Merge pull request #29 from matomo-org/harden-url-check

Adds code to harden URL check, disallow ips

Author: AltamashShaikh

.gitignore

@@ -0,0 +1 @@
+.codex

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Changelog
 
+5.0.6 - 2025-04-27
+- Added code to harden the URL check for Microsoft Teams
+
 5.0.5 - 2026-03-30
 - Fixed exception when module, action and idsite is not defined when setting js variables
 

MicrosoftTeams.php

@@ -175,7 +175,7 @@ public function validateReportParameters(&$parameters, $reportType)
             throw new \Exception(Piwik::translate('MicrosoftTeams_IncomingWebhookRequiredErrorMessage'));
         } elseif (!UrlHelper::isLookLikeUrl($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER])) {
             throw new \Exception(Piwik::translate('MicrosoftTeams_IncomingWebhookInvalidErrorMessage'));
-        } elseif (filter_var(parse_url($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER], PHP_URL_HOST), FILTER_VALIDATE_IP)) {
+        } elseif ($this->isIpHost(parse_url($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER], PHP_URL_HOST))) {
             throw new \Exception(Piwik::translate('MicrosoftTeams_IncomingWebhookInvalidErrorMessage'));
         }
 
@@ -410,14 +410,25 @@ public function validateCustomAlertReportParameters($parameters, $alertMedium)
                 throw new \Exception(Piwik::translate('MicrosoftTeams_IncomingWebhookRequiredErrorMessage'));
             } elseif (!UrlHelper::isLookLikeUrl($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER])) {
                 throw new \Exception(Piwik::translate('MicrosoftTeams_IncomingWebhookInvalidErrorMessage'));
-            } elseif (filter_var(parse_url($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER], PHP_URL_HOST), FILTER_VALIDATE_IP)) {
+            } elseif ($this->isIpHost(parse_url($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER], PHP_URL_HOST))) {
                 throw new \Exception(Piwik::translate('MicrosoftTeams_IncomingWebhookInvalidErrorMessage'));
             }
 
             $parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER] = htmlspecialchars_decode($parameters[self::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER]);
         }
     }
 
+    private function isIpHost(?string $host): bool
+    {
+        if (empty($host)) {
+            return false;
+        }
+
+        $host = trim($host, '[]');
+
+        return filter_var($host, FILTER_VALIDATE_IP) !== false || ctype_digit($host);
+    }
+
     /**
      *
      * Code to send CustomAlerts via MicrosoftTeams

plugin.json

@@ -1,7 +1,7 @@
 {
     "name": "MicrosoftTeams",
     "description": "Send Matomo reports and alerts to Microsoft Team channels, keeping your team informed and ready to act in real time.",
-    "version": "5.0.5",
+    "version": "5.0.6",
     "theme": false,
     "require": {
         "matomo": ">=5.7.0-alpha,<6.0.0-b1"

tests/Integration/CustomAlertsApiTest.php

@@ -57,6 +57,13 @@ public function testAddAlertShouldThrowExceptionIfInvalidMicrosoftTeamsWebhookUr
         $this->addAlert('webhookURL');
     }
 
+    public function testAddAlertShouldThrowExceptionIfMicrosoftTeamsWebhookUrlUsesIntegerLoopbackAlias()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('MicrosoftTeams_IncomingWebhookInvalidErrorMessage');
+        $this->addAlert('http://2130706433:18081/hook');
+    }
+
     public function testAddAlertSuccess()
     {
         $id = $this->addAlert($msTeamsWebhookUrl = 'https://webhook.microsft.com/webhook');
@@ -82,6 +89,14 @@ public function testUpdateAlertShouldThrowExceptionIfInvalidMicrosoftTeamsWebhoo
         $this->updateAlert($idAlert, 'webhookURL');
     }
 
