-
Notifications
You must be signed in to change notification settings - Fork 143
Expand file tree
/
Copy pathIntercomClientNextPageTest.php
More file actions
122 lines (97 loc) · 4.32 KB
/
Copy pathIntercomClientNextPageTest.php
File metadata and controls
122 lines (97 loc) · 4.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
<?php
namespace Intercom\Tests\Legacy;
use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;
use Intercom\Legacy\IntercomClient;
use InvalidArgumentException;
use PHPUnit\Framework\TestCase;
use stdClass;
class IntercomClientNextPageTest extends TestCase
{
private IntercomClient $client;
private MockHandler $mockHandler;
protected function setUp(): void
{
$this->mockHandler = new MockHandler();
$handlerStack = HandlerStack::create($this->mockHandler);
$httpClient = new Client(['handler' => $handlerStack]);
$this->client = new IntercomClient('test_token');
$this->client->setHttpClient($httpClient);
}
// Happy path — legitimate https://api.intercom.io URL must be followed with credentials attached.
public function testNextPageFollowsLegitimateUrl(): void
{
$this->mockHandler->append(new Response(200, [], json_encode(['data' => []])));
$pages = new stdClass();
$pages->next = 'https://api.intercom.io/contacts?page=2&per_page=50';
$result = $this->client->nextPage($pages);
$this->assertIsObject($result);
$lastRequest = $this->mockHandler->getLastRequest();
$this->assertNotNull($lastRequest);
$this->assertEquals(
'https://api.intercom.io/contacts?page=2&per_page=50',
(string) $lastRequest->getUri()
);
$this->assertStringStartsWith('Bearer ', $lastRequest->getHeaderLine('Authorization'));
}
// Vulnerability closed — attacker-controlled host must be rejected before any HTTP call.
// If the guard were absent MockHandler would throw OutOfBoundsException (no queued response),
// so receiving InvalidArgumentException proves the check fires first.
public function testNextPageRejectsAttackerControlledHost(): void
{
$pages = new stdClass();
$pages->next = 'https://attacker.com/steal';
$this->expectException(InvalidArgumentException::class);
$this->client->nextPage($pages);
}
// SSRF vector — AWS instance metadata endpoint must be rejected.
public function testNextPageRejectsAwsMetadataServiceUrl(): void
{
$pages = new stdClass();
$pages->next = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';
$this->expectException(InvalidArgumentException::class);
$this->client->nextPage($pages);
}
// Scheme enforcement — http:// to the correct host must still be rejected (no downgrade).
public function testNextPageRejectsPlainHttpEvenForApiIntercomIo(): void
{
$pages = new stdClass();
$pages->next = 'http://api.intercom.io/contacts?page=2';
$this->expectException(InvalidArgumentException::class);
$this->client->nextPage($pages);
}
// EU region — api.eu.intercom.io must be allowed without any configuration.
public function testNextPageAllowsEuRegionalUrl(): void
{
$this->mockHandler->append(new Response(200, [], json_encode(['data' => []])));
$pages = new stdClass();
$pages->next = 'https://api.eu.intercom.io/contacts?page=2&per_page=50';
$result = $this->client->nextPage($pages);
$this->assertIsObject($result);
$lastRequest = $this->mockHandler->getLastRequest();
$this->assertNotNull($lastRequest);
$this->assertEquals(
'https://api.eu.intercom.io/contacts?page=2&per_page=50',
(string) $lastRequest->getUri()
);
}
// AU region — api.au.intercom.io must be allowed without any configuration.
public function testNextPageAllowsAuRegionalUrl(): void
{
$this->mockHandler->append(new Response(200, [], json_encode(['data' => []])));
$pages = new stdClass();
$pages->next = 'https://api.au.intercom.io/contacts?page=2&per_page=50';
$result = $this->client->nextPage($pages);
$this->assertIsObject($result);
}
// Domain suffix bypass — evilintercom.io must not match (requires the dot).
public function testNextPageRejectsDomainThatMerelySuffixesIntercomIo(): void
{
$pages = new stdClass();
$pages->next = 'https://evilintercom.io/steal';
$this->expectException(InvalidArgumentException::class);
$this->client->nextPage($pages);
}
}