Simplify implementation by removing blockedPatterns

dereuromark · dereuromark · commit 591ec19e8ef3 · 2025-11-20T17:56:15.000+01:00
Address maintainer feedback from @markstory and @ADmad: - Remove blockedPatterns configuration option - Remove pattern-based validation logic - Update documentation to show custom pattern validation in subclass - Remove 2 pattern-based tests (testGetLoginRedirectValidationBlockedPatterns, testGetLoginRedirectValidationCustomPatterns) Result: Simpler, focused implementation covering the core security issues: - Nested redirect detection - Deep encoding detection - URL length limits Custom pattern blocking can still be achieved by overriding validateRedirect(). All tests pass: 310 tests, 920 assertions Code style checks pass
diff --git a/docs/en/redirect-validation.rst b/docs/en/redirect-validation.rst
@@ -66,12 +66,6 @@ maxLength
     Maximum allowed length of the redirect URL in characters. This helps prevent DOS attacks
     via excessively long URLs.
 
-blockedPatterns
-    **Type:** ``array`` | **Default:** ``['#/login#i', '#/logout#i', '#/register#i']``
-
-    Array of regular expressions to match against redirect URLs. Matching URLs will be rejected.
-    This prevents redirects to authentication-related pages that could cause loops.
-
 Example Configuration
 =====================
 
@@ -88,12 +82,6 @@ Here's a complete example with custom configuration:
             'maxDepth' => 1,
             'maxEncodingLevels' => 1,
             'maxLength' => 2000,
-            'blockedPatterns' => [
-                '#/admin#i',       // Block admin areas
-                '#/login#i',       // Block login page
-                '#/logout#i',      // Block logout page
-                '#/register#i',    // Block registration page
-            ],
         ],
     ]);
 
@@ -118,15 +106,14 @@ The validation performs the following checks in order:
 1. **Redirect Depth**: Counts occurrences of ``redirect=`` in the decoded URL
 2. **Encoding Level**: Counts occurrences of ``%25`` (percent-encoded percent sign)
 3. **URL Length**: Checks total character count
-4. **Blocked Patterns**: Matches against configured regex patterns
 
 If any check fails, the URL is rejected.
 
 Custom Validation
 =================
 
 You can extend ``AuthenticationService`` and override the ``validateRedirect()`` method
-to implement custom validation logic:
+to implement custom validation logic, such as blocking specific URL patterns:
 
 .. code-block:: php
 
@@ -146,8 +133,14 @@ to implement custom validation logic:
             }
 
             // Add your custom validation
-            if (str_contains($redirect, 'forbidden')) {
-                return null;  // Reject this URL
+            // Example: Block redirects to authentication pages
+            if (preg_match('#/(login|logout|register)#i', $redirect)) {
+                return null;
+            }
+
+            // Example: Block redirects to admin areas
+            if (str_contains($redirect, '/admin')) {
+                return null;
             }
 
             return $redirect;
diff --git a/src/AuthenticationService.php b/src/AuthenticationService.php
@@ -93,10 +93,6 @@ class AuthenticationService implements AuthenticationServiceInterface, Impersona
      *     'maxDepth' => 1,                // Max nested "redirect=" parameters (default: 1)
      *     'maxEncodingLevels' => 1,       // Max percent-encoding levels (default: 1)
      *     'maxLength' => 2000,            // Max URL length in characters (default: 2000)
-     *     'blockedPatterns' => [          // Regex patterns to reject (default: auth pages)
-     *         '#/login#i',
-     *         '#/logout#i',
-     *     ],
      * ]
      * ```
      *
@@ -126,11 +122,6 @@ class AuthenticationService implements AuthenticationServiceInterface, Impersona
             'maxDepth' => 1,
             'maxEncodingLevels' => 1,
             'maxLength' => 2000,
-            'blockedPatterns' => [
-                '#/login#i',
-                '#/logout#i',
-                '#/register#i',
-            ],
         ],
     ];
 
@@ -526,13 +517,6 @@ protected function validateRedirect(string $redirect): ?string
             return null;
         }
 
-        // Check against blocked patterns
-        foreach ($config['blockedPatterns'] as $pattern) {
-            if (preg_match($pattern, $decodedUrl)) {
-                return null;
-            }
-        }
-
         return $redirect;
     }
 
diff --git a/tests/TestCase/AuthenticationServiceTest.php b/tests/TestCase/AuthenticationServiceTest.php
@@ -1046,53 +1046,6 @@ public function testGetLoginRedirectValidationEncodingLevels()
         $this->assertNull($service->getLoginRedirect($request));
     }
 
-    /**
-     * testGetLoginRedirectValidationBlockedPatterns
-     *
-     * @return void
-     */
-    public function testGetLoginRedirectValidationBlockedPatterns()
-    {
-        $service = new AuthenticationService([
-            'unauthenticatedRedirect' => '/users/login',
-            'queryParam' => 'redirect',
-            'redirectValidation' => [
-                'enabled' => true,
-            ],
-        ]);
-
-        // Redirect to login page (should be blocked)
-        $request = ServerRequestFactory::fromGlobals(
-            ['REQUEST_URI' => '/secrets'],
-            ['redirect' => '/users/login'],
-        );
-        $this->assertNull($service->getLoginRedirect($request));
-
-        // Redirect to logout page (should be blocked)
-        $request = ServerRequestFactory::fromGlobals(
-            ['REQUEST_URI' => '/secrets'],
-            ['redirect' => '/users/logout'],
-        );
-        $this->assertNull($service->getLoginRedirect($request));
-
-        // Redirect to register page (should be blocked)
-        $request = ServerRequestFactory::fromGlobals(
-            ['REQUEST_URI' => '/secrets'],
-            ['redirect' => '/users/register'],
-        );
-        $this->assertNull($service->getLoginRedirect($request));
-
-        // Valid redirect to non-auth page
-        $request = ServerRequestFactory::fromGlobals(
-            ['REQUEST_URI' => '/secrets'],
-            ['redirect' => '/articles/index'],
-        );
-        $this->assertSame(
-            '/articles/index',
-            $service->getLoginRedirect($request),
-        );
-    }
-
     /**
      * testGetLoginRedirectValidationMaxLength
      *
@@ -1128,43 +1081,6 @@ public function testGetLoginRedirectValidationMaxLength()
         $this->assertNull($service->getLoginRedirect($request));
     }
 
-    /**
-     * testGetLoginRedirectValidationCustomPatterns
-     *
-     * @return void
-     */
-    public function testGetLoginRedirectValidationCustomPatterns()
-    {
-        $service = new AuthenticationService([
-            'unauthenticatedRedirect' => '/users/login',
-            'queryParam' => 'redirect',
-            'redirectValidation' => [
-                'enabled' => true,
-                'blockedPatterns' => [
-                    '#/admin#i',
-                    '#/secret#i',
-                ],
-            ],
-        ]);
-
-        // Redirect to admin area (should be blocked by custom pattern)
-        $request = ServerRequestFactory::fromGlobals(
-            ['REQUEST_URI' => '/articles'],
-            ['redirect' => '/admin/dashboard'],
-        );
-        $this->assertNull($service->getLoginRedirect($request));
-
-        // Redirect to normal page (should pass)
-        $request = ServerRequestFactory::fromGlobals(
-            ['REQUEST_URI' => '/articles'],
-            ['redirect' => '/public/articles'],
-        );
-        $this->assertSame(
-            '/public/articles',
-            $service->getLoginRedirect($request),
-        );
-    }
-
     /**
      * testGetLoginRedirectValidationWithQueryParameters
      *
