a05d4e3a4b
Validate new init-script filenames against path traversal and shell metacharacters via a new validateFilenameSafe() helper, and harden the write/delete paths with basename() + escapeshellarg() so legacy rows still deploy and can be cleaned up without regressions. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
138 lines
4.8 KiB
PHP
138 lines
4.8 KiB
PHP
<?php
|
|
|
|
test('allows plain filenames without special characters', function () {
|
|
$validNames = [
|
|
'init.sql',
|
|
'01_schema.sql',
|
|
'setup-db.sql',
|
|
'create_test_db.sql',
|
|
'init-script.sh',
|
|
'UPPERCASE.SQL',
|
|
'mixed_Case-File.sql',
|
|
'file123.sql',
|
|
'a',
|
|
];
|
|
|
|
foreach ($validNames as $name) {
|
|
expect(fn () => validateFilenameSafe($name, 'init script filename'))
|
|
->not->toThrow(Exception::class, "Expected '{$name}' to pass");
|
|
}
|
|
});
|
|
|
|
test('rejects path traversal with ../', function () {
|
|
expect(fn () => validateFilenameSafe('../../../etc/cron.d/pwn', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects path traversal with .. alone', function () {
|
|
expect(fn () => validateFilenameSafe('..', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects path traversal embedded in filename', function () {
|
|
expect(fn () => validateFilenameSafe('foo..bar', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects forward slash directory separator', function () {
|
|
expect(fn () => validateFilenameSafe('foo/bar.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects backslash directory separator', function () {
|
|
expect(fn () => validateFilenameSafe('foo\\bar.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects absolute path starting with slash', function () {
|
|
expect(fn () => validateFilenameSafe('/etc/passwd', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects absolute Windows-style path', function () {
|
|
expect(fn () => validateFilenameSafe('C:\\Windows\\System32\\cmd.exe', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects null byte injection', function () {
|
|
expect(fn () => validateFilenameSafe("init.sql\0../../etc/passwd", 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects shell command substitution (inherits from validateShellSafePath)', function () {
|
|
expect(fn () => validateFilenameSafe('$(whoami).sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects backtick command substitution', function () {
|
|
expect(fn () => validateFilenameSafe('`id`.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects semicolon command separator', function () {
|
|
expect(fn () => validateFilenameSafe('init.sql;rm -rf /', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects pipe operator', function () {
|
|
expect(fn () => validateFilenameSafe('init.sql|whoami', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects redirect operators', function () {
|
|
expect(fn () => validateFilenameSafe('init.sql>/etc/passwd', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects mixed traversal and shell injection', function () {
|
|
expect(fn () => validateFilenameSafe('../etc/cron.d/$(id)', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('error message contains context string', function () {
|
|
try {
|
|
validateFilenameSafe('../evil', 'init script filename');
|
|
expect(false)->toBeTrue('Should have thrown');
|
|
} catch (Exception $e) {
|
|
expect($e->getMessage())->toContain('init script filename');
|
|
}
|
|
});
|
|
|
|
test('handles empty string without throwing', function () {
|
|
expect(fn () => validateFilenameSafe('', 'init script filename'))
|
|
->not->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects whitespace inside filename (would split into extra tee arg)', function () {
|
|
expect(fn () => validateFilenameSafe('foo bar.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects glob wildcards', function () {
|
|
expect(fn () => validateFilenameSafe('init*.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateFilenameSafe('init?.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects glob character class brackets', function () {
|
|
expect(fn () => validateFilenameSafe('init[abc].sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects tilde expansion', function () {
|
|
expect(fn () => validateFilenameSafe('~/evil.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateFilenameSafe('~root', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('rejects single and double quotes', function () {
|
|
expect(fn () => validateFilenameSafe("foo'bar.sql", 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateFilenameSafe('foo"bar.sql', 'init script filename'))
|
|
->toThrow(Exception::class);
|
|
});
|