From b7901ae2d82f8299d9adc53bacba3ce5ab11a034 Mon Sep 17 00:00:00 2001
From: Godfrey M <godmartinz@gmail.com>
Date: Wed, 20 Sep 2023 12:54:34 -0700
Subject: [PATCH] dont allow redirects, messaging applied, general webhook
 validation applied

---
 app/Http/Livewire/SlackSettingsForm.php       | 25 +++++++++----------
 .../livewire/slack-settings-form.blade.php    |  8 +++---
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/app/Http/Livewire/SlackSettingsForm.php b/app/Http/Livewire/SlackSettingsForm.php
index 47f0268947..35fa0a097c 100644
--- a/app/Http/Livewire/SlackSettingsForm.php
+++ b/app/Http/Livewire/SlackSettingsForm.php
@@ -12,7 +12,7 @@ class SlackSettingsForm extends Component
     public $webhook_endpoint;
     public $webhook_channel;
     public $webhook_botname;
-    public $isDisabled ='' ;
+    public $isDisabled ='disabled' ;
     public $webhook_name;
     public $webhook_link;
     public $webhook_placeholder;
@@ -26,7 +26,7 @@ class SlackSettingsForm extends Component
 
 
     protected $rules = [
-        'webhook_endpoint'                      => 'url|required_with:webhook_channel|starts_with:http://,https://,ftp://,irc://|nullable',
+        'webhook_endpoint'                      => 'url|required_with:webhook_channel|starts_with:http://,https://,ftp://,irc://,https://hooks.slack.com/services/|nullable',
         'webhook_channel'                       => 'required_with:webhook_endpoint|starts_with:#|nullable',
         'webhook_botname'                       => 'string|nullable',
     ];
@@ -58,9 +58,7 @@ class SlackSettingsForm extends Component
         $this->webhook_botname = $this->setting->webhook_botname;
         $this->webhook_options = $this->setting->webhook_selected;
 
-        if($this->setting->webhook_selected == 'general'){
-            $this->isDisabled='';
-        }
+
         if($this->setting->webhook_endpoint != null && $this->setting->webhook_channel != null){
             $this->isDisabled= '';
         }
@@ -84,7 +82,6 @@ class SlackSettingsForm extends Component
     }
 
     private function isButtonDisabled() {
-        if($this->webhook_selected == 'slack') {
             if (empty($this->webhook_endpoint)) {
                 $this->isDisabled = 'disabled';
                 $this->save_button = trans('admin/settings/general.webhook_presave');
@@ -93,8 +90,6 @@ class SlackSettingsForm extends Component
                 $this->isDisabled = 'disabled';
                 $this->save_button = trans('admin/settings/general.webhook_presave');
             }
-        }
-
     }
 
     public function render()
@@ -110,6 +105,7 @@ class SlackSettingsForm extends Component
             'defaults' => [
                 'exceptions' => false,
             ],
+            'allow_redirects' => false,
         ]);
 
         $payload = json_encode(
@@ -118,18 +114,23 @@ class SlackSettingsForm extends Component
                 'text'       => trans('general.webhook_test_msg', ['app' => $this->webhook_name]),
                 'username'    => e($this->webhook_botname),
                 'icon_emoji' => ':heart:',
+
             ]);
 
         try {
+            $test = $webhook->post($this->webhook_endpoint, ['body' => $payload]);
 
-            $webhook->post($this->webhook_endpoint, ['body' => $payload]);
+            if($test->getStatusCode() == 302){
+                return session()->flash('error' , 'This endpoint returns a redirect. For security reasons, we don’t follow redirects. Please use the actual endpoint');
+            }
             $this->isDisabled='';
             $this->save_button = trans('general.save');
             return session()->flash('success' , 'Your '.$this->webhook_name.' Integration works!');
 
         } catch (\Exception $e) {
 
-            $this->isDisabled= 'disabled';
+            $this->isDisabled='disabled';
+            $this->save_button = trans('admin/settings/general.webhook_presave');
             return session()->flash('error' , trans('admin/settings/message.webhook.error', ['error_message' => $e->getMessage(), 'app' => $this->webhook_name]));
         }
 
