Fix MakeViewVariableOptionalSolution to disallow stream wrappers and …

…files that do not end in .blade.php (#334) * Disallow paths with a scheme in MakeViewVariableOptionalSolution * Added a test unit for the solution * Refactored code into a isSafePath() method * Update MakeViewVariableOptionalSolution.php Co-authored-by: cfreal <folcharles@ŋmail.com> Co-authored-by: Freek Van der Herten <freek@spatie.be>
facade · Nov 17, 2020 · 03a8aa1 · 03a8aa1
1 parent 3b3403f
commit 03a8aa1
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/src/Solutions/MakeViewVariableOptionalSolution.php b/src/Solutions/MakeViewVariableOptionalSolution.php
@@ -4,6 +4,7 @@
 
 use Facade\IgnitionContracts\RunnableSolution;
 use Illuminate\Support\Facades\Blade;
+use Illuminate\Support\Str;
 
 class MakeViewVariableOptionalSolution implements RunnableSolution
 {
@@ -70,8 +71,24 @@ public function run(array $parameters = [])
         }
     }
 
+    protected function isSafePath(string $path): bool
+    {
+        if (!Str::startsWith($path, ['/', './'])) {
+            return false;
+        }
+        if (!Str::endsWith($path, '.blade.php')) {
+            return false;
+        }
+
+        return true;
+    }
+
     public function makeOptional(array $parameters = [])
     {
+        if (!$this->isSafePath($parameters['viewFile'])) {
+            return false;
+        }
+
         $originalContents = file_get_contents($parameters['viewFile']);
         $newContents = str_replace('$'.$parameters['variableName'], '$'.$parameters['variableName']." ?? ''", $originalContents);
 

diff --git a/tests/Solutions/MakeViewVariableOptionalSolutionTest.php b/tests/Solutions/MakeViewVariableOptionalSolutionTest.php
@@ -0,0 +1,53 @@
+<?php
+
+namespace Facade\Ignition\Tests\Solutions;
+
+use Facade\Ignition\Exceptions\ViewException;
+use Facade\Ignition\Solutions\MakeViewVariableOptionalSolution;
+use Facade\Ignition\Support\ComposerClassMap;
+use Facade\Ignition\Tests\TestCase;
+use Illuminate\Support\Facades\View;
+use Illuminate\Support\Str;
+
+class MakeViewVariableOptionalSolutionTest extends TestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        View::addLocation(__DIR__.'/../stubs/views');
+
+        $this->app->bind(
+            ComposerClassMap::class,
+            function () {
+                return new ComposerClassMap(__DIR__.'/../../vendor/autoload.php');
+            }
+        );
+    }
+
+    /** @test */
+    public function it_does_not_open_scheme_paths()
+    {
+        $solution = $this->getSolutionForPath('php://filter/resource=./tests/stubs/views/blade-exception.blade.php');
+        $this->assertFalse($solution->isRunnable());
+    }
+
+    /** @test */
+    public function it_does_open_relative_paths()
+    {
+        $solution = $this->getSolutionForPath('./tests/stubs/views/blade-exception.blade.php');
+        $this->assertTrue($solution->isRunnable());
+    }
+
+    /** @test */
+    public function it_does_not_open_other_extentions()
+    {
+        $solution = $this->getSolutionForPath('./tests/stubs/views/php-exception.php');
+        $this->assertFalse($solution->isRunnable());
+    }
+
+    protected function getSolutionForPath($path): MakeViewVariableOptionalSolution
+    {
+        return new MakeViewVariableOptionalSolution('notSet', $path);
+    }
+}