Validate SQLite filename in databaseExists

Add validation so that a malicious tenant DB name can't be used to detect if a file exists.
2026-05-06 15:24:03 +00:00 · 2026-04-30 09:49:03 +02:00 · 2026-04-30 09:49:03 +02:00 · 322257f456
commit 322257f456
parent 75b74f2e6c
2 changed files with 17 additions and 1 deletions
--- a/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
@ -128,7 +128,13 @@ class SQLiteDatabaseManager implements TenantDatabaseManager

    public function databaseExists(string $name): bool
    {
-        return $this->isInMemory($name) || file_exists($this->getPath($name));
+        if ($this->isInMemory($name)) {
+            return true;
+        }
+
+        $this->validateParameter($name);
+
+        return file_exists($this->getPath($name));
    }

    public function makeConnectionConfig(array $baseConfig, string $databaseName): array
--- a/tests/TenantDatabaseManagerTest.php
+++ b/tests/TenantDatabaseManagerTest.php
@ -623,6 +623,16 @@ test('database managers validate parameters that cannot be bound', function ($dr
    expect(fn () => $manager->deleteDatabase($validTenant))->not()->toThrow(InvalidArgumentException::class);
 })->with('database_managers');

+test('sqlite database manager validates the name in databaseExists', function () {
+    $manager = app(SQLiteDatabaseManager::class);
+
+    expect(fn () => $manager->databaseExists("../invalid-db-name.sqlite"))
+        ->toThrow(InvalidArgumentException::class);
+
+    expect(fn () => $manager->databaseExists('valid-db_name.sqlite'))
+        ->not()->toThrow(InvalidArgumentException::class);
+});
+
 // Datasets
 dataset('database_managers', [
    ['mysql', MySQLDatabaseManager::class],