oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-08-26 18:21:02 +00:00
Code Wiki Activity

ConfigController: move OTP endpoints to POST method only

Browse source 
Fixes GHSA-56fm-hfp3-x3w3

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf 2023-09-27 11:08:08 +02:00
parent 9ec351e8b6
commit 5240684be9
5 changed files with 101 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

58
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
View file

@ -1174,14 +1174,13 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->logInAs('admin');
$client = $this->getTestClient();
$crawler = $client->request('GET', '/config/otp/email');
$crawler = $client->request('GET', '/config');
$form = $crawler->filter('form[name=config_otp_email]')->form();
$client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$crawler = $client->followRedirect();
$this->assertGreaterThan(1, $alert = $crawler->filter('body')->extract(['_text']));
$this->assertStringContainsString('flashes.config.notice.otp_enabled', $alert[0]);
$this->assertStringContainsString('flashes.config.notice.otp_enabled', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
// restore user
$em = $this->getEntityManager();
@ -1201,14 +1200,23 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->logInAs('admin');
$client = $this->getTestClient();
$crawler = $client->request('GET', '/config/otp/email/disable');
$em = $this->getEntityManager();
$user = $em
->getRepository(User::class)
->findOneByUsername('admin');
$user->setEmailTwoFactor(true);
$em->persist($user);
$em->flush();
$crawler = $client->request('GET', '/config');
$form = $crawler->filter('form[name=disable_otp_email]')->form();
$client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$crawler = $client->followRedirect();
$this->assertGreaterThan(1, $alert = $crawler->filter('body')->extract(['_text']));
$this->assertStringContainsString('flashes.config.notice.otp_disabled', $alert[0]);
$this->assertStringContainsString('flashes.config.notice.otp_disabled', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
// restore user
$em = $this->getEntityManager();
@ -1224,7 +1232,10 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->logInAs('admin');
$client = $this->getTestClient();
$crawler = $client->request('GET', '/config/otp/app');
$crawler = $client->request('GET', '/config');
$form = $crawler->filter('form[name=config_otp_app]')->form();
$client->submit($form);
$this->assertSame(200, $client->getResponse()->getStatusCode());
@ -1278,14 +1289,23 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->logInAs('admin');
$client = $this->getTestClient();
$crawler = $client->request('GET', '/config/otp/app/disable');
$em = $this->getEntityManager();
$user = $em
->getRepository(User::class)
->findOneByUsername('admin');
$user->setGoogleAuthenticatorSecret("Google2FA");
$em->persist($user);
$em->flush();
$crawler = $client->request('GET', '/config');
$form = $crawler->filter('form[name=disable_otp_app]')->form();
$client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$crawler = $client->followRedirect();
$this->assertGreaterThan(1, $alert = $crawler->filter('body')->extract(['_text']));
$this->assertStringContainsString('flashes.config.notice.otp_disabled', $alert[0]);
$this->assertStringContainsString('flashes.config.notice.otp_disabled', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
// restore user
$em = $this->getEntityManager();