Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint

2026-01-17 01:58:07 +00:00 · 2024-12-09 15:52:37 +01:00 · 2024-12-09 15:52:37 +01:00 · 749fe0586d
commit 749fe0586d
parent bb58cd7347
11 changed files with 107 additions and 25 deletions
--- a/.gitlab-ci-files/deploy.yml
+++ b/.gitlab-ci-files/deploy.yml
@ -14,13 +14,13 @@ rocky9-deploy:
    - rocky9-package
    - rocky9-test

-debian11-deploy:
-  extends: .deploy
-  script:
-    - ./deploy_packages.sh debian bullseye
-  needs:
-    - debian11-package
-    - debian11-test
+#debian11-deploy:
+#  extends: .deploy
+#  script:
+#    - ./deploy_packages.sh debian bullseye
+#  needs:
+#    - debian11-package
+#    - debian11-test

 debian12-deploy:
  extends: .deploy
--- a/.gitlab-ci-files/package.yml
+++ b/.gitlab-ci-files/package.yml
@ -16,9 +16,9 @@ rocky9-package:
  script:
    - make rpm-el9

-debian11-package:
-  extends: .debian_package
-  image: gitlab.linphone.org:4567/bc/public/docker/debian11-php:$DEBIAN_11_IMAGE_VERSION
+#debian11-package:
+#  extends: .debian_package
+#  image: gitlab.linphone.org:4567/bc/public/docker/debian11-php:$DEBIAN_11_IMAGE_VERSION

 debian12-package:
  extends: .debian_package
--- a/.gitlab-ci-files/test.yml
+++ b/.gitlab-ci-files/test.yml
@ -21,11 +21,11 @@ rocky9-test:
    - php artisan key:generate
    - vendor/bin/phpunit --log-junit $CI_PROJECT_DIR/flexiapi_phpunit.log

-debian11-test:
-  extends: .debian-test
-  image: gitlab.linphone.org:4567/bc/public/docker/debian11-php:$DEBIAN_11_IMAGE_VERSION
-  needs:
-    - debian11-package
+#debian11-test:
+#  extends: .debian-test
+#  image: gitlab.linphone.org:4567/bc/public/docker/debian11-php:$DEBIAN_11_IMAGE_VERSION
+#  needs:
+#    - debian11-package

 debian12-test:
  extends: .debian-test
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,8 +1,5 @@
 # Flexisip Account Manager Changelog

-v1.6 (master)
-------------
-
 v1.5
 ---
 - Fix FLEXIAPI-202 Add account parameter to the redirection in the destroy admin route
@ -66,6 +63,7 @@ v1.5
 - Fix #133 Make the MySQL connection unstrict
 - Fix #132 Move the provisioning_tokens and recovery_codes to dedicated table
 - Fix #130 Drop the group column in the Accounts table
+- Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint

 v1.4.9
 ------
--- a/flexiapi/app/AccountCreationToken.php
+++ b/flexiapi/app/AccountCreationToken.php
@ -19,6 +19,7 @@

 namespace App;

+use Illuminate\Validation\Rule;
 use Illuminate\Database\Eloquent\Factories\HasFactory;

 class AccountCreationToken extends Consommable
--- a/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
+++ b/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
@ -26,6 +26,9 @@ use Carbon\Carbon;

 use App\AccountCreationToken;
 use App\AccountCreationRequestToken;
+use App\Rules\PnParam;
+use App\Rules\PnPrid;
+use App\Rules\PnProvider;
 use App\Http\Controllers\Controller;
 use App\Http\Controllers\Account\AuthenticateController as WebAuthenticateController;
 use App\Libraries\FlexisipPusherConnector;
@ -36,9 +39,9 @@ class CreationTokenController extends Controller
    public function sendByPush(Request $request)
    {
        $request->validate([
-            'pn_provider' => 'required',
-            'pn_param' => 'required',
-            'pn_prid' => 'required',
+            'pn_provider' => ['required', new PnProvider],
+            'pn_param' => [new PnParam],
+            'pn_prid' => [new PnPrid],
        ]);

