Security patch

ConductionNL · Nov 2, 2024 · 119c91e · 119c91e
1 parent 02cafe4
commit 119c91e
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lib/Service/DirectoryService.php b/lib/Service/DirectoryService.php
@@ -297,7 +297,6 @@ public function updateListing(array $newListing, array $oldListing): array{
 
 		return $newListing->jsonSerialize();
 	}
-
 	/**
 	 * Synchronize with an external directory
 	 *
@@ -309,6 +308,15 @@ public function updateListing(array $newListing, array $oldListing): array{
 	 */
 	public function syncExternalDirectory(string $url): array
 	{
+		// Check if URL contains 'local' and throw exception if it does
+		if (str_contains(strtolower($url), 'local')) {
+			throw new \Exception('Local URLs are not allowed');
+		}
+		// Validate the URL
+		if (!filter_var($url, FILTER_VALIDATE_URL)) {
+			throw new \InvalidArgumentException('Invalid URL provided');
+		}
+
 		// Get the directory data
 		$result = $this->client->get($url);
 
@@ -428,6 +436,10 @@ public function synchronise(?string $id = null): array
 	 */
 	public function syncPublicationType(string $url): array
 	{
+		// Check if URL contains 'local' and throw exception if it does
+		if (str_contains(strtolower($url), 'local')) {
+			throw new \Exception('Local URLs are not allowed');
+		}
 		// Validate the URL
 		if (!filter_var($url, FILTER_VALIDATE_URL)) {
 			throw new \InvalidArgumentException('Invalid URL provided');