From 3c3728d6c88291df3a911950d9b69788d26684e0 Mon Sep 17 00:00:00 2001
From: sadafrangian3
Date: Thu, 18 Feb 2021 17:16:18 +0530
Subject: [PATCH] Fix MakeViewVariableOptionalSolution to disallow stream wrappers and files that do not end in .blade.php This is already fixed in 2.5.2, See https://github.com/facade/ignition/pull/334 I could not update to 2.5.2 due to some dependent package required php 7.3, currently clients site is running in php 7.2 On branch 2.4.1-branch Changes to be committed: modified: src/Solutions/MakeViewVariableOptionalSolution.php
---
 .../MakeViewVariableOptionalSolution.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/Solutions/MakeViewVariableOptionalSolution.php b/src/Solutions/MakeViewVariableOptionalSolution.php
index 5e4164d..cac2ed8 100644
--- a/src/Solutions/MakeViewVariableOptionalSolution.php
+++ b/src/Solutions/MakeViewVariableOptionalSolution.php
@@ -4,6 +4,7 @@
 use Facade\IgnitionContracts\RunnableSolution;
 use Illuminate\Support\Facades\Blade;
+use Illuminate\Support\Str;
 class MakeViewVariableOptionalSolution implements RunnableSolution
 {
@@ -70,8 +71,25 @@ public function run(array $parameters = [])
 }
 }
+ protected function isSafePath(string $path): bool
+ {
+ if (!Str::startsWith($path, ['/', './'])) {
+ return false;
+ }
+
+ if (!Str::endsWith($path, '.blade.php')) {
+ return false;
+ }
+
+ return true;
+ }
+
 public function makeOptional(array $parameters = [])
 {
+ if (!$this->isSafePath($parameters['viewFile'])) {
+ return false;
+ }
+
 $originalContents = file_get_contents($parameters['viewFile']);
 $newContents = str_replace('$'.$parameters['variableName'], '$'.$parameters['variableName']." ?? ''", $originalContents);
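Review bot: isSafePath() in the second hunk judges only the text of the path (a leading `/` or `./` and a `.blade.php` suffix), so a `viewFile` value that contains `../` segments or resolves through a symlink still passes and can name any `.blade.php` file the PHP process can reach, not only the application's own views. Resolving the path with `realpath()` and requiring the result to sit under a configured view directory would tighten this; the sketch below assumes `config('view.paths')` is the right set of roots, which would exclude package views, so confirm that is acceptable. The guard in makeOptional() also reads `$parameters['viewFile']` without checking that the key exists; `$parameters['viewFile'] ?? ''` would keep a missing parameter on the `return false` path. makeOptional() continues past the end of the hunk, and its callers (not shown here) need to treat the new `false` return as "leave the file alone".

```php
protected function isSafePath(string $path): bool
{
    // Judge the resolved location, not the string the caller supplied:
    // realpath() collapses ../ segments and symlinks, and returns false
    // for stream-wrapper URLs and for files that do not exist.
    $resolved = realpath($path);

    if ($resolved === false || !Str::endsWith($resolved, '.blade.php')) {
        return false;
    }

    // Accept only files below one of the application's view roots.
    foreach ((array) config('view.paths') as $viewPath) {
        $root = realpath($viewPath);

        if ($root !== false && Str::startsWith($resolved, rtrim($root, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR)) {
            return true;
        }
    }

    return false;
}

// … unchanged: makeOptional() body after the isSafePath() guard …
```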