Merge remote-tracking branch 'origin/3.x'

2025-12-13 06:14:04 +00:00 · 2024-02-10 23:34:47 +01:00 · 2024-02-10 23:34:47 +01:00 · 7c29764d81
commit 7c29764d81
parent fe4ee6336f 8db27a358e
10 changed files with 165 additions and 4 deletions
--- a/src/Controllers/TenantAssetController.php
+++ b/src/Controllers/TenantAssetController.php
@ -23,7 +23,7 @@ class TenantAssetController implements HasMiddleware // todo@docs this was renam
     */
    public function __invoke(string $path = null): BinaryFileResponse
    {
-        abort_if($path === null, 404);
+        $this->validatePath($path);

        try {
            return response()->file(storage_path("app/public/$path"));
@ -31,4 +31,43 @@ class TenantAssetController implements HasMiddleware // todo@docs this was renam
            abort(404);
        }
    }
+
+    /**
+     * Prevent path traversal attacks. This is generally a non-issue on modern
+     * webservers but it's still worth handling on the application level as well.
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    protected function validatePath(string|null $path): void
+    {
+        $this->abortIf($path === null, 'Empty path');
+
+        $allowedRoot = realpath(storage_path('app/public'));
+
+        // `storage_path('app/public')` doesn't exist, so it cannot contain files
+        $this->abortIf($allowedRoot === false, "Storage root doesn't exist");
+
+        $attemptedPath = realpath("{$allowedRoot}/{$path}");
+
+        // User is attempting to access a nonexistent file
+        $this->abortIf($attemptedPath === false, 'Accessing a nonexistent file');
+
+        // User is attempting to access a file outside the $allowedRoot folder
+        $this->abortIf(! str($attemptedPath)->startsWith($allowedRoot), 'Accessing a file outside the storage root');
+    }
+
+    protected function abortIf($condition, $exceptionMessage): void
+    {
+        if ($condition) {
+            if (app()->runningUnitTests()) {
+                // Makes testing the cause of the failure in validatePath() easier
+                throw new Exception($exceptionMessage);
+            } else {
+                // We always use 404 to avoid leaking information about the cause of the error
+                // e.g. when someone is trying to access a nonexistent file outside of the allowed
+                // root folder, we don't want to let the user know whether such a file exists or not.
+                abort(404);
+            }
+        }
+    }
 }