Merge remote-tracking branch 'origin/3.x'

src/Commands/MigrateFresh.php

@@ -20,6 +20,7 @@ class MigrateFresh extends BaseCommand
         parent::__construct();
 
         $this->addOption('--drop-views', null, InputOption::VALUE_NONE, 'Drop views along with tenant tables.', null);
+        $this->addOption('--step', null, InputOption::VALUE_NONE, 'Force the migrations to be run so they can be rolled back individually.');
 
         $this->setName('tenants:migrate-fresh');
     }
@@ -40,6 +41,7 @@ class MigrateFresh extends BaseCommand
             $this->components->task('Migrating', function () use ($tenant) {
                 $this->callSilent('tenants:migrate', [
                     '--tenants' => [$tenant->getTenantKey()],
+                    '--step' => $this->option('step'),
                     '--force' => true,
                 ]);
             });

src/Controllers/TenantAssetController.php

@@ -23,7 +23,7 @@ class TenantAssetController implements HasMiddleware // todo@docs this was renam
      */
     public function __invoke(string $path = null): BinaryFileResponse
     {
-        abort_if($path === null, 404);
+        $this->validatePath($path);
 
         try {
             return response()->file(storage_path("app/public/$path"));
@@ -31,4 +31,43 @@ class TenantAssetController implements HasMiddleware // todo@docs this was renam
             abort(404);
         }
     }
+
+    /**
+     * Prevent path traversal attacks. This is generally a non-issue on modern
+     * webservers but it's still worth handling on the application level as well.
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    protected function validatePath(string|null $path): void
+    {
+        $this->abortIf($path === null, 'Empty path');
+
+        $allowedRoot = realpath(storage_path('app/public'));
+
+        // `storage_path('app/public')` doesn't exist, so it cannot contain files
+        $this->abortIf($allowedRoot === false, "Storage root doesn't exist");
+
+        $attemptedPath = realpath("{$allowedRoot}/{$path}");
+
+        // User is attempting to access a nonexistent file
+        $this->abortIf($attemptedPath === false, 'Accessing a nonexistent file');
+
+        // User is attempting to access a file outside the $allowedRoot folder
+        $this->abortIf(! str($attemptedPath)->startsWith($allowedRoot), 'Accessing a file outside the storage root');
+    }
+
+    protected function abortIf($condition, $exceptionMessage): void
+    {
+        if ($condition) {
+            if (app()->runningUnitTests()) {
+                // Makes testing the cause of the failure in validatePath() easier
+                throw new Exception($exceptionMessage);
+            } else {
+                // We always use 404 to avoid leaking information about the cause of the error
+                // e.g. when someone is trying to access a nonexistent file outside of the allowed
+                // root folder, we don't want to let the user know whether such a file exists or not.
+                abort(404);
+            }
+        }
+    }
 }

src/Resolvers/PathTenantResolver.php

@@ -31,6 +31,14 @@ class PathTenantResolver extends Contracts\CachedTenantResolver
         throw new TenantCouldNotBeIdentifiedByPathException($id);
     }
 
+    public function resolved(Tenant $tenant, ...$args): void
+    {
+        /** @var Route $route */
+        $route = $args[0];
+
+        $route->forgetParameter(static::$tenantParameterName);
+    }
+
     public function getArgsForTenant(Tenant $tenant): array
     {
         return [