Merge pull request #35 from ADmad/allowed-params

Add "allowedParams" config.

Author: ADmad

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-version: ['7.2', '7.4', '8.0']
+        php-version: ['7.4', '8.0', '8.1']
         composer-opts: ['']
         include:
           - php-version: '7.2'
@@ -38,7 +38,7 @@ jobs:
 
     - name: Code Coverage Report
       if: matrix.php-version == '7.4'
-      uses: codecov/codecov-action@v1
+      uses: codecov/codecov-action@v2
 
   cs-stan:
       name: Coding Standard & Static Analysis
@@ -53,7 +53,7 @@ jobs:
           php-version: '7.4'
           extensions: mbstring, intl
           coverage: none
-          tools: cs2pr, psalm:^4.8
+          tools: cs2pr, vimeo/psalm:^4
 
       - name: Composer Install
         run: composer require cakephp/cakephp-codesniffer:^4.5

README.md

@@ -77,7 +77,12 @@ $routes->scope('/images', function ($routes) {
         // Any response headers you may want to set. Default null.
         'headers' => [
             'X-Custom' => 'some-value',
-        ]
+        ],
+
+        // Allowed query string params. If for e.g. you are only using glide presets
+        // then you can set allowed params as `['p']` to prevent users from using
+        // any other image manipulation params.
+        'allowedParams' => null
     ]));
 
     $routes->applyMiddleware('glide');

psalm.xml

@@ -1,6 +1,7 @@
 <?xml version="1.0"?>
 <psalm
-    totallyTyped="false"
+    errorLevel="2"
+    resolveFromConfigFile="true"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
     xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
@@ -11,15 +12,4 @@
             <directory name="vendor" />
         </ignoreFiles>
     </projectFiles>
-
-    <issueHandlers>
-        <MissingClosureReturnType errorLevel="info" />
-
-        <PropertyNotSetInConstructor errorLevel="info" />
-        <MissingConstructor errorLevel="info" />
-        <MissingClosureParamType errorLevel="info" />
-
-        <DocblockTypeContradiction errorLevel="info" />
-        <RedundantConditionGivenDocblockType errorLevel="info" />
-    </issueHandlers>
 </psalm>

src/Middleware/GlideMiddleware.php

@@ -47,6 +47,7 @@ class GlideMiddleware implements MiddlewareInterface, EventDispatcherInterface
             'signKey' => null,
         ],
         'headers' => null,
+        'allowedParams' => null,
         'originalPassThrough' => false,
     ];
 
@@ -210,6 +211,10 @@ protected function _checkModified(ServerRequestInterface $request, Server $serve
     protected function _getResponse(ServerRequestInterface $request, Server $server): ?ResponseInterface
     {
         $queryParams = $request->getQueryParams();
+        $allowedParams = $this->getConfig('allowedParams');
+        if ($allowedParams) {
+            $queryParams = array_intersect_key($queryParams, array_flip($allowedParams));
+        }
 
         if (
             (empty($queryParams)
@@ -233,7 +238,7 @@ protected function _getResponse(ServerRequestInterface $request, Server $server)
         }
 
         try {
-            $response = $server->getImageResponse($this->_path, $request->getQueryParams());
+            $response = $server->getImageResponse($this->_path, $queryParams);
         } catch (Exception $exception) {
             return $this->_handleException($request, $exception);
         }

src/Response/PsrResponseFactory.php

@@ -6,6 +6,7 @@
 use ADmad\Glide\Exception\ResponseException;
 use Cake\Http\Response;
 use Laminas\Diactoros\Stream;
+use League\Flysystem\FilesystemException;
 use League\Flysystem\FilesystemOperator;
 use League\Glide\Responses\ResponseFactoryInterface;
 
@@ -20,10 +21,12 @@ class PsrResponseFactory implements ResponseFactoryInterface
      */
     public function create(FilesystemOperator $cache, $path)
     {
-        $resource = $cache->readStream($path);
-        if ($resource === false) {
-            throw new ResponseException();
+        try {
+            $resource = $cache->readStream($path);
+        } catch (FilesystemException $e) {
+            throw new ResponseException(null, null, $e);
         }
+
         $stream = new Stream($resource);
 
         $contentType = $cache->mimeType($path);

src/View/Helper/GlideHelper.php

@@ -31,7 +31,7 @@ class GlideHelper extends Helper
      * - `signKey`: Signing key to use when generating secure URLs. If empty
      *   value of `Security::salt()` will be used. Default `null`.
      *
-     * @var array
+     * @var array<string, mixed>
      */
     protected $_defaultConfig = [
         'baseUrl' => '/images/',

tests/TestCase/Middleware/GlideMiddlewareTest.php

@@ -29,9 +29,10 @@ public function setUp(): void
             ],
         ];
 
-        $this->request = ServerRequestFactory::fromGlobals([
-            'REQUEST_URI' => '/images/cake-logo.png?w=100',
-        ]);
+        $this->request = ServerRequestFactory::fromGlobals(
+            ['REQUEST_URI' => '/images/cake-logo.png'],
+            ['w' => '100']
+        );
         $this->handler = new TestRequestHandler();
 
         Security::setSalt('salt');
@@ -66,6 +67,24 @@ public function testServerCallable()
         $this->assertTrue(is_dir(TMP . 'cache/cake-logo.png'));
     }
 
+    public function testAllowedParams()
+    {
+        $this->config['allowedParams'] = ['w'];
+        $middleware = new GlideMiddleware($this->config);
+        $middleware->process($this->request, $this->handler);
+
+        $request = ServerRequestFactory::fromGlobals(
+            ['REQUEST_URI' => '/images/cake-logo.png'],
+            ['w' => '100', 'foo' => 'bar']
+        );
+
+        $middleware = new GlideMiddleware($this->config);
+        $middleware->process($request, $this->handler);
+
+        $files = glob(TMP . 'cache/cake-logo.png/*');
+        $this->assertSame(1, count($files));
+    }
+
     public function testOriginalPassThrough()
     {
         $fileSize = filesize(PLUGIN_ROOT . '/test_app/webroot/upload/cake-logo.png');
@@ -139,10 +158,13 @@ public function testCache()
         $this->assertTrue(isset($headers['Last-Modified']));
         $this->assertTrue(isset($headers['Expires']));
 
-        $request = ServerRequestFactory::fromGlobals([
-            'REQUEST_URI' => '/images/cake-logo.png?w=100',
-            'HTTP_IF_MODIFIED_SINCE' => $headers['Last-Modified'][0],
-        ]);
+        $request = ServerRequestFactory::fromGlobals(
+            [
+                'REQUEST_URI' => '/images/cake-logo.png',
+                'HTTP_IF_MODIFIED_SINCE' => $headers['Last-Modified'][0],
+            ],
+            ['w' => '100']
+        );
 
         $middleware = new GlideMiddleware($this->config);
         $response = $middleware->process($request, $this->handler);