Only allow push notifications via known whitelist of push services

iMattPro · iMattPro · commit 5973913d9971 · 2026-03-24T09:26:12.000-07:00
diff --git a/language/en/webpushnotifications_module_ucp.php b/language/en/webpushnotifications_module_ucp.php
@@ -57,4 +57,5 @@
 	'NOTIFY_WEBPUSH_POPUP_DISABLE_EXPLAIN'	=> 'We show a reminder asking you to allow browser notifications when they are not currently enabled or when we cannot detect them. Turn this off to permanently stop these reminder pop-ups on all your devices. If you turn this off, you will not be warned if your browser notifications stop working in the future.',
 	'NOTIFY_WEBPUSH_POPUP_ENABLER'	=> 'Enable reminders',
 	'NOTIFY_WEBPUSH_POPUP_DISABLER'	=> 'Disable reminders',
+	'WEBPUSH_INVALID_ENDPOINT'		=> 'The push notification endpoint is not from a recognised push service.',
 ]);
diff --git a/language/ru/webpushnotifications_module_ucp.php b/language/ru/webpushnotifications_module_ucp.php
@@ -57,4 +57,5 @@
 	'NOTIFY_WEBPUSH_POPUP_DISABLE_EXPLAIN'	=> 'Мы показываем напоминание с просьбой разрешить уведомления браузера, если они сейчас не включены или если мы не можем их обнаружить. Отключите эту функцию, чтобы навсегда убрать эти напоминания на всех ваших устройствах. Если вы отключите эту функцию, вы больше не будете получать предупреждения, если уведомления браузера перестанут работать в будущем.',
 	'NOTIFY_WEBPUSH_POPUP_ENABLER'	=> 'Включить напоминания',
 	'NOTIFY_WEBPUSH_POPUP_DISABLER'	=> 'Отключить напоминания',
+	'WEBPUSH_INVALID_ENDPOINT'		=> 'Конечная точка push-уведомления не принадлежит известному сервису push-уведомлений.',
 ]);
diff --git a/tests/controller/controller_webpush_test.php b/tests/controller/controller_webpush_test.php
@@ -392,7 +392,7 @@ public function test_sub_unsubscribe_success()
 
 		$symfony_request = $this->createMock(\phpbb\symfony_request::class);
 		$symfony_request->method('get')->willReturn(json_encode([
-			'endpoint' => 'test_endpoint',
+			'endpoint' => 'https://fcm.googleapis.com/fcm/send/test_endpoint',
 			'expiration_time' => 0,
 			'keys' => ['p256dh' => 'test_p256dh', 'auth' => 'test_auth']
 		]));
@@ -404,7 +404,7 @@ public function test_sub_unsubscribe_success()
 
 		$this->assertEquals([
 			'user_id' => '2',
-			'endpoint' => 'test_endpoint',
+			'endpoint' => 'https://fcm.googleapis.com/fcm/send/test_endpoint',
 			'p256dh' => 'test_p256dh',
 			'auth' => 'test_auth',
 			'expiration_time' => '0',
@@ -420,6 +420,77 @@ public function test_sub_unsubscribe_success()
 		$this->assertEmpty($this->get_subscription_data());
 	}
 
