qa: updates psr-7 integration test version

Updates to 1.2.0, which adds the tests we wrote for mitigating ZF2015-05, with a few changes: - When creating the string representation of the URL, we DO NOT normalize the path to remove multiple leading slashes. In its absolute form, this is not necessary. - All normalization is done via `getPath()`; this mitigates the common XSS scenario. - It adds a test to validate that when using origin-form during a `RequestInterface::getRequestTarget()` call, it will use the results of `getPath()`, as this is a scenario where the XSS could also occur. I have removed one test from `UriTest`, as it contradicts the first point above. Since the scenario is covered in the PSR-7 integration tests, we are covered. See php-http/psr7-integration-tests#54 for more details. Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
weierophinney · Dec 14, 2022 · b17abb2 · b17abb2
1 parent cf1dc9e
commit b17abb2
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 50 deletions.
diff --git a/composer.json b/composer.json
@@ -45,7 +45,7 @@
         "ext-libxml": "*",
         "http-interop/http-factory-tests": "^0.9.0",
         "laminas/laminas-coding-standard": "^2.4.0",
-        "php-http/psr7-integration-tests": "^1.1.1",
+        "php-http/psr7-integration-tests": "^1.2",
         "phpunit/phpunit": "^9.5.26",
         "psalm/plugin-phpunit": "^0.18.0",
         "vimeo/psalm": "^5.0.0"

diff --git a/composer.lock b/composer.lock
diff --git a/src/Uri.php b/src/Uri.php
@@ -113,7 +113,7 @@ public function __toString(): string
         $this->uriString = static::createUriString(
             $this->scheme,
             $this->getAuthority(),
-            $this->getPath(), // Absolute URIs should use a "/" for an empty path
+            $this->path, // Absolute URIs should use a "/" for an empty path
             $this->query,
             $this->fragment
         );
@@ -185,7 +185,18 @@ public function getPort(): ?int
      */
     public function getPath(): string
     {
-        return $this->path;
+        if ('' === $this->path) {
+            // No path
+            return $this->path;
+        }
+
+        if ($this->path[0] !== '/') {
+            // Relative path
+            return $this->path;
+        }
+
+        // Ensure only one leading slash, to prevent XSS attempts.
+        return '/' . ltrim($this->path, '/');
     }
 
     /**
@@ -557,7 +568,7 @@ private function filterPath(string $path): string
     {
         $path = $this->filterInvalidUtf8($path);
 
-        $path = preg_replace_callback(
+        return preg_replace_callback(
             '/(?:[^' . self::CHAR_UNRESERVED . ')(:@&=\+\$,\/;%]+|%(?![A-Fa-f0-9]{2}))/u',
             [$this, 'urlEncodeChar'],
             $path

diff --git a/test/UriTest.php b/test/UriTest.php
@@ -575,13 +575,6 @@ public function testFragmentIsNotDoubleEncoded(): void
         $this->assertSame($expected, $uri->getFragment());
     }
 
-    public function testProperlyTrimsLeadingSlashesToPreventXSS(): void
-    {
-        $url = 'http://example.org//zend.com';
-        $uri = new Uri($url);
-        $this->assertSame('http://example.org/zend.com', (string) $uri);
-    }
-
     /** @return non-empty-array<string, array{'withScheme'|'withUserInfo'|'withHost'|'withPath'|'withQuery'|'withFragment', mixed}> */
     public function invalidStringComponentValues(): array
     {