Adding global middleware

To prevent some XSS attacks, I’d like to add a middleware to my routes.php file in the plugin to clean up any potentially malicious URL such as http://yourapp.dev//combine/a<img%20src%3da%20onerror%3dalert(1)>

I can't find a way to add a middleware for every CMS route, maybe this is the wrong way to do this?

Anyone have any idea, please?


Documentation about Global Middleware.

To add to this:
In OctoberCMS v3 you also have the app directory with a Provider.php file, which I think is a great place for site/installation-wide modifications.

In your case, I’d go for pushing the middleware directly into the kernel in Provider.php, as I’m not sure the CmsController would be hit for a route such as /combine.
I’m not 100% sure about the request lifecycle though, but I think the main difference is that by extending the Cms or Backend controller you can choose which part you want the middleware to apply to, while the kernel middlewares get hit for every request.

Excellent, thanks guys! Working on it with this info.

On a side note, not sure why Laravel is not XSS-attack-proof already…

Adding some more here. The backend.middleware_group and cms.middleware_group configuration files allow you to change the default middleware group for all relevant routes.

/*
|--------------------------------------------------------------------------
| Middleware Group
|--------------------------------------------------------------------------
|
| The name of the middleware group to apply to all CMS application routes.
| You may use this to apply your own middleware definition, or use some
| of the defaults: web, api
|
*/

'middleware_group' => 'web',

I haven’t found a way so far to sanitize those sorts of annoying URLs through the middleware.

I have this so far:

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;

class SanitizeUrl // class name is a placeholder
{
    public function handle(Request $request, Closure $next)
    {
        // Compare the incoming URI with a tag-stripped, URL-filtered copy.
        $userUri = $request->getUri();
        $safeUrl = strip_tags($userUri);
        $safeUrl = filter_var($safeUrl, FILTER_SANITIZE_URL);

        // Any difference means the URI carried characters we refuse to serve.
        if ($safeUrl != $userUri) {
            App::abort(404);
        }

        return $next($request);
    }
}
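As an added example (not code from the thread or from the OctoberCMS project), this combines the two suggestions above: a middleware that refuses request URIs carrying markup characters, pushed onto the HTTP kernel from app/Provider.php so it runs for every request, CMS and backend alike. The class names, the `App` namespace and the `System\Classes\AppBase` parent are assumptions about the v3 app directory layout; the middleware class is kept in the same file only to keep the example short.

```php
<?php
// app/Provider.php (OctoberCMS v3) - constructed example, not from the thread.

namespace App;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Contracts\Http\Kernel;
use System\Classes\AppBase; // assumed base class of the v3 app Provider

// Placeholder name; in a real install put this in its own file/namespace.
class RejectMarkupInUrl
{
    // Characters that let a reflected URL break out into HTML or script
    // (e.g. when a debug error page echoes the request URI). Control
    // characters are included because they are never valid in a URL.
    const DENIED = '/[<>"\'`\x00-\x1f\x7f]/';

    public function handle(Request $request, Closure $next)
    {
        // Decode once so %3C is treated the same as a literal '<'.
        // getRequestUri() includes the query string; switch to
        // getPathInfo() if your app legitimately needs quotes in queries.
        $decoded = rawurldecode($request->getRequestUri());

        if (preg_match(self::DENIED, $decoded) === 1) {
            // Same response the thread used: a plain 404, nothing reflected.
            abort(404);
        }

        return $next($request);
    }
}

class Provider extends AppBase
{
    public function boot()
    {
        parent::boot();

        // Kernel middleware runs for every request, unlike middleware added
        // via CmsController/BackendController, which only covers those routes.
        $this->app[Kernel::class]->pushMiddleware(RejectMarkupInUrl::class);
    }
}
```

Keep APP_DEBUG=false in production regardless: the middleware only narrows what can reach a page that reflects the URL, it does not make such a page safe.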

Setting the APP_DEBUG env var to false will mitigate this potential XSS attack.