php b/src/Http/Controllers/ScriptController.php
@@ -9,6 +9,9 @@ class ScriptController
 {
     public function __invoke(Request $request)
     {
+        if (!isset(Ignition::scripts()[$request->script])) {
+            abort(404, 'Script not found');
+        }
         return response(
             file_get_contents(
                 Ignition::scripts()[$request->script]