rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/tests/Unit/WindowsPathVolumeTest.php
Andras Bacsai a219f2e80e fix: use canonical parser for Windows path validation 
Problem:
- validateVolumeStringForInjection used explode(':') to parse volume strings
- This incorrectly splits Windows paths like "C:\host\path:/container" at the drive letter colon
- Could lead to false positives/negatives in injection detection

Solution:
- Replace custom parsing in validateVolumeStringForInjection with call to parseDockerVolumeString
- parseDockerVolumeString already handles Windows paths, environment variables, and performs validation
- Eliminates code duplication and uses single source of truth for volume string parsing

Tests:
- All 77 existing security tests pass (211 assertions)
- Added 6 new Windows path tests (8 assertions)
- Fixed pre-existing test bug: preg_match returns int 1, not boolean true

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-16 09:51:37 +02:00

64 lines
1.9 KiB
PHP
Raw Blame History

<?php
test('parseDockerVolumeString correctly handles Windows paths with drive letters', function () {
$windowsVolume = 'C:\\host\\path:/container';
$result = parseDockerVolumeString($windowsVolume);
expect((string) $result['source'])->toBe('C:\\host\\path');
expect((string) $result['target'])->toBe('/container');
});
test('validateVolumeStringForInjection correctly handles Windows paths via parseDockerVolumeString', function () {
$windowsVolume = 'C:\\Users\\Data:/app/data';
// Should not throw an exception
validateVolumeStringForInjection($windowsVolume);
// If we get here, the test passed
expect(true)->toBeTrue();
});
test('validateVolumeStringForInjection rejects malicious Windows-like paths', function () {
$maliciousVolume = 'C:\\host\\`whoami`:/container';
expect(fn () => validateVolumeStringForInjection($maliciousVolume))
->toThrow(\Exception::class);
});
test('validateDockerComposeForInjection handles Windows paths in compose files', function () {
$dockerComposeYaml = <<<'YAML'
services:
web:
image: nginx
volumes:
- C:\Users\Data:/app/data
YAML;
// Should not throw an exception
validateDockerComposeForInjection($dockerComposeYaml);
expect(true)->toBeTrue();
});
test('validateDockerComposeForInjection rejects Windows paths with injection', function () {
$dockerComposeYaml = <<<'YAML'
services:
web:
image: nginx
volumes:
- C:\Users\$(whoami):/app/data
YAML;
expect(fn () => validateDockerComposeForInjection($dockerComposeYaml))
->toThrow(\Exception::class);
});
test('Windows paths with complex paths and spaces are handled correctly', function () {
$windowsVolume = 'C:\\Program Files\\MyApp:/app';
$result = parseDockerVolumeString($windowsVolume);
expect((string) $result['source'])->toBe('C:\\Program Files\\MyApp');
expect((string) $result['target'])->toBe('/app');
});
Reference in a new issue View git blame Copy permalink