ExportController: fix improper authorization vulnerability

We fix the improper authorization by duplicating the check done by the private method EntryController::checkUserAction(). We also replace the ParamConverter used to get the requested Entry with an explicit call to EntryRepository in order to prevent a resource enumeration through response discrepancy. Thus, we get the same exception whether the requested resource does not exist or is not owned by the requester. Fixes GHSA-qwx8-mxxx-mg96 Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-12 23:40:16 +01:00
parent 9e9aedee94
commit 0fdd9aa991
2 changed files with 27 additions and 4 deletions
--- a/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php
@ -57,7 +57,7 @@ class ExportControllerTest extends WallabagCoreTestCase
        $this->assertSame(404, $client->getResponse()->getStatusCode());
    }

-    public function testBadEntryId()
+    public function testNonExistingEntryId()
    {
        $this->logInAs('admin');
        $client = $this->getClient();
@ -67,6 +67,18 @@ class ExportControllerTest extends WallabagCoreTestCase
        $this->assertSame(404, $client->getResponse()->getStatusCode());
    }

+    public function testForbiddenEntryId()
+    {
+        $this->logInAs('admin');
+        $client = $this->getClient();
+
+        // Entry with id 3 is owned by the user bob
+        // See EntryFixtures
+        $client->request('GET', '/export/3.mobi');
+
+        $this->assertSame(404, $client->getResponse()->getStatusCode());
+    }
+
    public function testEpubExport()
    {
        $this->logInAs('admin');