better cookie value validation

cappuc · cappuc · commit a00ebf33baea · 2025-04-14T11:13:11.000+02:00
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -0,0 +1,13 @@
+parameters:
+	ignoreErrors:
+		-
+			message: '#^Dead catch \- JsonException is never thrown in the try block\.$#'
+			identifier: catch.neverThrown
+			count: 1
+			path: src/CookieSolution.php
+
+		-
+			message: '#^Parameter \#1 \$view of function view expects view\-string\|null, string given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/CookieSolution.php
diff --git a/src/CookieSolution.php b/src/CookieSolution.php
@@ -3,12 +3,15 @@
 namespace Keepsuit\CookieSolution;
 
 use Carbon\Carbon;
+use DateTimeInterface;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\File;
+use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\HtmlString;
 use Illuminate\Support\Str;
 use Illuminate\Support\Stringable;
+use Illuminate\Validation\ValidationException;
 
 class CookieSolution
 {
@@ -41,22 +44,44 @@ public function status(): CookieSolutionStatus
 
         $json = \Illuminate\Support\Facades\Cookie::get(config('cookie-solution.cookie_name'));
 
-        if ($json === null) {
+        if (! is_string($json)) {
             return $this->status = CookieSolutionStatus::default();
         }
 
         try {
             $value = json_decode($json, true, JSON_THROW_ON_ERROR);
+        } catch (\JsonException) {
+            return $this->status = CookieSolutionStatus::default();
+        }
 
-            if ($this->configDigest() !== ($value['digest'] ?? null)) {
+        try {
+            $validator = Validator::make($value, [
+                'digest' => ['required', 'string'],
+                'timestamp' => ['required', sprintf('date_format:%s', DateTimeInterface::ATOM)],
+                'purposes' => ['required', 'array'],
+                'purposes.*' => ['required', 'boolean'],
+            ]);
+
+            /**
+             * @var array{
+             *    digest: string,
+             *    timestamp: string,
+             *    purposes: array<string, bool>
+             * } $validated
+             */
+            $validated = $validator->validated();
+
+            if ($this->configDigest() !== $validated['digest']) {
                 return $this->status = CookieSolutionStatus::default();
             }
 
             return $this->status = new CookieSolutionStatus(
-                timestamp: Carbon::parse($value['timestamp']),
-                purposes: $value['purposes'],
+                timestamp: Carbon::createFromFormat(DateTimeInterface::ATOM, $validated['timestamp']),
+                purposes: collect($validated['purposes'])
+                    ->filter(fn (bool $active, string $key) => CookiePurpose::tryFrom($key) !== null)
+                    ->all(),
             );
-        } catch (\JsonException $e) {
+        } catch (ValidationException) {
             return $this->status = CookieSolutionStatus::default();
         }
     }
diff --git a/tests/CookieSolutionStatus.php b/tests/CookieSolutionStatus.php
@@ -83,3 +83,53 @@
         ->purposeStatus(CookiePurpose::NECESSARY)->toBeNull()
         ->purposeStatus(CookiePurpose::PREFERENCES)->toBeNull();
 });
+
+it('load default status when config date is malformed', function () {
+    \Spatie\TestTime\TestTime::freeze();
+
+    $request = app('request');
+    assert($request instanceof \Illuminate\Http\Request);
+    $request->cookies->set('laravel_cookie_solution', json_encode([
+        'timestamp' => sprintf('%s<script>alert(1)</script>', now()->subHour()->toIso8601String()),
+        'digest' => CookieSolution::getConfig()['digest'],
+        'purposes' => [
+            'statistics' => true,
+            'marketing' => false,
+        ],
+    ]));
+
+    $status = CookieSolution::status();
+
+    expect($status)
+        ->toBeInstanceOf(CookieSolutionStatus::class)
+        ->timestamp->toIso8601String()->toBe(now()->toIso8601String())
+        ->purposeStatus(CookiePurpose::STATISTICS)->toBeNull()
+        ->purposeStatus(CookiePurpose::MARKETING)->toBeNull()
+        ->purposeStatus(CookiePurpose::NECESSARY)->toBeNull()
+        ->purposeStatus(CookiePurpose::PREFERENCES)->toBeNull();
+});
+
+it('load default status when config purposes are malformed', function () {
+    \Spatie\TestTime\TestTime::freeze();
+
+    $request = app('request');
+    assert($request instanceof \Illuminate\Http\Request);
+    $request->cookies->set('laravel_cookie_solution', json_encode([
+        'timestamp' => now()->subHour()->toIso8601String(),
+        'digest' => CookieSolution::getConfig()['digest'],
+        'purposes' => [
+            'statistics' => true,
+            'marketing' => 'invalid',
+        ],
+    ]));
+
+    $status = CookieSolution::status();
+
+    expect($status)
+        ->toBeInstanceOf(CookieSolutionStatus::class)
+        ->timestamp->toIso8601String()->toBe(now()->toIso8601String())
+        ->purposeStatus(CookiePurpose::STATISTICS)->toBeNull()
+        ->purposeStatus(CookiePurpose::MARKETING)->toBeNull()
+        ->purposeStatus(CookiePurpose::NECESSARY)->toBeNull()
+        ->purposeStatus(CookiePurpose::PREFERENCES)->toBeNull();
+});
