Add logic for validating storage URLs to StorageUrlTrait.

Potherca · Potherca · commit cff842c6024d · 2025-05-21T09:58:19.000+02:00
diff --git a/solid/lib/Controller/GetStorageUrlTrait.php b/solid/lib/Controller/GetStorageUrlTrait.php
@@ -4,6 +4,7 @@
 
 use OCA\Solid\ServerConfig;
 use OCP\IURLGenerator;
+use Psr\Http\Message\RequestInterface;
 
 trait GetStorageUrlTrait
 {
@@ -55,6 +56,27 @@ public function getStorageUrl($userId) {
 		return $storageUrl;
 	}
 
+	public function validateUrl(RequestInterface $request): bool {
+		$isValid = false;
+
+		$host = $request->getUri()->getHost();
+		$path = $request->getUri()->getPath();
+		$pathParts = explode('/', $path);
+
+		$pathUsers = array_filter($pathParts, static function ($value) {
+			return str_starts_with($value, '@');
+		});
+
+		if (count($pathUsers) === 1) {
+			$pathUser = reset($pathUsers);
+			$subDomainUser = explode('.', $host)[0];
+
+			$isValid = $pathUser === '@' . $subDomainUser;
+		}
+
+		return $isValid;
+	}
+
 	////////////////////////////// UTILITY METHODS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
 	private function build_url(array $parts) {
diff --git a/solid/tests/Unit/Controller/GetStorageUrlTraitTest.php b/solid/tests/Unit/Controller/GetStorageUrlTraitTest.php
@@ -3,11 +3,13 @@
 namespace OCA\Solid\Controller;
 
 use Error;
+use Laminas\Diactoros\Request;
+use Laminas\Diactoros\Uri;
 use OCA\Solid\ServerConfig;
 use OCP\IURLGenerator;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
-use ReflectionObject;
+use Psr\Http\Message\RequestInterface;
 
 /**
  * @coversDefaultClass \OCA\Solid\Controller\GetStorageUrlTrait
@@ -98,6 +100,20 @@ public function testGetStorageUrlWithUserSubDomainsEnabled($url, $userId, $expec
 		$this->assertEquals($expected, $actual);
 	}
 
+	/**
+	 * @testdox GetStorageUrlTrait should return expected validity when asked to validateUrl
+	 *
+	 * @covers ::validateUrl
+	 *
+	 * @dataProvider provideRequests
+	 */
+	public function testValidateUrl(RequestInterface $response, $expected)
+	{
+		$actual = $this->trait->validateUrl($response);
+
+		$this->assertEquals($expected, $actual);
+	}
+
 	////////////////////////////// MOCKS AND STUBS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
 	public function getMockConfig($enabled = false): MockObject|ServerConfig
@@ -128,6 +144,22 @@ public function getMockUrlGenerator($url): MockObject|IURLGenerator
 
 	/////////////////////////////// DATAPROVIDERS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
 
+	public function provideRequests()
+	{
+		$request = new Request();
+
+		return [
+			'invalid: invalid URL' => ['request' => $request->withUri(new Uri('!@#$%^&*()_')), 'expected' => false],
+			'invalid: no domain user' => ['request' => $request->withUri(new Uri('https://example.com/@alice/profile/card#me')), 'expected' => false],
+			'invalid: no path or domain user' => ['request' => $request->withUri(new Uri('https://example.com/')), 'expected' => false],
+			'invalid: no path user' => ['request' => $request->withUri(new Uri('https://alice.example.com/profile/card#me')), 'expected' => false],
+			'invalid: no URL' => ['request' => $request, 'expected' => false],
+			'invalid: path and domain user mismatch' => ['request' => $request->withUri(new Uri('https://bob.example.com/@alice/profile/card#me')), 'expected' => false],
+			'valid: minimal path and domain user match' => ['request' => $request->withUri(new Uri('https://alice.example.com/apps/@alice')), 'expected' => true],
+			'valid: path and domain user match' => ['request' => $request->withUri(new Uri('https://alice.example.com/apps/solid/@alice/profile/card#me')), 'expected' => true],
+		];
+	}
+
 	public function provideSubDomainsDisabledUrls()
 	{
 		return [
