mirror of
https://github.com/archtechx/tenancy.git
synced 2025-12-12 22:34:03 +00:00
reimplement TenantAssetsController::validatePath() (fixes #1143)
This commit is contained in:
Samuel Štancl
parent
4af70d302f
commit
caf2267a08
2 changed files with 92 additions and 12 deletions
|
|
@ -4,6 +4,7 @@ declare(strict_types=1);
|
|||
|
||||
namespace Stancl\Tenancy\Controllers;
|
||||
|
||||
use Exception;
|
||||
use Illuminate\Routing\Controller;
|
||||
use Throwable;
|
||||
|
||||
|
|
@ -28,18 +29,41 @@ class TenantAssetsController extends Controller
|
|||
}
|
||||
|
||||
/**
|
||||
* Prevent path traversal attacks. This is generally a non-issue on modern
|
||||
* webservers but it's still worth handling on the application level as well.
|
||||
*
|
||||
* @throws \Symfony\Component\HttpKernel\Exception\HttpException
|
||||
*/
|
||||
protected function validatePath(string|null $path): void
|
||||
{
|
||||
abort_if($path === null, 404);
|
||||
$this->abortIf($path === null, 'Empty path');
|
||||
|
||||
$allowedRoot = storage_path('app/public');
|
||||
$allowedRoot = realpath(storage_path('app/public'));
|
||||
|
||||
// Prevent path traversal attacks. This is generally a non-issue on modern
|
||||
// webservers but it's still worth handling on the application level as well.
|
||||
if (! str(realpath("{$allowedRoot}/{$path}"))->startsWith($allowedRoot)) {
|
||||
abort(403);
|
||||
// `storage_path('app/public')` doesn't exist, so it cannot contain files
|
||||
$this->abortIf($allowedRoot === false, "Storage root doesn't exist");
|
||||
|
||||
$attemptedPath = realpath("{$allowedRoot}/{$path}");
|
||||
|
||||
// User is attempting to access a nonexistent file
|
||||
$this->abortIf($attemptedPath === false, 'Accessing a nonexistent file');
|
||||
|
||||
// User is attempting to access a file outside the $allowedRoot folder
|
||||
$this->abortIf(! str($attemptedPath)->startsWith($allowedRoot), 'Accessing a file outside the storage root');
|
||||
}
|
||||
|
||||
protected function abortIf($condition, $exceptionMessage): void
|
||||
{
|
||||
if ($condition) {
|
||||
if (app()->runningUnitTests()) {
|
||||
// Makes testing the cause of the failure in validatePath() easier
|
||||
throw new Exception($exceptionMessage);
|
||||
} else {
|
||||
// We always use 404 to avoid leaking information about the cause of the error
|
||||
// e.g. when someone is trying to access a nonexistent file outside of the allowed
|
||||
// root folder, we don't want to let the user know whether such a file exists or not.
|
||||
abort(404);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue