authorStefan Giehl <stefan@matomo.org>2022-02-14 19:43:46 +0300
committerGitHub <noreply@github.com>2022-02-14 19:43:46 +0300
commit34e226540e69ab4b6dd82a9024d72782e1ac058a (patch)
treef7297830e03cbf304efe9029390a07787a4094e3 /plugins/Overlay
parent4350dfb18698f54f164a868c0cb6c41ed3a6e67f (diff)
Fix session timeouts in overlay session (#18648)
* Ensure samesite cookie attribute is set correctly for requests coming from overlay session * Don't fetch API.getPagesComparisonsDisabledFor on Overlay page * Check for explicit overlay requests * Adds valid host check * parse referer query * use UrlHelper::getArrayFromQueryString * Adds some tests for Overlay::isOverlayRequest * apply review feedback * built vue files Co-authored-by: sgiehl <sgiehl@users.noreply.github.com>
Diffstat (limited to 'plugins/Overlay')
-rw-r--r--plugins/Overlay/Overlay.php38
-rw-r--r--plugins/Overlay/tests/Unit/OverlayTest.php127
2 files changed, 165 insertions, 0 deletions
diff --git a/plugins/Overlay/Overlay.php b/plugins/Overlay/Overlay.php
index 1828dfaed5..49a389f359 100644
--- a/plugins/Overlay/Overlay.php
+++ b/plugins/Overlay/Overlay.php
@@ -9,6 +9,11 @@
namespace Piwik\Plugins\Overlay;
+use Piwik\Common;
+use Piwik\Piwik;
+use Piwik\Url;
+use Piwik\UrlHelper;
+
class Overlay extends \Piwik\Plugin
{
/**
@@ -37,4 +42,37 @@ class Overlay extends \Piwik\Plugin
$translationKeys[] = 'General_OverlayRowActionTooltipTitle';
$translationKeys[] = 'General_OverlayRowActionTooltip';
}
+
+ /**
+ * Returns if a request belongs to the Overlay page
+ *
+ * Whenever we change the Overlay, or any feature that is available on that page, this list needs to be adjusted
+ * Otherwise it can happen, that the session cookie is sent with samesite=lax, which might break the session in Overlay
+ * See https://github.com/matomo-org/matomo/pull/18648
+ */
+ public static function isOverlayRequest($module, $action, $method, $referer)
+ {
+ $isOverlay = $module == 'Overlay';
+ $referrerUrlQuery = parse_url($referer ?? '', PHP_URL_QUERY);
+ $referrerUrlQueryParams = UrlHelper::getArrayFromQueryString($referrerUrlQuery);
+ $referrerUrlHost = parse_url($referer ?? '', PHP_URL_HOST);
+ $comingFromOverlay = Url::isValidHost($referrerUrlHost) && !empty($referrerUrlQueryParams['module']) && $referrerUrlQueryParams['module'] === 'Overlay';
+ $isPossibleOverlayRequest = (
+ $module === 'Proxy' // JS & CSS requests
+ || ($module === 'API' && 0 === strpos($method, 'Overlay.')) // Overlay API data
+ || ($module === 'CoreHome' && $action === 'getRowEvolutionPopover') // Row evolution
+ || ($module === 'CoreHome' && $action === 'getRowEvolutionGraph') // Row evolution (graph)
+ || ($module === 'CoreHome' && $action === 'saveViewDataTableParameters') // store chart changes (within row evolution & transitions)
+ || $module === 'Annotations' // required to interact with annotations in evolution charts (within row evolution)
+ || ($module === 'Transitions' && $action === 'renderPopover') // Transitions
+ || ($module === 'API' && 0 === strpos($method, 'Transitions.')) // Transitions API data
+ || ($module === 'Live' && $action === 'indexVisitorLog') // Visits Log
+ || ($module === 'Live' && $action === 'getLastVisitsDetails') // Visits Log (pagination)
+ || ($module === 'Live' && $action === 'getVisitorProfilePopup') // Visitor Profile
+ || ($module === 'Live' && $action === 'getVisitList') // Visitor Profile (load more visits)
+ || ($module === 'UserCountryMap' && $action === 'realtimeMap') // Visitor Profile (map)
+ );
+
+ return $isOverlay || ($comingFromOverlay && $isPossibleOverlayRequest);
+ }
}
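Review bot: `$isOverlay = $module == 'Overlay';` on the first line of isOverlayRequest uses loose comparison while every other module/action/method check in the same function uses `===`; since the parameters are untyped (on PHP 7 `0 == 'Overlay'` is true), make it `$isOverlay = $module === 'Overlay';` so the whole predicate has one comparison semantics. The two `0 === strpos($method, …)` checks are only reached when `$module === 'API'`, but `$method` is untyped and strpos(null) is deprecated from PHP 8.1, so `0 === strpos((string) $method, 'Overlay.')` (and the same for `'Transitions.'`) is safer if a caller can pass no method. parse_url() returns false rather than null for a seriously malformed referer, so `$referrerUrlQuery` and `$referrerUrlHost` may be false when handed to UrlHelper::getArrayFromQueryString and Url::isValidHost; whether those helpers tolerate false is not visible here and is worth confirming. Because the referer is client-supplied, the docblock should say that `$comingFromOverlay` only selects which allow-listed requests get Overlay treatment, e.g. `* The referer is client-supplied; the module/action allowlist below is what limits which requests are treated as Overlay requests.`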
diff --git a/plugins/Overlay/tests/Unit/OverlayTest.php b/plugins/Overlay/tests/Unit/OverlayTest.php
new file mode 100644
index 0000000000..0111f98252
--- /dev/null
+++ b/plugins/Overlay/tests/Unit/OverlayTest.php
@@ -0,0 +1,127 @@
+<?php
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ *
+ */
+
+namespace Piwik\Plugins\Overlay\tests\Unit;
+
+use Piwik\Plugins\Overlay\Overlay;
+
+class OverlayTest extends \PHPUnit\Framework\TestCase
+{
+ /**
+ * @dataProvider getOverlayRequestTestData
+ */
+ public function testIsOverlayRequestWithValidReferredRequests($module, $action, $method)
+ {
+ $this->assertSame(true, Overlay::isOverlayRequest($module, $action, $method, 'https://demo.matomo.cloud/index.php?module=Overlay&period=month&date=today&idSite=1'));
+ $this->assertSame(false, Overlay::isOverlayRequest($module, $action, $method, 'https://demo.matomo.org'));
+ }
+
+ public function getOverlayRequestTestData()
+ {
+ return [
+ [ // CSS
+ 'Proxy',
+ 'getCss',
+ '',
+ ],
+ [ // JS
+ 'Proxy',
+ 'getCoreJs',
+ '',
+ ],
+ [ // API request
+ 'API',
+ 'index',
+ 'Overlay.getTranslations',
+ ],
+ [ // API request
+ 'API',
+ 'index',
+ 'Transitions.get',
+ ],
+ [ // Row evolution
+ 'CoreHome',
+ 'getRowEvolutionPopover',
+ '',
+ ],
+ [ // Row evolution
+ 'CoreHome',
+ 'getRowEvolutionGraph',
+ '',
+ ],
+ [
+ 'CoreHome',
+ 'saveViewDataTableParameters',
+ '',
+ ],
+ [
+ 'Transitions',
+ 'renderPopover',
+ '',
+ ],
+ [
+ 'Live',
+ 'indexVisitorLog',
+ '',
+ ],
+ [
+ 'Live',
+ 'getLastVisitsDetails',
+ '',
+ ],
+ [
+ 'Live',
+ 'getVisitorProfilePopup',
+ '',
+ ],
+ [
+ 'Live',
+ 'getVisitList',
+ '',
+ ],
+ [
+ 'UserCountryMap',
+ 'realtimeMap',
+ '',
+ ],
+ ];
+ }
+
+ /**
+ * @dataProvider getInvalidOverlayRequestTestData
+ */
+ public function testIsOverlayRequestWithiNValidReferredRequests($module, $action, $method, $referer)
+ {
+ $this->assertSame(false, Overlay::isOverlayRequest($module, $action, $method, $referer));
+ }
+
+ public function getInvalidOverlayRequestTestData()
+ {
+ return [
+ [ // invalid module / action
+ 'Referer',
+ 'get',
+ '',
+ 'https://demo.matomo.cloud/index.php?module=Overlay&period=month&date=today&idSite=1'
+ ],
+ [ // invalid api method
+ 'API',
+ 'index',
+ 'VisitsSummary.get',
+ 'https://demo.matomo.cloud/index.php?module=Overlay&period=month&date=today&idSite=1'
+ ],
+ [ // invalid referer
+ 'API',
+ 'index',
+ 'Transitions.get',
+ 'https://demo.matomo.cloud/index.php?module=Overlay&module=CoreHome&action=index&period=month&date=today&idSite=1'
+ ],
+ ];
+ }
+} \ No newline at end of file
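Review bot: The method name on the `testIsOverlayRequestWithiNValidReferredRequests` line has a capitalisation slip; rename it to `testIsOverlayRequestWithInvalidReferredRequests`. Neither provider exercises the `$module === 'Overlay'` branch, which the implementation accepts regardless of referer, nor a null referer, which the implementation explicitly guards with `$referer ?? ''`; a dataset such as `['Overlay', 'index', '', null]` expecting true, and `['Proxy', 'getCss', '', null]` expecting false (assuming the URL helpers accept an empty query, which is not visible here), would pin both paths. The multi-line datasets in getInvalidOverlayRequestTestData lack a trailing comma after the referer string before each `],`, which the PER-CS style asks for and which keeps future additions to a one-line diff. The file also ends without a trailing newline.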