feat: only allow valid base64 encoded adhoc slugs from being used

alkrauss48 · May 17, 2024 · 7279c83 · 7279c83
1 parent fcd4c72
commit 7279c83
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 25 deletions.
diff --git a/app/Http/Controllers/AdhocSlidesController.php b/app/Http/Controllers/AdhocSlidesController.php
@@ -19,6 +19,10 @@ public function index(): Response
 
     public function show(string $slides): Response
     {
+        if (! $this->isValidBase64String($slides)) {
+            abort(404);
+        }
+
         dispatch(function () use ($slides) {
             DailyView::createForAdhocPresentation(slug: $slides);
         })->afterResponse();
@@ -30,4 +34,15 @@ public function show(string $slides): Response
             ],
         ]);
     }
+
+    private function isValidBase64String(string $value): bool
+    {
+        // Decode and encode the string via base64.
+        // If the string is the same, then it is valid.
+        if (base64_encode((string) base64_decode($value, true)) == $value) {
+            return true;
+        }
+
+        return false;
+    }
 }
diff --git a/tests/Feature/AdhocSlidesControllerTest.php b/tests/Feature/AdhocSlidesControllerTest.php
@@ -2,34 +2,56 @@
 
 use App\Models\DailyView;
 
-test('adhoc slides index screen can be rendered', function () {
-    $response = $this->get(route('home'));
+describe('Index', function () {
+    test('adhoc slides index screen can be rendered', function () {
+        $response = $this->get(route('home'));
 
-    $response->assertStatus(200);
-});
+        $response->assertStatus(200);
+    });
 
-test('adhoc slides index screen generate daily view', function () {
-    $response = $this->get(route('home'));
+    test('adhoc slides index screen generate daily view', function () {
+        $response = $this->get(route('home'));
 
-    $this->assertDatabaseHas(DailyView::class, [
-        'adhoc_slug' => null,
-    ]);
+        $this->assertDatabaseHas(DailyView::class, [
+            'adhoc_slug' => null,
+        ]);
+    });
 });
 
-test('adhoc slides show screen can be rendered', function () {
-    $response = $this->get(route('adhoc-slides.show', [
-        'slides' => 'foo', // Any string will work
-    ]));
-
-    $response->assertStatus(200);
-});
-
-test('adhoc slides show screen generate daily view', function () {
-    $response = $this->get(route('adhoc-slides.show', [
-        'slides' => 'foo',
-    ]));
-
-    $this->assertDatabaseHas(DailyView::class, [
-        'adhoc_slug' => 'foo',
-    ]);
+describe('Show', function () {
+    test('adhoc slides show screen can be rendered', function () {
+        $response = $this->get(route('adhoc-slides.show', [
+            'slides' => base64_encode('foo'),
+        ]));
+
+        $response->assertStatus(200);
+    });
+
+    test('adhoc slides show screen will 404 with invalid slug', function () {
+        $response = $this->get(route('adhoc-slides.show', [
+            'slides' => 'foo', // Not base64 encoded
+        ]));
+
+        $response->assertStatus(404);
+    });
+
+    test('adhoc slides show screen generate daily view', function () {
+        $response = $this->get(route('adhoc-slides.show', [
+            'slides' => base64_encode('foo'),
+        ]));
+
+        $this->assertDatabaseHas(DailyView::class, [
+            'adhoc_slug' => base64_encode('foo'),
+        ]);
+    });
+
+    test('adhoc slides show screen will not generate daily view with invalid slug', function () {
+        $response = $this->get(route('adhoc-slides.show', [
+            'slides' => 'foo', // Not base64 encoded
+        ]));
+
+        $this->assertDatabaseMissing(DailyView::class, [
+            'adhoc_slug' => 'foo',
+        ]);
+    });
 });