Merge branch '5.x' into 6.x

# Conflicts:
#	src/Exceptions/Concerns/RendersControlPanelExceptions.php

Author: jasonvarga

src/Exceptions/Concerns/RendersControlPanelExceptions.php

@@ -6,6 +6,7 @@
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\RedirectResponse;
 use Inertia\Inertia;
+use Statamic\Facades\URL;
 use Statamic\Statamic;
 
 trait RendersControlPanelExceptions
@@ -35,7 +36,7 @@ protected function getAuthExceptionRedirectUrl()
 
         // If we came to this URL from another, we'll send them back, but not
         // if it was the login page otherwise there'd be a redirect loop.
-        if ($referrer && $referrer != cp_route('login')) {
+        if ($referrer && $referrer != cp_route('login') && ! URL::isExternalToApplication($referrer)) {
             return $referrer;
         }
 

src/Exceptions/InvalidRemoteUrlException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Statamic\Exceptions;
+
+class InvalidRemoteUrlException extends \InvalidArgumentException
+{
+}

src/Http/Controllers/FormController.php

@@ -118,7 +118,9 @@ private function formFailure($params, $errors, $form)
 
         $redirect = Arr::get($params, '_error_redirect');
 
-        $response = $redirect ? redirect($redirect) : back();
+        $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
+            ? redirect($redirect)
+            : back();
 
         return $response->withInput()->withErrors($errors, 'form.'.$form);
     }
@@ -146,7 +148,9 @@ private function formSuccess($params, $submission, $silentFailure = false)
             ]);
         }
 
-        $response = $redirect ? redirect($redirect) : back();
+        $response = $redirect && ! \Statamic\Facades\URL::isExternalToApplication($redirect)
+            ? redirect($redirect)
+            : back();
 
         if (! \Statamic\Facades\URL::isExternal($redirect)) {
             session()->flash("form.{$submission->form()->handle()}.success", __('Submission successful.'));

src/Http/Controllers/GlideController.php

@@ -7,6 +7,7 @@
 use League\Glide\Server;
 use League\Glide\Signatures\SignatureException;
 use League\Glide\Signatures\SignatureFactory;
+use Statamic\Exceptions\InvalidRemoteUrlException;
 use Statamic\Exceptions\NotFoundHttpException;
 use Statamic\Facades\Asset;
 use Statamic\Facades\AssetContainer;
@@ -113,6 +114,8 @@ private function generateBy($type, $item)
 
         try {
             return $this->generator->$method($item, $this->request->all());
+        } catch (InvalidRemoteUrlException $e) {
+            abort(400, $e->getMessage());
         } catch (UnableToReadFile $e) {
             throw new NotFoundHttpException;
         }

src/Imaging/GuzzleAdapter.php

@@ -10,6 +10,7 @@
 use League\Flysystem\FileAttributes;
 use League\Flysystem\FilesystemAdapter;
 use League\Flysystem\UnableToReadFile;
+use Statamic\Exceptions\InvalidRemoteUrlException;
 
 class GuzzleAdapter implements FilesystemAdapter
 {
@@ -148,7 +149,9 @@ public function visibility(string $path): FileAttributes
     protected function get($path)
     {
         try {
-            $response = $this->client->get($this->base.$path);
+            $response = $this->client->get($this->base.$path, $this->requestOptions());
+        } catch (InvalidRemoteUrlException $e) {
+            throw $e;
         } catch (BadResponseException $e) {
             return false;
         }
@@ -173,7 +176,7 @@ protected function head($path)
         }
 
         try {
-            $response = $this->client->head($this->base.$path);
+            $response = $this->client->head($this->base.$path, $this->requestOptions());
         } catch (ClientException $e) {
             if ($e->getResponse()->getStatusCode() === 405) {
                 $this->supportsHead = false;
@@ -182,6 +185,8 @@ protected function head($path)
             }
 
             return false;
+        } catch (InvalidRemoteUrlException $e) {
+            throw $e;
         } catch (BadResponseException $e) {
             return false;
         }
@@ -192,4 +197,15 @@ protected function head($path)
 
         return $response;
     }
+
+    protected function requestOptions()
+    {
+        return [
+            'allow_redirects' => [
+                'on_redirect' => function ($request, $response, $uri) {
+                    app(RemoteUrlValidator::class)->validate((string) $uri);
+                },
+            ],
+        ];
+    }
 }

src/Imaging/ImageGenerator.php

@@ -351,12 +351,6 @@ private function guzzleSourceFilesystem($base)
 
