enable tests to pass

The path is only optional when it is / and the very last element, otherwise it is required. As soon as it is in the middle of a URL it helps the parser to identify which part is the username and domain and what is path and GET parameters. The @ sign is legitimate, if unusual, in the latter two.

.devcontainer/postCreateCommand.sh

@@ -8,8 +8,8 @@ ln -s ./conf.sample.php cfg/conf.php
 composer install --no-dev --optimize-autoloader
 
 # for PHP unit testing
-composer require google/cloud-storage
-composer install --optimize-autoloader
+# composer require google/cloud-storage
+# composer install --optimize-autoloader
 
 sudo chmod a+x "$(pwd)" && sudo rm -rf /var/www/html && sudo ln -s "$(pwd)" /var/www/html
 

lib/Proxy/AbstractProxy.php

@@ -49,14 +49,14 @@ abstract class AbstractProxy
      */
     public function __construct(Configuration $conf, string $link)
     {
-        if (!filter_var($link, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED & FILTER_FLAG_QUERY_REQUIRED)) {
+        if (!filter_var($link, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED | FILTER_FLAG_QUERY_REQUIRED)) {
             $this->_error = 'Invalid URL given.';
             return;
         }
-        
+
         if (!str_starts_with($link, $conf->getKey('basepath') . '?') ||
             parse_url($link, PHP_URL_HOST) != parse_url($conf->getKey('basepath'), PHP_URL_HOST)
-           ) {
+        ) {
             $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
             return;
         }

tst/YourlsProxyTest.php

@@ -45,28 +45,33 @@ class YourlsProxyTest extends TestCase
         $yourls = new YourlsProxy($this->_conf, 'https://example.com/?foo#bar');
         $this->assertFalse($yourls->isError());
         $this->assertEquals($yourls->getUrl(), 'https://example.com/1');
+
+        $yourls = new YourlsProxy($this->_conf, 'https://example.com/?@foreign.malicious.example?foo#bar');
+        $this->assertFalse($yourls->isError());
+        $this->assertEquals($yourls->getUrl(), 'https://example.com/1');
     }
 
     /**
      * @dataProvider providerInvalidUrl
      */
-    public function testImvalidUrl($uri)
+    public function testImvalidUrl($url): void
     {
-        $yourls = new YourlsProxy($this->_conf, $uri);
+        $yourls = new YourlsProxy($this->_conf, $url);
         $this->assertTrue($yourls->isError());
         $this->assertEquals($yourls->getError(), 'Invalid URL given.');
     }
 
-    public function providerInvalidUrl() {
+    public function providerInvalidUrl(): array
+    {
         return array(
             array(''),
             array(' '),
             array('foo'),
             array('https://'),
-            array('ftp://example.com/?n=np'),
             array('https://example.com'), // missing path and query parameter,
             array('https://example.com/'), // missing query parameter
             array('https://example.com?paste=something'), // missing path parameter
+            array('https://example.com@foreign.malicious.example?foo#bar'), // missing path parameter
         );
     }
 
@@ -74,27 +79,40 @@ class YourlsProxyTest extends TestCase
      * This tests for a trick using username of an URI, see:
      * {@see https://cloud.google.com/blog/topics/threat-intelligence/url-obfuscation-schema-abuse/?hl=en}
      *
-     * @return void
+     * @dataProvider providerForeignUrlUsernameTrick
      */
-    public function testForeignUrlUsingUsernameTrick()
+    public function testForeignUrlUsingUsernameTrick($url): void
     {
-        $yourls = new YourlsProxy($this->_conf, 'https://example.com/@foreign.malicious.example?foo#bar');
+        $yourls = new YourlsProxy($this->_conf, $url);
         $this->assertTrue($yourls->isError());
         $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
     }
 
-    public function testForeignUrl()
+    public function providerForeignUrlUsernameTrick(): array
     {
-        $yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?foo#bar');
+        return array(
+            array('https://example.com@foreign.malicious.example/?foo#bar'),
+            array('https://example.com/@foreign.malicious.example?foo#bar'),
+        );
+    }
+
+    /**
+     * @dataProvider providerForeignUrl
+     */
+    public function testForeignUrl($url): void
+    {
+        $yourls = new YourlsProxy($this->_conf, $url);
         $this->assertTrue($yourls->isError());
         $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
     }
 
-    public function testSneakyForeignUrl()
+    public function providerForeignUrl(): array
     {
-        $yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
-        $this->assertTrue($yourls->isError());
-        $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
+        return array(
+            array('ftp://example.com/?n=np'), // wrong protocol
+            array('https://other.example.com/?foo#bar'), // wrong domain
+            array('https://other.example.com/?q=https://example.com/?foo#bar'), // domain included inside string
+        );
     }
 
     public function testYourlsError()