rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/tests/Unit/DatabaseBackupSecurityTest.php
Andras Bacsai 99043600ee fix(backup): validate MongoDB collection names in backup input 
Add validateDatabasesBackupInput() helper that properly parses all
database backup formats including MongoDB's "db:col1,col2|db2:col3"
and validates each component individually.

- Validate and escape collection names in DatabaseBackupJob
- Replace comma-only split in BackupEdit with format-aware validation
- Add input validation in API create_backup and update_backup endpoints
- Add unit tests for collection name and multi-format validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-25 16:52:06 +01:00

144 lines
5.3 KiB
PHP
Raw Blame History

<?php
/**
* Database Backup Security Tests
*
* Tests to ensure database backup functionality is protected against
* command injection attacks via malicious database names.
*
* Related Issues: #2 in security_issues.md
* Related Files: app/Jobs/DatabaseBackupJob.php, app/Livewire/Project/Database/BackupEdit.php
*/
test('database backup rejects command injection in database name with command substitution', function () {
expect(fn () => validateShellSafePath('test$(whoami)', 'database name'))
->toThrow(Exception::class);
});
test('database backup rejects command injection with semicolon separator', function () {
expect(fn () => validateShellSafePath('test; rm -rf /', 'database name'))
->toThrow(Exception::class);
});
test('database backup rejects command injection with pipe operator', function () {
expect(fn () => validateShellSafePath('test | cat /etc/passwd', 'database name'))
->toThrow(Exception::class);
});
test('database backup rejects command injection with backticks', function () {
expect(fn () => validateShellSafePath('test`whoami`', 'database name'))
->toThrow(Exception::class);
});
test('database backup rejects command injection with ampersand', function () {
expect(fn () => validateShellSafePath('test & whoami', 'database name'))
->toThrow(Exception::class);
});
test('database backup rejects command injection with redirect operators', function () {
expect(fn () => validateShellSafePath('test > /tmp/pwned', 'database name'))
->toThrow(Exception::class);
expect(fn () => validateShellSafePath('test < /etc/passwd', 'database name'))
->toThrow(Exception::class);
});
test('database backup rejects command injection with newlines', function () {
expect(fn () => validateShellSafePath("test\nrm -rf /", 'database name'))
->toThrow(Exception::class);
});
test('database backup escapes shell arguments properly', function () {
$database = "test'db";
$escaped = escapeshellarg($database);
expect($escaped)->toBe("'test'\\''db'");
});
test('database backup escapes shell arguments with double quotes', function () {
$database = 'test"db';
$escaped = escapeshellarg($database);
expect($escaped)->toBe("'test\"db'");
});
test('database backup escapes shell arguments with spaces', function () {
$database = 'test database';
$escaped = escapeshellarg($database);
expect($escaped)->toBe("'test database'");
});
test('database backup accepts legitimate database names', function () {
expect(fn () => validateShellSafePath('postgres', 'database name'))
->not->toThrow(Exception::class);
expect(fn () => validateShellSafePath('my_database', 'database name'))
->not->toThrow(Exception::class);
expect(fn () => validateShellSafePath('db-prod', 'database name'))
->not->toThrow(Exception::class);
expect(fn () => validateShellSafePath('test123', 'database name'))
->not->toThrow(Exception::class);
});
// --- MongoDB collection name validation tests ---
test('mongodb collection name rejects command substitution injection', function () {
expect(fn () => validateShellSafePath('$(touch /tmp/pwned)', 'collection name'))
->toThrow(Exception::class);
});
test('mongodb collection name rejects backtick injection', function () {
expect(fn () => validateShellSafePath('`id > /tmp/pwned`', 'collection name'))
->toThrow(Exception::class);
});
test('mongodb collection name rejects semicolon injection', function () {
expect(fn () => validateShellSafePath('col1; rm -rf /', 'collection name'))
->toThrow(Exception::class);
});
test('mongodb collection name rejects ampersand injection', function () {
expect(fn () => validateShellSafePath('col1 & whoami', 'collection name'))
->toThrow(Exception::class);
});
test('mongodb collection name rejects redirect injection', function () {
expect(fn () => validateShellSafePath('col1 > /tmp/pwned', 'collection name'))
->toThrow(Exception::class);
});
test('validateDatabasesBackupInput validates mongodb format with collection names', function () {
// Valid MongoDB formats should pass
expect(fn () => validateDatabasesBackupInput('mydb'))
->not->toThrow(Exception::class);
expect(fn () => validateDatabasesBackupInput('mydb:col1,col2'))
->not->toThrow(Exception::class);
expect(fn () => validateDatabasesBackupInput('db1:col1,col2|db2:col3'))
->not->toThrow(Exception::class);
expect(fn () => validateDatabasesBackupInput('all'))
->not->toThrow(Exception::class);
});
test('validateDatabasesBackupInput rejects injection in collection names', function () {
// Command substitution in collection name
expect(fn () => validateDatabasesBackupInput('mydb:$(touch /tmp/pwned)'))
->toThrow(Exception::class);
// Backtick injection in collection name
expect(fn () => validateDatabasesBackupInput('mydb:`id`'))
->toThrow(Exception::class);
// Semicolon in collection name
expect(fn () => validateDatabasesBackupInput('mydb:col1;rm -rf /'))
->toThrow(Exception::class);
});
test('validateDatabasesBackupInput rejects injection in database name within mongo format', function () {
expect(fn () => validateDatabasesBackupInput('$(whoami):col1,col2'))
->toThrow(Exception::class);
});
Reference in a new issue View git blame Copy permalink