     private function parseUrl($url)
     {
-        $parsed = parse_url($url);
-
-        return [
-            'path' => Str::after($parsed['path'], '/'),
-            'base' => $parsed['scheme'].'://'.$parsed['host'],
-            'query' => $parsed['query'] ?? null,
-        ];
+        return app(RemoteUrlValidator::class)->parse($url);
     }
 }

src/Imaging/RemoteUrlValidator.php

@@ -0,0 +1,103 @@
+<?php
+
+namespace Statamic\Imaging;
+
+use Statamic\Exceptions\InvalidRemoteUrlException;
+use Statamic\Support\Str;
+
+class RemoteUrlValidator
+{
+    protected $resolver;
+
+    public function __construct(?callable $resolver = null)
+    {
+        $this->resolver = $resolver ?? fn ($host) => dns_get_record($host, DNS_A + DNS_AAAA) ?: [];
+    }
+
+    public function parse($url)
+    {
+        $parsed = parse_url($url);
+
+        if (! is_array($parsed)) {
+            throw new InvalidRemoteUrlException('Invalid URL.');
+        }
+
+        $scheme = strtolower($parsed['scheme'] ?? '');
+
+        if (! in_array($scheme, ['http', 'https'])) {
+            throw new InvalidRemoteUrlException('Only http and https URLs are allowed.');
+        }
+
+        if (isset($parsed['user']) || isset($parsed['pass'])) {
+            throw new InvalidRemoteUrlException('URLs with credentials are not allowed.');
+        }
+
+        $host = $parsed['host'] ?? null;
+
+        if (! is_string($host) || $host === '') {
+            throw new InvalidRemoteUrlException('URL host is required.');
+        }
+
+        $host = Str::lower(trim($host));
+
+        if ($host !== trim($host, '.')) {
+            throw new InvalidRemoteUrlException('Invalid URL host.');
+        }
+
+        if (! $this->isValidHost($host)) {
+            throw new InvalidRemoteUrlException('Invalid URL host.');
+        }
+
+        $this->ensureHostResolvesToPublicIps($host);
+
+        $port = isset($parsed['port']) ? ':'.$parsed['port'] : '';
+
+        return [
+            'path' => Str::after($parsed['path'] ?? '/', '/'),
+            'base' => $scheme.'://'.$host.$port,
+            'query' => $parsed['query'] ?? null,
+        ];
+    }
+
+    public function validate($url)
+    {
+        $this->parse($url);
+    }
+
+    protected function isValidHost($host)
+    {
+        return filter_var($host, FILTER_VALIDATE_IP)
+            || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
+    }
+
+    protected function ensureHostResolvesToPublicIps($host)
+    {
+        if (filter_var($host, FILTER_VALIDATE_IP)) {
+            $this->assertPublicIp($host);
+
+            return;
+        }
+
+        $records = call_user_func($this->resolver, $host);
+        $ips = collect($records)->flatMap(function ($record) {
+            return [$record['ip'] ?? null, $record['ipv6'] ?? null];
+        })->filter()->values()->all();
+
+        if (empty($ips)) {
+            throw new InvalidRemoteUrlException('Unable to resolve URL host.');
+        }
+
+        foreach ($ips as $ip) {
+            $this->assertPublicIp($ip);
+        }
+    }
+
+    protected function assertPublicIp($ip)
+    {
+        $result = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
+
+        if (! $result) {
+            throw new InvalidRemoteUrlException('Destination IP is not publicly routable.');
+        }
+    }
+}

tests/CP/AuthRedirectTest.php

@@ -68,6 +68,20 @@ public function it_redirects_somewhere_if_the_referrer_was_the_login_page()
             ->assertSessionHas(['error' => "Can't touch this."]);
     }
 
+    #[Test]
+    public function it_does_not_redirect_to_external_referrer()
+    {
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = tap(User::make()->assignRole('test'))->save();
+
+        $this
+            ->actingAs($user)
+            ->withHeaders(['referer' => 'https://external.com'])
+            ->get('/cp/hammertime')
+            ->assertRedirect(cp_route('index'))
+            ->assertSessionHas(['error' => "Can't touch this."]);
+    }
+
     #[Test]
     public function it_redirects_to_unauthorized_view_if_there_would_be_a_redirect_loop()
     {

