From aeffcc0ae389b865f53275004bb2da58af1ba2bf Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 21 Feb 2024 22:06:25 -0500
Subject: [PATCH] Add form security token check to /babel module

- This prevents basic XSS attacks against /babel
---
 src/Module/Debug/Babel.php | 28 +++++++++++++++-------------
 view/templates/babel.tpl | 3 ++-
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/src/Module/Debug/Babel.php b/src/Module/Debug/Babel.php
index 0b7b1d779e..a67d522961 100644
--- a/src/Module/Debug/Babel.php
+++ b/src/Module/Debug/Babel.php
@@ -43,10 +43,11 @@ class Babel extends BaseModule
 }
 
 $results = [];
- if (!empty($_REQUEST['text'])) {
- switch (($_REQUEST['type'] ?? '') ?: 'bbcode') {
+ if (!empty($request['text'])) {
+ self::checkFormSecurityTokenForbiddenOnError('babel');
+ switch (($request['type'] ?? '') ?: 'bbcode') {
 case 'bbcode':
- $bbcode = $_REQUEST['text'];
+ $bbcode = $request['text'];
 $results[] = [
 'title' => DI::l10n()->t('Source input'),
 'content' => visible_whitespace($bbcode)
@@ -136,7 +137,7 @@ class Babel extends BaseModule
 ];
 break;
 case 'diaspora':
- $diaspora = trim($_REQUEST['text']);
+ $diaspora = trim($request['text']);
 $results[] = [
 'title' => DI::l10n()->t('Source input (Diaspora format)'),
 'content' => visible_whitespace($diaspora),
@@ -144,7 +145,7 @@ class Babel extends BaseModule
 $markdown = XML::unescape($diaspora);
 
 case 'markdown':
- $markdown = $markdown ?? trim($_REQUEST['text']);
+ $markdown = $markdown ?? trim($request['text']);
 
 $results[] = [
 'title' => DI::l10n()->t('Source input (Markdown)'),
@@ -169,7 +170,7 @@ class Babel extends BaseModule
 ];
 break;
 case 'html' :
- $html = trim($_REQUEST['text']);
+ $html = trim($request['text']);
 $results[] = [
 'title' => DI::l10n()->t('Raw HTML input'),
 'content' => visible_whitespace($html),
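Review bot: The added `self::checkFormSecurityTokenForbiddenOnError('babel');` in the hunk at line 43 sits inside `if (!empty($request['text']))`, so only a submission that carries text must present the session-bound token while the bare form stays reachable; that intent is not recorded anywhere and deserves a comment such as `// Submitted text is rendered back into the page, so require the session-bound form token first; the empty form needs none.` The enclosing method and its `$request` parameter begin before this hunk, so it cannot be confirmed here whether `$request` is still populated from `$_REQUEST` (GET and POST alike); if it is, the token is the only thing keeping a crafted link from having the page render attacker-chosen input, and the check must stay ahead of every `case`. The hunks at 136, 144, 169 and 239 are the matching `$_REQUEST` → `$request` substitutions and raise nothing further.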
@@ -239,7 +240,7 @@ class Babel extends BaseModule
 ];
 break;
 case 'twitter':
- $json = trim($_REQUEST['text']);
+ $json = trim($request['text']);
 if (file_exists('addon/twitter/twitter.php')) {
 require_once 'addon/twitter/twitter.php';
@@ -302,13 +303,14 @@ class Babel extends BaseModule
 $tpl = Renderer::getMarkupTemplate('babel.tpl');
 $o = Renderer::replaceMacros($tpl, [
 '$title' => DI::l10n()->t('Babel Diagnostic'),
- '$text' => ['text', DI::l10n()->t('Source text'), $_REQUEST['text'] ?? '', ''],
- '$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'bbcode'],
- '$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'diaspora'],
- '$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'markdown'],
- '$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'html'],
+ '$form_security_token' => self::getFormSecurityToken('babel'),
+ '$text' => ['text', DI::l10n()->t('Source text'), $request['text'] ?? '', ''],
+ '$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($request['type'] ?? '') ?: 'bbcode') == 'bbcode'],
+ '$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($request['type'] ?? '') ?: 'bbcode') == 'diaspora'],
+ '$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($request['type'] ?? '') ?: 'bbcode') == 'markdown'],
+ '$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($request['type'] ?? '') ?: 'bbcode') == 'html'],
 '$flag_twitter' => file_exists('addon/twitter/twitter.php'),
- '$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'twitter'],
+ '$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($request['type'] ?? '') ?: 'bbcode') == 'twitter'],
 '$results' => $results,
 '$submit' => DI::l10n()->t('Submit'),
 ]);
diff --git a/view/templates/babel.tpl b/view/templates/babel.tpl
index 4e8e12d5c2..ee002024b5 100644
--- a/view/templates/babel.tpl
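Review bot: The expression `($request['type'] ?? '') ?: 'bbcode'` is now evaluated five times in this macro array and once more in the `switch` at the top of the method, each time compared with loose `==`; this is a point of style rather than a defect. Computing it once, `$type = ($request['type'] ?? '') ?: 'bbcode';`, before the `switch` (outside this hunk) and writing each entry as `'$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', $type === 'bbcode'],` removes both the duplication and the loose comparison. The method's signature and its `$request` parameter lie outside the hunk.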
+++ b/view/templates/babel.tpl
@@ -1,6 +1,7 @@

{{$title}}

+
{{include file="field_textarea.tpl" field=$text}}
@@ -30,4 +31,4 @@ {{/foreach}}
-{{/if}}
\ No newline at end of file
+{{/if}}