fix: validates custom provided policies (#3254)

* fix: validates custom provided policies

Validates any customer provided json policy document for CloudFront\Signer.php to avoid any non allowed symbols.

* chore: add changelog entry

Author: yenfryherrerafeliz

.changes/nextrelease/fix-validates-custom-policy.json

@@ -0,0 +1,7 @@
+[
+    {
+        "type": "enhancement",
+        "category": "",
+        "description": "Add a validation for custom policies to make sure the property `Resource` has not a non allowed character."
+    }
+]

src/CloudFront/Signer.php

@@ -81,6 +81,7 @@ public function getSignature($resource = null, $expires = null, $policy = null)
         $signatureHash = [];
         if ($policy) {
             $policy = preg_replace('/\s/s', '', $policy);
+            self::validatePolicy($policy);
             $signatureHash['Policy'] = $this->encode($policy);
         } elseif ($resource && $expires) {
             $expires = (int) $expires; // Handle epoch passed as string
@@ -136,4 +137,35 @@ private function encode($policy)
     {
         return strtr(base64_encode($policy), '+=/', '-_~');
     }
+
+    /**
+     * Validates a customer provided json document.
+     *
+     * @param string $jsonPolicy
+     *
+     * @return void
+     */
+    private static function validatePolicy(string $jsonPolicy): void
+    {
+        $policy = json_decode($jsonPolicy, true);
+        foreach ($policy['Statement'] ?? [] as $statement) {
+            if (isset($statement['Resource'])) {
+                self::validateResourceUrl($statement['Resource']);
+            }
+        }
+    }
+
+    /**
+     * @param string $url
+     *
+     * @return void
+     */
+    private static function validateResourceUrl(string $url): void
+    {
+        if (preg_match('/["\\\\\x00-\x1F]/', $url)) {
+            throw new \InvalidArgumentException(
+                'URL contains invalid characters: ", \\, or control characters'
+            );
+        }
+    }
 }

tests/CloudFront/SignerTest.php

@@ -173,6 +173,34 @@ public function cannedPolicyParameterProvider()
         ];
     }
 
+    /**
+     * @dataProvider invalidResourceUrlProvider
+     */
+    public function testValidatesCustomPolicy(string $resourceUrl)
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('URL contains invalid characters: ", \\, or control characters');
+        $policy = json_encode([
+            'Statement' => [
+                ['Resource' => $resourceUrl]
+            ]
+        ], JSON_UNESCAPED_SLASHES);
+        $this->instance->getSignature(null, null, $policy);
+    }
+
+    public static function invalidResourceUrlProvider(): array
+    {
+        return [
+            'json_injection' => ["https://example.com/file\",\"Resource\":\"*\",\"x\":\""],
+            'double_quote' => ['test"invalid.mp4'],
+            'backslash' => ['test\\invalid.mp4'],
+            'newline' => ["test\ninvalid.mp4"],
+            'carriage_return' => ["test\rinvalid.mp4"],
+            'null_byte' => ["test\x00invalid.mp4"],
+            'tab' => ["test\tinvalid.mp4"],
+        ];
+    }
+
     private function getCustomPolicy()
     {
         return json_encode([