rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/tests/Unit/ValidateFilenameSafeTest.php

139 lines
4.8 KiB
PHP
Raw Normal View History

fix(database): tighten Postgres init script filename handling Validate new init-script filenames against path traversal and shell metacharacters via a new validateFilenameSafe() helper, and harden the write/delete paths with basename() + escapeshellarg() so legacy rows still deploy and can be cleaned up without regressions. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 19:26:34 +00:00
<?php
test('allows plain filenames without special characters', function () {
$validNames = [
'init.sql',
'01_schema.sql',
'setup-db.sql',
'create_test_db.sql',
'init-script.sh',
'UPPERCASE.SQL',
'mixed_Case-File.sql',
'file123.sql',
'a',
];
foreach ($validNames as $name) {
expect(fn () => validateFilenameSafe($name, 'init script filename'))
->not->toThrow(Exception::class, "Expected '{$name}' to pass");
}
});
test('rejects path traversal with ../', function () {
expect(fn () => validateFilenameSafe('../../../etc/cron.d/pwn', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects path traversal with .. alone', function () {
expect(fn () => validateFilenameSafe('..', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects path traversal embedded in filename', function () {
expect(fn () => validateFilenameSafe('foo..bar', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects forward slash directory separator', function () {
expect(fn () => validateFilenameSafe('foo/bar.sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects backslash directory separator', function () {
expect(fn () => validateFilenameSafe('foo\\bar.sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects absolute path starting with slash', function () {
expect(fn () => validateFilenameSafe('/etc/passwd', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects absolute Windows-style path', function () {
expect(fn () => validateFilenameSafe('C:\\Windows\\System32\\cmd.exe', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects null byte injection', function () {
expect(fn () => validateFilenameSafe("init.sql\0../../etc/passwd", 'init script filename'))
->toThrow(Exception::class);
});
test('rejects shell command substitution (inherits from validateShellSafePath)', function () {
expect(fn () => validateFilenameSafe('$(whoami).sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects backtick command substitution', function () {
expect(fn () => validateFilenameSafe('`id`.sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects semicolon command separator', function () {
expect(fn () => validateFilenameSafe('init.sql;rm -rf /', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects pipe operator', function () {
expect(fn () => validateFilenameSafe('init.sql|whoami', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects redirect operators', function () {
expect(fn () => validateFilenameSafe('init.sql>/etc/passwd', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects mixed traversal and shell injection', function () {
expect(fn () => validateFilenameSafe('../etc/cron.d/$(id)', 'init script filename'))
->toThrow(Exception::class);
});
test('error message contains context string', function () {
try {
validateFilenameSafe('../evil', 'init script filename');
expect(false)->toBeTrue('Should have thrown');
} catch (Exception $e) {
expect($e->getMessage())->toContain('init script filename');
}
});
test('handles empty string without throwing', function () {
expect(fn () => validateFilenameSafe('', 'init script filename'))
->not->toThrow(Exception::class);
});
test('rejects whitespace inside filename (would split into extra tee arg)', function () {
expect(fn () => validateFilenameSafe('foo bar.sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects glob wildcards', function () {
expect(fn () => validateFilenameSafe('init*.sql', 'init script filename'))
->toThrow(Exception::class);
expect(fn () => validateFilenameSafe('init?.sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects glob character class brackets', function () {
expect(fn () => validateFilenameSafe('init[abc].sql', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects tilde expansion', function () {
expect(fn () => validateFilenameSafe('~/evil.sql', 'init script filename'))
->toThrow(Exception::class);
expect(fn () => validateFilenameSafe('~root', 'init script filename'))
->toThrow(Exception::class);
});
test('rejects single and double quotes', function () {
expect(fn () => validateFilenameSafe("foo'bar.sql", 'init script filename'))
->toThrow(Exception::class);
expect(fn () => validateFilenameSafe('foo"bar.sql', 'init script filename'))
->toThrow(Exception::class);
});
Reference in a new issue Copy permalink