added HTTP_Origin validation (app_save_paste path)

Author: lukasbecvar

.env.dev

@@ -3,6 +3,9 @@ APP_SECRET=6514635062ba34f218535f9f106fd20b
 # allow access only with https protocol
 SSL_ONLY=false
 
+# allowed origin
+ALLOWED_ORIGIN=localhost
+
 # enable maintenance mode
 MAINTENANCE_MODE=false
 

.env.test

@@ -3,6 +3,9 @@ APP_SECRET=0ec3c0e9ae0961bb9e1d7ae47f458f3f
 # allow access only with https protocol
 SSL_ONLY=false
 
+# allowed origin
+ALLOWED_ORIGIN=localhost
+
 # enable maintenance mode
 MAINTENANCE_MODE=false
 

src/Controller/PasteController.php

@@ -3,6 +3,7 @@
 namespace App\Controller;
 
 use Exception;
+use App\Util\AppUtil;
 use App\Util\SecurityUtil;
 use App\Manager\PasteManager;
 use Symfony\Component\HttpFoundation\Request;
@@ -19,11 +20,13 @@
  */
 class PasteController extends AbstractController
 {
+    private AppUtil $appUtil;
     private SecurityUtil $securityUtil;
     private PasteManager $pasteManager;
 
-    public function __construct(SecurityUtil $securityUtil, PasteManager $pasteManager)
+    public function __construct(AppUtil $appUtil, SecurityUtil $securityUtil, PasteManager $pasteManager)
     {
+        $this->appUtil = $appUtil;
         $this->securityUtil = $securityUtil;
         $this->pasteManager = $pasteManager;
     }
@@ -53,6 +56,16 @@ public function save(Request $request): Response
         $content = (string) $request->request->get('paste-content');
         $token = (string) $request->request->get('token');
 
+        // check if origin is allowed
+        $origin = $request->headers->get('Origin');
+        if ($origin == null || !str_contains($origin, $this->appUtil->getEnvValue('ALLOWED_ORIGIN'))) {
+            return $this->json([
+                'code' => Response::HTTP_FORBIDDEN,
+                'status' => 'error',
+                'message' => 'Invalid origin'
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         try {
             // save paste
             $this->pasteManager->savePaste($token, $content);

tests/Controller/PasteControllerTest.php

@@ -37,6 +37,24 @@ public function testLoadIndexPage(): void
         $this->assertResponseStatusCodeSame(Response::HTTP_OK);
     }
 
+    /**
+     * Test save paste when origin is invalid
+     *
+     * @return void
+     */
+    public function testSavePasteWhenOriginIsInvalid(): void
+    {
+        $_ENV['ALLOWED_ORIGIN'] = 'http://localhost';
+
+        $this->client->request('POST', '/save', [
+            'paste-content' => 'test content',
+            'token' => ByteString::fromRandom(16)
+        ], server: ['HTTP_Origin' => 'http://invalid.origin']);
+
+        // assert response
+        $this->assertResponseStatusCodeSame(Response::HTTP_FORBIDDEN);
+    }
+
     /**
      * Test save empty paste
      *
@@ -47,7 +65,7 @@ public function testSaveEmptyPaste(): void
         $this->client->request('POST', '/save', [
             'paste-content' => '',
             'token' => ByteString::fromRandom(16)
-        ]);
+        ], server: ['HTTP_Origin' => 'http://localhost']);
 
         // assert response
         $this->assertResponseStatusCodeSame(Response::HTTP_BAD_REQUEST);
@@ -63,7 +81,7 @@ public function testSaveNewPasteSuccess(): void
         $this->client->request('POST', '/save', [
             'paste-content' => 'test content',
             'token' => ByteString::fromRandom(16)
-        ]);
+        ], server: ['HTTP_Origin' => 'http://localhost']);
 
         // assert response
         $this->assertResponseStatusCodeSame(Response::HTTP_OK);