tests/Imaging/GuzzleAdapterTest.php

@@ -0,0 +1,76 @@
+<?php
+
+namespace Tests\Imaging;
+
+use GuzzleHttp\ClientInterface;
+use GuzzleHttp\Psr7\Request;
+use GuzzleHttp\Psr7\Response;
+use GuzzleHttp\Psr7\Uri;
+use Mockery;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Exceptions\InvalidRemoteUrlException;
+use Statamic\Imaging\GuzzleAdapter;
+use Statamic\Imaging\RemoteUrlValidator;
+use Tests\TestCase;
+
+class GuzzleAdapterTest extends TestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        $this->app->bind(RemoteUrlValidator::class, function () {
+            return new RemoteUrlValidator(function ($host) {
+                return match ($host) {
+                    'example.com' => [['ip' => '93.184.216.34']],
+                    default => [],
+                };
+            });
+        });
+    }
+
+    #[Test]
+    public function it_allows_redirects_when_every_hop_is_public()
+    {
+        $client = Mockery::mock(ClientInterface::class);
+        $client->shouldReceive('get')->once()->andReturnUsing(function ($url, $options) {
+            $this->assertEquals('https://example.com/foo.jpg', $url);
+            $this->assertArrayHasKey('allow_redirects', $options);
+            $this->assertArrayHasKey('on_redirect', $options['allow_redirects']);
+
+            $options['allow_redirects']['on_redirect'](
+                new Request('GET', 'https://example.com/foo.jpg'),
+                new Response(302, ['Location' => 'https://example.com/redirected/foo.jpg']),
+                new Uri('https://example.com/redirected/foo.jpg')
+            );
+
+            return new Response(200, [], 'image-bytes');
+        });
+
+        $adapter = new GuzzleAdapter('https://example.com', $client);
+
+        $this->assertSame('image-bytes', $adapter->read('foo.jpg'));
+    }
+
+    #[Test]
+    public function it_blocks_redirects_to_non_public_destinations()
+    {
+        $client = Mockery::mock(ClientInterface::class);
+        $client->shouldReceive('get')->once()->andReturnUsing(function ($url, $options) {
+            $options['allow_redirects']['on_redirect'](
+                new Request('GET', 'https://example.com/foo.jpg'),
+                new Response(302, ['Location' => 'http://169.254.169.254/latest/meta-data/']),
+                new Uri('http://169.254.169.254/latest/meta-data/')
+            );
+
+            return new Response(200, [], 'should-not-return');
+        });
+
+        $adapter = new GuzzleAdapter('https://example.com', $client);
+
+        $this->expectException(InvalidRemoteUrlException::class);
+        $this->expectExceptionMessage('Destination IP is not publicly routable.');
+
+        $adapter->read('foo.jpg');
+    }
+}

tests/Imaging/ImageGeneratorTest.php

@@ -16,11 +16,13 @@
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Events\GlideImageGenerated;
+use Statamic\Exceptions\InvalidRemoteUrlException;
 use Statamic\Facades\AssetContainer;
 use Statamic\Facades\File;
 use Statamic\Facades\Glide;
 use Statamic\Imaging\GuzzleAdapter;
 use Statamic\Imaging\ImageGenerator;
+use Statamic\Imaging\RemoteUrlValidator;
 use Statamic\Support\Str;
 use Tests\PreventSavingStacheItemsToDisk;
 use Tests\TestCase;
@@ -34,6 +36,16 @@ public function setUp(): void
         parent::setUp();
 
         $this->clearGlideCache();
+
+        $this->app->bind(RemoteUrlValidator::class, function () {
+            return new RemoteUrlValidator(function ($host) {
+                return match ($host) {
+                    'example.com' => [['ip' => '93.184.216.34']],
+                    'internal.test' => [['ip' => '127.0.0.1']],
+                    default => [],
+                };
+            });
+        });
     }
 
     #[Test]
@@ -278,6 +290,24 @@ public function it_generates_an_image_by_external_url_with_query_string()
         Event::assertDispatchedTimes(GlideImageGenerated::class, 1);
     }
 
+    #[Test]
+    public function it_blocks_external_urls_that_target_non_public_ip_ranges()
+    {
+        $this->expectException(InvalidRemoteUrlException::class);
+        $this->expectExceptionMessage('Destination IP is not publicly routable.');
+
+        $this->makeGenerator()->generateByUrl('http://169.254.169.254/latest/meta-data/', ['w' => 100]);
+    }
+
+    #[Test]
+    public function it_blocks_watermark_urls_that_target_non_public_ip_ranges()
+    {
+        $this->expectException(InvalidRemoteUrlException::class);
+        $this->expectExceptionMessage('Destination IP is not publicly routable.');
+
+        $this->makeGenerator()->setParams(['mark' => 'http://127.0.0.1/watermark.png']);
+    }
+
     #[Test]
     public function the_watermark_disk_is_the_public_directory_by_default()
     {