@@ -160,9 +161,7 @@ class SlackSettingsForm extends Component
         if (Helper::isDemoMode()) {
             session()->flash('error',trans('general.feature_disabled'));
         } else {
-            if ($this->webhook_selected != 'general') {
-                $this->validate($this->rules);
-            }
+            $this->validate($this->rules);
 
             $this->setting->webhook_selected = $this->webhook_selected;
             $this->setting->webhook_endpoint = $this->webhook_endpoint;
diff --git a/resources/views/livewire/slack-settings-form.blade.php b/resources/views/livewire/slack-settings-form.blade.php
index a3c6ddc0fa..0c67ca067e 100644
--- a/resources/views/livewire/slack-settings-form.blade.php
+++ b/resources/views/livewire/slack-settings-form.blade.php
@@ -79,7 +79,7 @@
                                 {{ Form::label('webhook_endpoint', trans('admin/settings/general.webhook_endpoint',['app' => $webhook_name ])) }}
                             </div>
                             <div class="col-md-9 required">
-                                    <input type="text" wire:model="webhook_endpoint" class="form-control" placeholder="{{$webhook_placeholder}}" value="{{old('webhook_endpoint', $webhook_endpoint)}}"{{ Helper::isDemoMode() ? ' disabled' : ''}}>
+                                    <input type="text" wire:model.lazy="webhook_endpoint" class="form-control" placeholder="{{$webhook_placeholder}}" value="{{old('webhook_endpoint', $webhook_endpoint)}}"{{ Helper::isDemoMode() ? ' disabled' : ''}}>
                                 {!! $errors->first('webhook_endpoint', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
                             </div>
                         </div>
@@ -95,7 +95,7 @@
                                 {{ Form::label('webhook_channel', trans('admin/settings/general.webhook_channel',['app' => $webhook_name ])) }}
                             </div>
                             <div class="col-md-9 required">
-                                    <input type="text" wire:model="webhook_channel" class="form-control" placeholder="#IT-Ops" value="{{ old('webhook_channel', $webhook_channel) }}"{{ Helper::isDemoMode() ? ' disabled' : ''}}>
+                                    <input type="text" wire:model.lazy="webhook_channel" class="form-control" placeholder="#IT-Ops" value="{{ old('webhook_channel', $webhook_channel) }}"{{ Helper::isDemoMode() ? ' disabled' : ''}}>
 
                                 {!! $errors->first('webhook_channel', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
                             </div>
@@ -111,7 +111,7 @@
                                 {{ Form::label('webhook_botname', trans('admin/settings/general.webhook_botname',['app' => $webhook_name ])) }}
                             </div>
                             <div class="col-md-9">
-                                    <input type="text" wire:model="webhook_botname" class='form-control' placeholder="Snipe-Bot" {{ old('webhook_botname', $webhook_botname)}}{{ Helper::isDemoMode() ? ' disabled' : ''}}>
+                                    <input type="text" wire:model.lazy="webhook_botname" class='form-control' placeholder="Snipe-Bot" {{ old('webhook_botname', $webhook_botname)}}{{ Helper::isDemoMode() ? ' disabled' : ''}}>
                                 {!! $errors->first('webhook_botname', '<span class="alert-msg" aria-hidden="true">:message</span>') !!}
                             </div><!--col-md-10-->
                         </div>
@@ -121,7 +121,6 @@
                         @endif
 
                         <!--Webhook Integration Test-->
-                        @if($webhook_selected == 'slack')
                             @if($webhook_endpoint != null && $webhook_channel != null)
                                 <div class="form-group">
                                     <div class="col-md-offset-2 col-md-9">
@@ -138,7 +137,6 @@
                                     </div>
                                 </div>
                             @endif
-                        @endif
                     </div><!-- /.col-md-12 -->
                </div><!-- /.box-body -->