+	public function data_subscribe_invalid_endpoint(): array
+	{
+		return [
+			'no_host'				=> ['not_a_url'],
+			'disallowed_host'		=> ['https://evil.example.com/push/endpoint'],
+			'disallowed_subdomain'	=> ['https://evil.fcm.googleapis.com.attacker.com/push'],
+			'empty_string'			=> [''],
+		];
+	}
+
+	/**
+	 * @dataProvider data_subscribe_invalid_endpoint
+	 */
+	public function test_subscribe_invalid_endpoint(string $endpoint): void
+	{
+		$this->form_helper->method('check_form_tokens')->willReturn(true);
+		$this->request->method('is_ajax')->willReturn(true);
+		$this->user->data['user_id'] = 2;
+		$this->user->data['is_bot'] = false;
+		$this->user->data['user_type'] = USER_NORMAL;
+
+		$symfony_request = $this->createMock(\phpbb\symfony_request::class);
+		$symfony_request->method('get')->willReturn(json_encode([
+			'endpoint' => $endpoint,
+			'expiration_time' => 0,
+			'keys' => ['p256dh' => 'test_p256dh', 'auth' => 'test_auth']
+		]));
+
+		$this->expectException(http_exception::class);
+		$this->expectExceptionMessage('WEBPUSH_INVALID_ENDPOINT');
+
+		$this->controller->subscribe($symfony_request);
+	}
+
+	public function data_is_valid_endpoint(): array
+	{
+		return [
+			// Exact whitelist matches
+			['https://android.googleapis.com/gcm/send/test', true],
+			['https://fcm.googleapis.com/fcm/send/test', true],
+			['https://updates.push.services.mozilla.com/push/v1/test', true],
+			['https://updates-autopush.stage.mozaws.net/push/v1/test', true],
+			['https://updates-autopush.dev.mozaws.net/push/v1/test', true],
+			// Wildcard *.notify.windows.com
+			['https://am-0.notify.windows.com/throttledthirdparty/test', true],
+			['https://db5.notify.windows.com/push/test', true],
+			// Wildcard *.push.apple.com
+			['https://api.push.apple.com/3/device/test', true],
+			['https://api.development.push.apple.com/3/device/test', true],
+			// Invalid: disallowed host
+			['https://evil.example.com/push/endpoint', false],
+			// Invalid: subdomain spoofing
+			['https://evil.fcm.googleapis.com.attacker.com/push', false],
+			// Invalid: not a URL
+			['not_a_url', false],
+			// Invalid: bare wildcard domain without subdomain
+			['https://notify.windows.com/push', false],
+			['https://push.apple.com/push', false],
+			// Invalid: empty string
+			['', false],
+		];
+	}
+
+	/**
+	 * @dataProvider data_is_valid_endpoint
+	 */
+	public function test_is_valid_endpoint(string $endpoint, bool $expected): void
+	{
+		$this->assertEquals($expected, $this->controller->is_valid_endpoint($endpoint));
+	}
+
 	public function test_toggle_popup_enable_to_disable()
 	{
 		$this->form_helper->method('check_form_tokens')->willReturn(true);
diff --git a/ucp/controller/webpush.php b/ucp/controller/webpush.php
@@ -36,6 +36,21 @@ class webpush
 	/** @var string UCP form token name */
 	public const FORM_TOKEN_UCP = 'ucp_webpush';
 
+	/** @var array Allowed push service endpoint hosts https://github.com/pushpad/known-push-services */
+	public const PUSH_SERVICE_WHITELIST = [
+		'android.googleapis.com',
+		'fcm.googleapis.com',
+		'updates.push.services.mozilla.com',
+		'updates-autopush.stage.mozaws.net',
+		'updates-autopush.dev.mozaws.net',
+	];
+
+	/** @var array Allowed push service endpoint host wildcard suffixes (e.g. *.notify.windows.com) https://github.com/pushpad/known-push-services */
+	public const PUSH_SERVICE_WILDCARD_SUFFIXES = [
+		'.notify.windows.com',
+		'.push.apple.com',
+	];
+
 	/** @var config */
 	protected $config;
 
@@ -279,6 +294,37 @@ public function worker(): Response
 		return $response;
 	}
 
+	/**
+	 * Check if a push subscription endpoint belongs to an allowed push service
+	 *
+	 * @param string $endpoint The push subscription endpoint URL
+	 * @return bool True if the endpoint host matches a known/allowed push service
+	 */
+	public function is_valid_endpoint(string $endpoint): bool
+	{
+		$host = parse_url($endpoint, PHP_URL_HOST);
+
+		if (empty($host))
+		{
+			return false;
+		}
+
+		if (in_array($host, self::PUSH_SERVICE_WHITELIST, true))
+		{
+			return true;
+		}
+
+		foreach (self::PUSH_SERVICE_WILDCARD_SUFFIXES as $suffix)
+		{
+			if (substr($host, -strlen($suffix)) === $suffix)
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * Check (un)subscribe form for valid link hash
 	 *
@@ -312,6 +358,11 @@ public function subscribe(symfony_request $symfony_request): JsonResponse
 
 		$data = json_sanitizer::decode($symfony_request->get('data', ''));
 
+		if (!$this->is_valid_endpoint($data['endpoint']))
+		{
+			throw new http_exception(Response::HTTP_BAD_REQUEST, 'WEBPUSH_INVALID_ENDPOINT');
+		}
+
 		$sql = 'INSERT INTO ' . $this->push_subscriptions_table . ' ' . $this->db->sql_build_array('INSERT', [
 			'user_id'			=> $this->user->id(),
 			'endpoint'			=> $data['endpoint'],
