archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2026-05-06 15:24:03 +00:00
Code Activity

Use 'allowedCharacters' instead of 'allowlist', code quality

Browse source
This commit is contained in:
lukinovec 2026-05-01 09:11:55 +02:00
parent 76c324d758
commit d3607f84bf
1 changed files with 16 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

31
src/Database/Concerns/ValidatesDatabaseParameters.php
View file

@ -23,7 +23,7 @@ trait ValidatesDatabaseParameters
* Used as the default allowlist for validateParameter(), which validates non-password * Used as the default allowlist for validateParameter(), which validates non-password
* parameters such as database names or usernames. * parameters such as database names or usernames.
*/ */
protected static function parameterAllowlist(): string protected static function allowedParameterCharacters(): string
{ {
return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-'; return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-';
} }
@ -31,9 +31,9 @@ trait ValidatesDatabaseParameters
/** /**
* Characters allowed in filenames (SQLite databases). * Characters allowed in filenames (SQLite databases).
* *
* Allows dots to support file extensions (e.g. '.sqlite'). * Includes dots to support file extensions (e.g. '.sqlite').
*/ */
protected static function filenameAllowlist(): string protected static function allowedFilenameCharacters(): string
{ {
return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.'; return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.';
} }
@ -46,7 +46,7 @@ trait ValidatesDatabaseParameters
* characters that can break out of the quoted SQL strings (so e.g. * characters that can break out of the quoted SQL strings (so e.g.
* ', ", \, and ` aren't allowed). * ', ", \, and ` aren't allowed).
*/ */
protected static function passwordAllowlist(): string protected static function allowedPasswordCharacters(): string
{ {
return ' !#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~'; return ' !#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~';
} }
@ -56,15 +56,15 @@ trait ValidatesDatabaseParameters
* only contain allowed characters before used in SQL statements * only contain allowed characters before used in SQL statements
* (or file names in the case of SQLiteDatabaseManager). * (or file names in the case of SQLiteDatabaseManager).
* *
* By default, only the characters in static::parameterAllowlist() are allowed. * By default, only the characters in static::allowedParameterCharacters() are allowed.
* *
* Null parameters are skipped. * Null parameters are skipped.
* *
* @throws InvalidArgumentException * @throws InvalidArgumentException
*/ */
protected function validateParameter(string|array|null $parameters, string|null $allowlist = null): void protected function validateParameter(string|array|null $parameters, string|null $allowedCharacters = null): void
{ {
$allowlist = $allowlist ?? static::parameterAllowlist(); $allowedCharacters ??= static::allowedParameterCharacters();
foreach ((array) $parameters as $parameter) { foreach ((array) $parameters as $parameter) {
if (! is_string($parameter)) { if (! is_string($parameter)) {
@ -74,16 +74,17 @@ trait ValidatesDatabaseParameters
continue; continue;
} }
foreach (str_split($parameter) as $char) { foreach (str_split($parameter) as $character) {
if (! str_contains($allowlist, $char)) { if (! str_contains($allowedCharacters, $character)) {
throw new InvalidArgumentException("Forbidden character '{$char}' in parameter."); throw new InvalidArgumentException("Forbidden character '{$character}' in parameter.");
} }
} }
} }
} }
/** /**
* Ensure password only contains allowed characters before used in SQL statements. * Ensure password only contains allowed characters (static::allowedPasswordCharacters())
* before used in SQL statements.
* *
* Used in permission controlled managers as a shorthand for calling validateParameter() * Used in permission controlled managers as a shorthand for calling validateParameter()
* with the less strict allowlist to validate database user passwords. * with the less strict allowlist to validate database user passwords.
@ -92,12 +93,12 @@ trait ValidatesDatabaseParameters
*/ */
protected function validatePassword(string|null $password): void protected function validatePassword(string|null $password): void
{ {
$this->validateParameter($password, static::passwordAllowlist()); $this->validateParameter($password, static::allowedPasswordCharacters());
} }
/** /**
* Ensure filename only contains allowed characters and is not a directory name * Ensure filename only contains allowed characters (static::allowedFilenameCharacters())
* before used in file paths (e.g. SQLite databases). * and is not a directory name before used in file paths (e.g. SQLite database names).
* *
* @throws InvalidArgumentException * @throws InvalidArgumentException
* @see Stancl\Tenancy\Database\TenantDatabaseManagers\SQLiteDatabaseManager * @see Stancl\Tenancy\Database\TenantDatabaseManagers\SQLiteDatabaseManager
@ -108,6 +109,6 @@ trait ValidatesDatabaseParameters
throw new InvalidArgumentException("Filename '{$filename}' is a directory."); throw new InvalidArgumentException("Filename '{$filename}' is a directory.");
} }
$this->validateParameter($filename, static::filenameAllowlist()); $this->validateParameter($filename, static::allowedFilenameCharacters());
} }
} }