Add validateFilename()

Use validateFilename instead of validateParameter in SQLiteDatabaseManager. Directories are no longer considered valid SQLite database names.
2026-05-06 18:04:03 +00:00 · 2026-05-01 09:03:50 +02:00 · 2026-05-01 09:03:50 +02:00 · 76c324d758
commit 76c324d758
parent 2bd3a868ec
3 changed files with 37 additions and 18 deletions
--- a/src/Database/Concerns/ValidatesDatabaseParameters.php
+++ b/src/Database/Concerns/ValidatesDatabaseParameters.php
@ -28,6 +28,16 @@ trait ValidatesDatabaseParameters
        return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-';
    }

+    /**
+     * Characters allowed in filenames (SQLite databases).
+     *
+     * Allows dots to support file extensions (e.g. '.sqlite').
+     */
+    protected static function filenameAllowlist(): string
+    {
+        return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.';
+    }
+
    /**
     * Characters allowed in database user passwords.
     *
@ -66,7 +76,7 @@ trait ValidatesDatabaseParameters

            foreach (str_split($parameter) as $char) {
                if (! str_contains($allowlist, $char)) {
-                    throw new InvalidArgumentException("Forbidden character '{$char}' in database parameter.");
+                    throw new InvalidArgumentException("Forbidden character '{$char}' in parameter.");
                }
            }
        }
@ -75,8 +85,8 @@ trait ValidatesDatabaseParameters
    /**
     * Ensure password only contains allowed characters before used in SQL statements.
     *
-     * Used as a shorthand for calling validateParameter() with the less strict allowlist
-     * to validate database user passwords.
+     * Used in permission controlled managers as a shorthand for calling validateParameter()
+     * with the less strict allowlist to validate database user passwords.
     *
     * @throws InvalidArgumentException
     */
@ -84,4 +94,20 @@ trait ValidatesDatabaseParameters
    {
        $this->validateParameter($password, static::passwordAllowlist());
    }
+
+    /**
+     * Ensure filename only contains allowed characters and is not a directory name
+     * before used in file paths (e.g. SQLite databases).
+     *
+     * @throws InvalidArgumentException
+     * @see Stancl\Tenancy\Database\TenantDatabaseManagers\SQLiteDatabaseManager
+     */
+    protected function validateFilename(string|null $filename): void
+    {
+        if (is_dir($filename)) {
+            throw new InvalidArgumentException("Filename '{$filename}' is a directory.");
+        }
+
+        $this->validateParameter($filename, static::filenameAllowlist());
+    }
 }