From c50371fdfa5ca86dba41c103f8c0f79b866c753b Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Sat, 15 May 2021 13:45:20 -0700
Subject: [PATCH 1/4] Provide origin for stylesheet URLs which are absolute paths
---
 .../sanitizers/class-amp-style-sanitizer.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/includes/sanitizers/class-amp-style-sanitizer.php b/includes/sanitizers/class-amp-style-sanitizer.php
index 28658d89112..c5b284d297a 100644
--- a/includes/sanitizers/class-amp-style-sanitizer.php
+++ b/includes/sanitizers/class-amp-style-sanitizer.php
@@ -1469,6 +1469,22 @@ private function process_link_element( DOMElement $element ) {
 * @return string|WP_Error Stylesheet string on success, or WP_Error on failure.
 */
 private function get_stylesheet_from_url( $stylesheet_url ) {
+ // For absolute paths, provide the origin (host and port).
+ if ( '/' === substr( $stylesheet_url, 0, 1 ) && '//' !== substr( $stylesheet_url, 0, 2 ) ) {
+ $parsed_home_url = wp_parse_url( home_url() );
+ if ( ! isset( $parsed_home_url['host'] ) ) {
+ // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+ $parsed_home_url['host'] = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : 'localhost';
+ }
+
+ $stylesheet_origin = '//' . $parsed_home_url['host'];
+ if ( isset( $parsed_home_url['port'] ) ) {
+ $stylesheet_origin .= ':' . $parsed_home_url['port'];
+ }
+
+ $stylesheet_url = $stylesheet_origin . $stylesheet_url;
+ }
+
 $stylesheet = false;
 $css_file_path = $this->get_validated_url_file_path( $stylesheet_url, [ 'css', 'less', 'scss', 'sass' ] );
 if ( ! is_wp_error( $css_file_path ) ) {
From 55c93ebfbc7fc7d3fe3dcf4efc95f1395c9c9011 Mon Sep 17 00:00:00 2001
From: thelovekesh
Date: Wed, 25 Jan 2023 16:09:07 +0530
Subject: [PATCH 2/4] Add test cases for AMP_Style_Sanitizer_Test::get_stylesheet_from_url()
---
 tests/php/test-amp-style-sanitizer.php | 33 ++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
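Review bot: The fallback on the `$parsed_home_url['host']` line in patch 1 takes `$_SERVER['HTTP_HOST']` verbatim, and the `phpcs:ignore` directly above it silences the one warning that would flag this. The Host header is chosen by the client, so whenever `home_url()` yields no host, the origin prepended to the stylesheet path is request-controlled; that is the URL `get_validated_url_file_path()` then receives, and presumably also what any later remote fetch would use. I would drop the header fallback and prepend the origin only when the site has a configured host, i.e. wrap the concatenation in `if ( isset( $parsed_home_url['host'] ) ) { … }` and otherwise leave `$stylesheet_url` as it was. The prepended origin is also scheme-relative (`//host`), so it is worth confirming that the code after this hunk resolves such URLs as intended; the function body continues outside the hunk.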
diff --git a/tests/php/test-amp-style-sanitizer.php b/tests/php/test-amp-style-sanitizer.php index d8f2bc2765e..1086846fbde 100644 --- a/tests/php/test-amp-style-sanitizer.php +++ b/tests/php/test-amp-style-sanitizer.php @@ -19,6 +19,7 @@ use AmpProject\Exception\FailedToGetFromRemoteUrl; use AmpProject\AmpWP\Tests\TestCase; use AmpProject\AmpWP\ValidationExemption; +use SebastianBergmann\Environment\Console; /** * Test AMP_Style_Sanitizer. @@ -945,6 +946,38 @@ static function( $preempt, $request, $url ) { } } + /** + * Test get_stylesheet_from_url with a bad URL. + * + * @covers AMP_Style_Sanitizer::get_stylesheet_from_url() + */ + public function test_get_stylesheet_from_url_bad_url() { + $dom = Document::fromHtml( '', Options::DEFAULTS ); + + $sanitizer = new AMP_Style_Sanitizer( $dom, [] ); + + $css_url = 'https://example.com/style.css'; + $stylesheet = $this->call_private_method( $sanitizer, 'get_stylesheet_from_url', [ $css_url ] ); + + $this->assertTrue( is_wp_error( $stylesheet ) ); + $this->assertInstanceOf( WP_Error::class, $stylesheet ); + $this->assertStringStartsWith( 'Failed to fetch:', $stylesheet->get_error_message() ); + + $css_url = amp_get_asset_url( 'css/amp-default.css' ); + $stylesheet = $this->call_private_method( $sanitizer, 'get_stylesheet_from_url', [ $css_url ] ); + + $this->assertIsString( $stylesheet ); + $this->assertNotEmpty( $stylesheet ); + $this->assertFalse( is_wp_error( $stylesheet ) ); + + $css_url = '/wp-includes/css/admin-bar.css'; + $stylesheet = $this->call_private_method( $sanitizer, 'get_stylesheet_from_url', [ $css_url ] ); + + $this->assertIsString( $stylesheet ); + $this->assertNotEmpty( $stylesheet ); + $this->assertFalse( is_wp_error( $stylesheet ) ); + } + /** * Add test coverage for the property_allowlist condition in process_css_declaration_block which is not currently reachable given the spec. * From 20c1bc24428c9ed53b2789eebfa3e6b74dd463a5 Mon Sep 17 00:00:00 2001 
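Review bot: `test_get_stylesheet_from_url_bad_url` reaches the new absolute-path branch only once, with `/wp-includes/css/admin-bar.css` under the default `home_url()`, so the port branch, the missing-host fallback and the `//` exclusion added in patch 1 are not exercised. Those are the paths where the origin can come out wrong, so each deserves a named case, for example a `home_url` filter that returns a host with a port, and a scheme-relative input asserted to pass through without being prefixed. The method name also says "bad URL" while two of its three cases assert success; a data provider with one case per URL shape would make a failure point at the branch that broke. `assertTrue( is_wp_error( $stylesheet ) )` is redundant next to `assertInstanceOf( WP_Error::class, $stylesheet )` and can be dropped.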
From: thelovekesh Date: Wed, 25 Jan 2023 16:12:07 +0530 Subject: [PATCH 3/4] Remove unused namespace alias --- tests/php/test-amp-style-sanitizer.php | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/php/test-amp-style-sanitizer.php b/tests/php/test-amp-style-sanitizer.php index 1086846fbde..66807bbdba8 100644 --- a/tests/php/test-amp-style-sanitizer.php +++ b/tests/php/test-amp-style-sanitizer.php @@ -19,7 +19,6 @@ use AmpProject\Exception\FailedToGetFromRemoteUrl; use AmpProject\AmpWP\Tests\TestCase; use AmpProject\AmpWP\ValidationExemption; -use SebastianBergmann\Environment\Console; /** * Test AMP_Style_Sanitizer. From 6c23c46349beaa49d2a147065ea1da8c56752ca7 Mon Sep 17 00:00:00 2001 From: thelovekesh Date: Thu, 26 Jan 2023 20:25:50 +0530 Subject: [PATCH 4/4] Add pre_http_request filter to avoid external http request in tests --- tests/php/test-amp-style-sanitizer.php | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/tests/php/test-amp-style-sanitizer.php b/tests/php/test-amp-style-sanitizer.php index 66807bbdba8..fade834bfd0 100644 --- a/tests/php/test-amp-style-sanitizer.php +++ b/tests/php/test-amp-style-sanitizer.php @@ -955,7 +955,21 @@ public function test_get_stylesheet_from_url_bad_url() { $sanitizer = new AMP_Style_Sanitizer( $dom, [] ); - $css_url = 'https://example.com/style.css'; + $css_url = 'https://example.com/style.css'; + + add_filter( + 'pre_http_request', + static function( $preempt, $request, $url ) use ( $css_url ) { + if ( $css_url === $url ) { + return new WP_Error( 'http_request_failed', 'Failed to fetch URL.' ); + } + + return $preempt; + }, + 10, + 3 + ); + $stylesheet = $this->call_private_method( $sanitizer, 'get_stylesheet_from_url', [ $css_url ] ); $this->assertTrue( is_wp_error( $stylesheet ) );
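Review bot: The `pre_http_request` callback added in patch 4 short-circuits only the one `$css_url` and returns `$preempt` for every other URL, so the two later `get_stylesheet_from_url` calls in this test can still reach the network if local file resolution ever fails. Failing closed is the safer default in a test: return `new WP_Error( 'http_request_failed', 'Failed to fetch URL.' )` for every request, so an unexpected outbound fetch shows up as a test failure rather than a live request. Nothing in the hunk removes the filter afterwards; confirm that the base `TestCase` restores hooks between tests, or pair it with `remove_all_filters( 'pre_http_request' );` at the end of the method. The test method continues outside the hunk.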