        $last = AccountCreationToken::where('pn_provider', $request->get('pn_provider'))
--- a/flexiapi/app/Rules/PnParam.php
+++ b/flexiapi/app/Rules/PnParam.php
@ -0,0 +1,19 @@
+<?php
+
+namespace App\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+use Respect\Validation\Validator;
+
+class PnParam implements Rule
+{
+    public function passes($attribute, $value)
+    {
+        return $value == null || Validator::regex('/^\w+$/')->validate($value);
+    }
+
+    public function message()
+    {
+        return 'The :attribute should be null or contain only alphanumeric and underscore characters';
+    }
+}
--- a/flexiapi/app/Rules/PnPrid.php
+++ b/flexiapi/app/Rules/PnPrid.php
@ -0,0 +1,19 @@
+<?php
+
+namespace App\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+use Respect\Validation\Validator;
+
+class PnPrid implements Rule
+{
+    public function passes($attribute, $value)
+    {
+        return $value == null || Validator::regex('/^[\w\-\:]+$/')->validate($value);
+    }
+
+    public function message()
+    {
+        return 'The :attribute should be null or contain only alphanumeric, dashes and colon characters';
+    }
+}
--- a/flexiapi/app/Rules/PnProvider.php
+++ b/flexiapi/app/Rules/PnProvider.php
@ -0,0 +1,21 @@
+<?php
+
+namespace App\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+use Respect\Validation\Validator;
+
+class PnProvider implements Rule
+{
+    private $values = ['apns.dev', 'apns', 'fcm'];
+
+    public function passes($attribute, $value)
+    {
+        return in_array($value, $this->values);
+    }
+
+    public function message()
+    {
+        return 'The :attribute should be in ' . implode(', ', $this->values);
+    }
+}
--- a/flexiapi/resources/views/api/documentation_markdown.blade.php
+++ b/flexiapi/resources/views/api/documentation_markdown.blade.php
@ -179,9 +179,9 @@ Return `503` if the token was not successfully sent.

 JSON parameters:

-* `pn_provider` the push notification provider
-* `pn_param` the push notification parameter
-* `pn_prid` the push notification unique id
+* `pn_provider` **required**, the push notification provider, must be in apns.dev, apns or fcm
+* `pn_param` the push notification parameter, can be null or contain only alphanumeric and underscore characters
+* `pn_prid` the push notification unique id, can be null or contain only alphanumeric, dashes and colon characters

 ### `POST /account_creation_tokens/using-account-creation-request-token`
 <span class="badge badge-success">Public</span>
--- a/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
+++ b/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
@ -35,12 +35,33 @@ class ApiAccountCreationTokenTest extends TestCase
    protected $adminRoute = '/api/account_creation_tokens';
    protected $method = 'POST';

-    protected $pnProvider = 'provider';
+    protected $pnProvider = 'fcm';
    protected $pnParam = 'param';
    protected $pnPrid = 'id';

    public function testCorrectParameters()
    {
+        $this->assertSame(AccountCreationToken::count(), 0);
+        $this->json($this->method, $this->tokenRoute, [
+            'pn_provider' => 'wrong',
+            'pn_param' => $this->pnParam,
+            'pn_prid' => $this->pnPrid,
+        ])->assertJsonValidationErrors(['pn_provider']);
+
+        $this->assertSame(AccountCreationToken::count(), 0);
+        $this->json($this->method, $this->tokenRoute, [
+            'pn_provider' => $this->pnProvider,
+            'pn_param' => '@wrong',
+            'pn_prid' => $this->pnPrid,
+        ])->assertJsonValidationErrors(['pn_param']);
+
+        $this->assertSame(AccountCreationToken::count(), 0);
+        $this->json($this->method, $this->tokenRoute, [
+            'pn_provider' => $this->pnProvider,
+            'pn_param' => $this->pnParam,
+            'pn_prid' => '@wrong',
+        ])->assertJsonValidationErrors(['pn_prid']);
+
        $this->assertSame(AccountCreationToken::count(), 0);
        $this->json($this->method, $this->tokenRoute, [
            'pn_provider' => $this->pnProvider,