From 1d71996f83c9a5a7807331b8986ac890352b7a0c Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Wed, 23 Feb 2022 19:31:24 +0100
Subject: [PATCH] Fix E_NOTICE when requesting invalid script (#449)

It is possible to trigger an exception by requesting an invalid script path. The following URL path leads to XSS on the exception page, showing two nice popups:

http://myapp/_ignition/scripts/-->

The exception is:

ErrorException
Undefined index: -->
Illuminate\Foundation\Bootstrap\HandleExceptions::handleError
vendor/facade/ignition/src/Http/Controllers/ScriptController.php:14

This happens with facade/ignition 1.18.0 (the last with laravel 6 support) and should be fixed there. The error probably also occurs in all later versions.
---
 src/Http/Controllers/ScriptController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/Http/Controllers/ScriptController.php b/src/Http/Controllers/ScriptController.php
index ccb70fef..aced6ce9 100644
--- a/src/Http/Controllers/ScriptController.php
+++ b/src/Http/Controllers/ScriptController.php
@@ -9,6 +9,9 @@ class ScriptController
 {
 public function __invoke(Request $request)
 {
+ if (!isset(Ignition::scripts()[$request->script])) {
+ abort(404, 'Script not found');
+ }
 return response(
 file_get_contents(
 Ignition::scripts()[$request->script]
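Review bot: `Ignition::scripts()` is now evaluated twice in `__invoke`, once inside the new `isset` guard and again on the following context line to fetch the path; resolving it once into a local keeps the check and the lookup on the same array: `$scripts = Ignition::scripts();` / `if (!isset($scripts[$request->script])) { abort(404, 'Script not found'); }` and then pass `$scripts[$request->script]` to `file_get_contents`. The guard itself is the right fix: rejecting an unknown `script` key before the array access means the request-controlled value no longer reaches the exception page, which is where the commit message says the reflected markup was rendered. A registered script whose file is missing or unreadable would still make `file_get_contents` return `false` here; what happens to that result is outside the hunk, so it is worth confirming the caller does not emit it as a 200. The body of `__invoke` continues past the end of the hunk.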