+    public function testUpdateAlertShouldThrowExceptionIfMicrosoftTeamsWebhookUrlUsesIntegerLoopbackAlias()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('MicrosoftTeams_IncomingWebhookInvalidErrorMessage');
+        $idAlert = $this->addAlert('https://webhook.microsft.com/webhook');
+        $this->updateAlert($idAlert, 'http://2130706433:18081/hook');
+    }
+
     public function testUpdateAlertSuccess()
     {
         $idAlert = $this->addAlert($msTeamsWebhookUrl = 'https://webhook.microsft.com/webhook');

tests/Integration/MicrosoftTeamsTest.php

@@ -164,6 +164,30 @@ public function testValidateReportParametersShouldThrowMicrosoftTeamsWebhookUrlE
         Piwik::postEvent('ScheduledReports.validateReportParameters', [&$parameters, 'teams']);
     }
 
+    public function testValidateReportParametersShouldThrowMicrosoftTeamsWebhookUrlExceptionForIntegerLoopbackAlias()
+    {
+        $this->setRequiredFields();
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('MicrosoftTeams_IncomingWebhookInvalidErrorMessage');
+        $parameters = [ScheduledReports::DISPLAY_FORMAT_PARAMETER => ScheduledReports::DISPLAY_FORMAT_GRAPHS_ONLY, MicrosoftTeams::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER => 'http://2130706433:18081/hook'];
+        Piwik::postEvent('ScheduledReports.validateReportParameters', [&$parameters, 'teams']);
+    }
+
+    /**
+     * @dataProvider provideWebhookUrlsWithIpHosts
+     */
+    public function testValidateReportParametersShouldThrowMicrosoftTeamsWebhookUrlExceptionForIpHosts($webhookUrl)
+    {
+        $this->setRequiredFields();
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('MicrosoftTeams_IncomingWebhookInvalidErrorMessage');
+        $parameters = [
+            ScheduledReports::DISPLAY_FORMAT_PARAMETER => ScheduledReports::DISPLAY_FORMAT_GRAPHS_ONLY,
+            MicrosoftTeams::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER => $webhookUrl,
+        ];
+        Piwik::postEvent('ScheduledReports.validateReportParameters', [&$parameters, 'teams']);
+    }
+
     public function testValidateCustomAlertReportParametersShouldThrowMicrosoftTeamsWebhookUrInvalidException()
     {
         $this->setRequiredFields();
@@ -200,6 +224,27 @@ public function testValidateCustomAlertReportParametersShouldThrowMicrosoftTeams
         Piwik::postEvent('CustomAlerts.validateReportParameters', [$parameters, 'teams']);
     }
 
+    public function testValidateCustomAlertReportParametersShouldThrowMicrosoftTeamsWebhookUrlExceptionForIntegerLoopbackAlias()
+    {
+        $this->setRequiredFields();
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('MicrosoftTeams_IncomingWebhookInvalidErrorMessage');
+        $parameters = [MicrosoftTeams::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER => 'http://2130706433:18081/hook'];
+        Piwik::postEvent('CustomAlerts.validateReportParameters', [$parameters, 'teams']);
+    }
+
+    /**
+     * @dataProvider provideWebhookUrlsWithIpHosts
+     */
+    public function testValidateCustomAlertReportParametersShouldThrowMicrosoftTeamsWebhookUrlExceptionForIpHosts($webhookUrl)
+    {
+        $this->setRequiredFields();
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('MicrosoftTeams_IncomingWebhookInvalidErrorMessage');
+        $parameters = [MicrosoftTeams::MS_TEAMS_INCOMING_WEBHOOK_URL_PARAMETER => $webhookUrl];
+        Piwik::postEvent('CustomAlerts.validateReportParameters', [$parameters, 'teams']);
+    }
+
     public function testValidateReportParametersMicrosoftTeamsShouldNotThrowAnyException()
     {
         $this->setRequiredFields();
@@ -224,6 +269,15 @@ public function testValidateReportParametersMicrosoftTeamsShouldNotThrowAnyExcep
         $this->assertNotEmpty($parameters);
     }
 
+    public function provideWebhookUrlsWithIpHosts()
+    {
+        return [
+            'ipv4' => ['https://8.8.8.8/hook'],
+            'ipv4' => ['https://10.6.4.2'],
+            'ipv6' => ['https://[2001:4860:4860::8888]/hook'],
+        ];
+    }
+
     private function assertHasReport($login, $idSite)
     {
         $report = $this->getReport($login, $idSite);