Merge pull request from GHSA-j74q-mv2c-rxmp

Author: bergmania

src/Umbraco.Tests/Routing/WebPathTests.cs

@@ -0,0 +1,97 @@
+using NUnit.Framework;
+using System;
+using Umbraco.Web.Routing;
+
+namespace Umbraco.Tests.Routing
+{
+
+    [TestFixture]
+    public class WebPathTests 
+    {
+
+        [Test]
+        [TestCase("ftp://hello.com/", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("file:///hello.com/", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("ws://hello.com/", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("wss://hello.com/", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("https://hello.com:8080/", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("http://hello.com:8080/", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path?query=param", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path?query=param", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("https://hello.com:8080/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("http://hello.com:8080/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("//hello.com:8080/path?query=param#fragment", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("//hello.com:8080/path", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("//hello.com:8080", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("//hello.com", UriKind.Absolute, ExpectedResult = true)]
+        [TestCase("/test/test.jpg", UriKind.Absolute, ExpectedResult = false)]
+        [TestCase("/test", UriKind.Absolute, ExpectedResult = false)]
+        [TestCase("test", UriKind.Absolute, ExpectedResult = false)]
+        [TestCase("", UriKind.Absolute, ExpectedResult = false)]
+        [TestCase(null, UriKind.Absolute, ExpectedResult = false)]
+        [TestCase("this is not welformed", UriKind.Absolute, ExpectedResult = false)]
+        [TestCase("ftp://hello.com/", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("file:///hello.com/", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("ws://hello.com/", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("wss://hello.com/", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("https://hello.com:8080/", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("http://hello.com:8080/", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("https://hello.com/path", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("http://hello.com/path", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("https://hello.com/path?query=param", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("http://hello.com/path?query=param", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("https://hello.com/path#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("http://hello.com/path#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("https://hello.com/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("http://hello.com/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("https://hello.com:8080/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("http://hello.com:8080/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("//hello.com:8080/path?query=param#fragment", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("//hello.com:8080/path", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("//hello.com:8080", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("//hello.com", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("/test/test.jpg", UriKind.Relative, ExpectedResult = true)]
+        [TestCase("/test", UriKind.Relative, ExpectedResult = true)]
+        [TestCase("test", UriKind.Relative, ExpectedResult = true)]
+        [TestCase("", UriKind.Relative, ExpectedResult = false)]
+        [TestCase(null, UriKind.Relative, ExpectedResult = false)]
+        [TestCase("this is not welformed", UriKind.Relative, ExpectedResult = false)]
+        [TestCase("ftp://hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("file:///hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("ws://hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("wss://hello.com/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("https://hello.com:8080/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("http://hello.com:8080/", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path?query=param", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path?query=param", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("https://hello.com/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("http://hello.com/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("https://hello.com:8080/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("http://hello.com:8080/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("//hello.com:8080/path?query=param#fragment", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("//hello.com:8080/path", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("//hello.com:8080", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("//hello.com", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("/test/test.jpg", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("/test", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("test", UriKind.RelativeOrAbsolute, ExpectedResult = true)]
+        [TestCase("", UriKind.RelativeOrAbsolute, ExpectedResult = false)]
+        [TestCase(null, UriKind.RelativeOrAbsolute, ExpectedResult = false)]
+        [TestCase("this is not welformed", UriKind.RelativeOrAbsolute, ExpectedResult = false)]
+        public bool IsWellFormedWebPath(string? webPath, UriKind uriKind)
+        {
+            return WebPath.IsWellFormedWebPath(webPath, uriKind);
+        }
+
+    }
+}

src/Umbraco.Tests/Umbraco.Tests.csproj

@@ -170,6 +170,7 @@
     <Compile Include="PublishedContent\NuCacheTests.cs" />
     <Compile Include="Routing\MediaUrlProviderTests.cs" />
     <Compile Include="Routing\RoutableDocumentFilterTests.cs" />
+    <Compile Include="Routing\WebPathTests.cs" />
     <Compile Include="Runtimes\StandaloneTests.cs" />
     <Compile Include="Routing\GetContentUrlsTests.cs" />
     <Compile Include="Scheduling\ContentVersionCleanup_Tests_UnitTests.cs" />

src/Umbraco.Web/Editors/ImagesController.cs

@@ -8,6 +8,7 @@
 using Umbraco.Core.IO;
 using Umbraco.Core.Models;
 using Umbraco.Web.Mvc;
+using Umbraco.Web.Routing;
 using Umbraco.Web.WebApi;
 
 namespace Umbraco.Web.Editors
@@ -102,7 +103,7 @@ public HttpResponseMessage GetResized(string imagePath, int width)
         private bool IsAllowed(string encodedImagePath)
         {
 
-            if(Uri.IsWellFormedUriString(encodedImagePath, UriKind.Relative))
+            if(WebPath.IsWellFormedWebPath(encodedImagePath, UriKind.Relative))
             {
                 return true;
             }

src/Umbraco.Web/Routing/WebPath.cs

@@ -0,0 +1,34 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Umbraco.Web.Routing
+{
+    public class WebPath
+    {
+        /// <summary>
+        /// Determines whether the provided web path is well-formed according to the specified UriKind.
+        /// </summary>
+        /// <param name="webPath">The web path to check. This can be null.</param>
+        /// <param name="uriKind">The kind of Uri (Absolute, Relative, or RelativeOrAbsolute).</param>
+        /// <returns>
+        /// true if <paramref name="webPath"/> is well-formed; otherwise, false.
+        /// </returns>
+        public static bool IsWellFormedWebPath(string? webPath, UriKind uriKind)
+        {
+            if (string.IsNullOrWhiteSpace(webPath))
+            {
+                return false;
+            }
+
+            if (webPath.StartsWith("//"))
+            {
+                return uriKind is not UriKind.Relative;
+            }
+
+            return Uri.IsWellFormedUriString(webPath, uriKind);
+        }
+    }
+}

src/Umbraco.Web/Umbraco.Web.csproj

@@ -325,6 +325,7 @@
     <Compile Include="Routing\IPublishedRouter.cs" />
     <Compile Include="Routing\MediaUrlProviderCollection.cs" />
     <Compile Include="Routing\MediaUrlProviderCollectionBuilder.cs" />
+    <Compile Include="Routing\WebPath.cs" />
     <Compile Include="Scheduling\ContentVersionCleanup.cs" />
     <Compile Include="Scheduling\SimpleTask.cs" />
     <Compile Include="Scheduling\TempFileCleanup.cs" />