Validate SQLite DB names in create/deleteDatabase()

Also stop skipping the validation test for sqlite.
2026-05-06 15:24:03 +00:00 · 2026-04-29 16:01:49 +02:00 · 2026-04-29 16:01:49 +02:00 · db03997339
commit db03997339
parent d5087d19c5
2 changed files with 13 additions and 4 deletions
--- a/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
@ -7,12 +7,15 @@ namespace Stancl\Tenancy\Database\TenantDatabaseManagers;
 use Closure;
 use Illuminate\Database\Eloquent\Model;
 use PDO;
+use Stancl\Tenancy\Database\Concerns\ValidatesSqlParameters;
 use Stancl\Tenancy\Database\Contracts\TenantDatabaseManager;
 use Stancl\Tenancy\Database\Contracts\TenantWithDatabase;
 use Throwable;

 class SQLiteDatabaseManager implements TenantDatabaseManager
 {
+    use ValidatesSqlParameters;
+
    /**
     * SQLite database directory path.
     *
@ -57,6 +60,11 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
     */
    public static Closure|null $closeInMemoryConnectionUsing = null;

+    protected static function parameterAllowlist(): string
+    {
+        return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.';
+    }
+
    public function createDatabase(TenantWithDatabase $tenant): bool
    {
        /** @var TenantWithDatabase&Model $tenant */
@ -84,6 +92,8 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
            return true;
        }

+        $this->validateParameter($name);
+
        return file_put_contents($this->getPath($name), '') !== false;
    }

@ -99,6 +109,8 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
            return true;
        }

+        $this->validateParameter($name);
+
        $path = $this->getPath($name);

        try {
--- a/tests/TenantDatabaseManagerTest.php
+++ b/tests/TenantDatabaseManagerTest.php
@ -541,10 +541,7 @@ test('partial tenant connection templates get merged into the central connection
 });

 test('database managers validate sql parameters before using them in statements', function ($driver, $databaseManager) {
-    // todo@validation passwords. also sqlite?
-    if ($driver === 'sqlite') {
-        $this->markTestSkipped('SQLiteDatabaseManager does not use SQL statements.');
-    }
+    // todo@validation passwords

    config()->set([
        "tenancy.database.template_tenant_connection" => $driver,