From 4161a65e0be5d9605b102161571549ef0e986224 Mon Sep 17 00:00:00 2001
From: Matej Baco <matejbacocom@gmail.com>
Date: Mon, 31 Jan 2022 16:04:30 +0100
Subject: [PATCH] Path validator + tests

---
 app/controllers/general.php             | 10 +++-
 src/Appwrite/Storage/Validator/Path.php | 78 +++++++++++++++++++++++++
 tests/e2e/Client.php                    | 17 +++++-
 tests/e2e/General/HTTPTest.php          | 17 ++++++
 4 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 src/Appwrite/Storage/Validator/Path.php

diff --git a/app/controllers/general.php b/app/controllers/general.php
index 7f82c36a3..64e122ff8 100644
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@@ -2,6 +2,7 @@
 
 require_once __DIR__.'/../init.php';
 
+use Appwrite\Storage\Validator\Path;
 use Utopia\App;
 use Utopia\Logger\Log;
 use Utopia\Logger\Log\User;
@@ -525,8 +526,15 @@ App::get('/.well-known/acme-challenge')
     ->inject('request')
     ->inject('response')
     ->action(function ($request, $response) {
+        $filePath = $request->getURI();
+
+        $validator = new Path();
+        if (!$validator->isValid($filePath)) {
+            throw new Exception('Invalid file path. Please use relative path without \'../\'', 400);
+        }
+
         $base = \realpath(APP_STORAGE_CERTIFICATES);
-        $path = \str_replace('/.well-known/acme-challenge/', '', $request->getURI());
+        $path = \str_replace('/.well-known/acme-challenge/', '', $filePath);
         $absolute = \realpath($base.'/.well-known/acme-challenge/'.$path);
 
         if (!$base) {
diff --git a/src/Appwrite/Storage/Validator/Path.php b/src/Appwrite/Storage/Validator/Path.php
new file mode 100644
index 000000000..110ab47d8
--- /dev/null
+++ b/src/Appwrite/Storage/Validator/Path.php
@@ -0,0 +1,78 @@
+<?php
+
+namespace Appwrite\Network\Validator;
+
+use Utopia\Validator;
+
+/**
+ * Domain
+ *
+ * Validate that an variable is a valid domain address
+ *
+ * @package Utopia\Validator
+ */
+class Path extends Validator
+{
+    /**
+     * Get Description
+     *
+     * Returns validator description
+     *
+     * @return string
+     */
+    public function getDescription(): string
+    {
+        return 'Value must be a relative path without \'../\'';
+    }
+
+    /**
+     * Is valid
+     *
+     * Validation will pass when $value is valid domain.
+     *
+     * Validates domain names against RFC 1034, RFC 1035, RFC 952, RFC 1123, RFC 2732, RFC 2181, and RFC 1123.
+     *
+     * @param  mixed $value
+     * @return bool
+     */
+    public function isValid($value): bool
+    {
+        if (empty($value)) {
+            return false;
+        }
+
+        if (!is_string($value)) {
+            return false;
+        }
+
+        if(\str_contains($value, '..')) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Is array
+     *
+     * Function will return true if object is array.
+     *
+     * @return bool
+     */
+    public function isArray(): bool
+    {
+        return false;
+    }
+
+    /**
+     * Get Type
+     *
+     * Returns validator type.
+     *
+     * @return string
+     */
+    public function getType(): string
+    {
+        return self::TYPE_STRING;
+    }
+}
diff --git a/tests/e2e/Client.php b/tests/e2e/Client.php
index 4e0c138b9..c6c4ff83c 100644
--- a/tests/e2e/Client.php
+++ b/tests/e2e/Client.php
@@ -3,6 +3,10 @@
 namespace Tests\E2E;
 
 use Exception;
+use function curl_setopt;
+use function http_build_query;
+use const CURLOPT_PATH_AS_IS;
+use const CURLOPT_TIMEOUT;
 
 class Client
 {
@@ -119,7 +123,7 @@ class Client
     }
 
     /**
-     * @param mixed $endpoint
+     * @param string $endpoint
      * @return self $this
      */
     public function setEndpoint($endpoint): self
@@ -129,6 +133,14 @@ class Client
         return $this;
     }
 
+    /**
+     * @return string
+     */
+    public function getEndpoint(): string
+    {
+        return $this->endpoint;
+    }
+
     /**
      * @param string $key
      * @param string $value
@@ -183,12 +195,13 @@ class Client
             unset($headers[$i]);
         }
 
+        curl_setopt($ch, CURLOPT_PATH_AS_IS, 1);
         curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
         curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36');
         curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
-        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0); 
+        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
         curl_setopt($ch, CURLOPT_TIMEOUT, 15);
         curl_setopt($ch, CURLOPT_HEADERFUNCTION, function ($curl, $header) use (&$responseHeaders) {
             $len = strlen($header);
diff --git a/tests/e2e/General/HTTPTest.php b/tests/e2e/General/HTTPTest.php
index a83237928..4e2647f31 100644
--- a/tests/e2e/General/HTTPTest.php
+++ b/tests/e2e/General/HTTPTest.php
@@ -94,6 +94,23 @@ class HTTPTest extends Scope
         $this->assertStringContainsString('# robotstxt.org/', $response['body']);
     }
 
+    public function testAcmeChallenge()
+    {
+        $previousEndpoint = $this->client->getEndpoint();
+        $this->client->setEndpoint("http://localhost");
+
+        /**
+         * Test for FAILURE
+         */
+        $response = $this->client->call(Client::METHOD_GET, '/.well-known/acme-challenge/../../../../../../../etc/passwd', \array_merge([
+            'origin' => 'http://localhost',
+        ]), []);
+
+        $this->client->setEndpoint($previousEndpoint);
+
+        $this->assertEquals(400, $response['headers']['status-code']);
+    }
+
     // public function testSpecSwagger2()
     // {
     //     $response = $this->client->call(Client::METHOD_GET, '/specs/swagger2?platform=client', [