fix: address security review findings
This commit is contained in:
@@ -8,6 +8,7 @@ test('cleanup deletes only expired login urls matching local mail-login state',
|
||||
'timestamp' => 1782810000,
|
||||
'expires' => 1782810030,
|
||||
'correlation' => 'autologin-h4-mxtest-1782810000',
|
||||
'id' => 'HASHURLMATCH',
|
||||
'redirect_path' => '/',
|
||||
'client_ip' => '198.51.100.10',
|
||||
'ip_bound' => 1,
|
||||
@@ -31,5 +32,17 @@ test('cleanup deletes only expired login urls matching local mail-login state',
|
||||
assert_true(mailLoginCleanupShouldDelete($matching, [$state], strtotime('2026-06-30T10:01:00Z')));
|
||||
assert_false(mailLoginCleanupShouldDelete($wrongRedirect, [$state], strtotime('2026-06-30T10:01:00Z')));
|
||||
assert_false(mailLoginCleanupShouldDelete($notExpired, [$state], strtotime('2026-06-30T10:01:00Z')));
|
||||
|
||||
$stateWithoutId = $state;
|
||||
unset($stateWithoutId['id']);
|
||||
assert_false(mailLoginCleanupShouldDelete($matching, [$stateWithoutId], strtotime('2026-06-30T10:01:00Z')));
|
||||
});
|
||||
|
||||
test('cleanup rejects non-https directadmin api base url', function (): void {
|
||||
try {
|
||||
mailLoginCleanupValidateBaseUrl('http://127.0.0.1:2222');
|
||||
throw new RuntimeException('Expected http base URL to fail');
|
||||
} catch (InvalidArgumentException $e) {
|
||||
assert_contains('https', strtolower($e->getMessage()));
|
||||
}
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user