
Validate SQLite DB names in create/deleteDatabase()

Also stop skipping the validation test for sqlite.
This commit is contained in:
lukinovec 2026-04-29 16:01:49 +02:00
parent d5087d19c5
commit db03997339
2 changed files with 13 additions and 4 deletions


@ -7,12 +7,15 @@ namespace Stancl\Tenancy\Database\TenantDatabaseManagers;
use Closure; use Closure;
use Illuminate\Database\Eloquent\Model; use Illuminate\Database\Eloquent\Model;
use PDO; use PDO;
use Stancl\Tenancy\Database\Concerns\ValidatesSqlParameters;
use Stancl\Tenancy\Database\Contracts\TenantDatabaseManager; use Stancl\Tenancy\Database\Contracts\TenantDatabaseManager;
use Stancl\Tenancy\Database\Contracts\TenantWithDatabase; use Stancl\Tenancy\Database\Contracts\TenantWithDatabase;
use Throwable; use Throwable;
class SQLiteDatabaseManager implements TenantDatabaseManager class SQLiteDatabaseManager implements TenantDatabaseManager
{ {
use ValidatesSqlParameters;
/** /**
* SQLite database directory path. * SQLite database directory path.
* *
@ -57,6 +60,11 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
*/ */
public static Closure|null $closeInMemoryConnectionUsing = null; public static Closure|null $closeInMemoryConnectionUsing = null;
protected static function parameterAllowlist(): string
{
return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.';
}
public function createDatabase(TenantWithDatabase $tenant): bool public function createDatabase(TenantWithDatabase $tenant): bool
{ {
/** @var TenantWithDatabase&Model $tenant */ /** @var TenantWithDatabase&Model $tenant */
@ -84,6 +92,8 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
return true; return true;
} }
$this->validateParameter($name);
return file_put_contents($this->getPath($name), '') !== false; return file_put_contents($this->getPath($name), '') !== false;
} }
@ -99,6 +109,8 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
return true; return true;
} }
$this->validateParameter($name);
$path = $this->getPath($name); $path = $this->getPath($name);
try { try {
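Review bot: The allowlist returned by parameterAllowlist() admits `.`, so a name made only of dots (`.`, `..`) passes validateParameter() and still reaches getPath() both in createDatabase (the call right before file_put_contents) and in deleteDatabase (the call before `$path = $this->getPath($name);`); whether such a name resolves outside the database directory depends on getPath(), which is outside the hunk. If getPath() just joins the directory with `$name`, reject these next to the existing validation call, e.g. `if ($name === '' || trim($name, '.') === '') { throw new \InvalidArgumentException("Invalid SQLite database name: {$name}"); }`, or, better, check that the resolved path stays inside the configured directory. It is also worth confirming how ValidatesSqlParameters consumes this string: if it builds a regex character class from it, the unescaped `-` sitting between `_` and `.` would be read as a range instead of a literal hyphen. A short docblock on parameterAllowlist() stating that the "parameter" for this driver is a filename rather than a SQL identifier would explain why the character set differs from the SQL-based managers. Both enclosing methods start and end outside the hunk.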


@ -541,10 +541,7 @@ test('partial tenant connection templates get merged into the central connection
}); });
test('database managers validate sql parameters before using them in statements', function ($driver, $databaseManager) { test('database managers validate sql parameters before using them in statements', function ($driver, $databaseManager) {
// todo@validation passwords. also sqlite? // todo@validation passwords
if ($driver === 'sqlite') {
$this->markTestSkipped('SQLiteDatabaseManager does not use SQL statements.');
}
config()->set([ config()->set([
"tenancy.database.template_tenant_connection" => $driver, "tenancy.database.template_tenant_connection" => $driver,