Merge pull request #7010 from nupplaphil/task/basepath_hardening

Basepath Hardening
2019-04-14 10:46:06 -04:00 · 2019-04-14 10:46:06 -04:00 · e01cb50892
parent e0911efc87 b93db8ec2e
commit e01cb50892
2 changed files with 63 additions and 13 deletions
--- a/src/Util/BasePath.php
+++ b/src/Util/BasePath.php
@ -19,15 +19,21 @@ class BasePath
 	 */
 	public static function create($basePath, array $server = [])
 	{
-		if (!$basePath && !empty($server['DOCUMENT_ROOT'])) {
+		if ((!$basePath || !is_dir($basePath)) && !empty($server['DOCUMENT_ROOT'])) {
 			$basePath = $server['DOCUMENT_ROOT'];
 		}

-		if (!$basePath && !empty($server['PWD'])) {
+		if ((!$basePath || !is_dir($basePath)) && !empty($server['PWD'])) {
 			$basePath = $server['PWD'];
 		}

-		return self::getRealPath($basePath);
+		$basePath = self::getRealPath($basePath);
+
+		if (!is_dir($basePath)) {
+			throw new \Exception(sprintf('\'%s\' is not a valid basepath', $basePath));
+		}
+
+		return $basePath;
 	}

 	/**
--- a/tests/src/Util/BasePathTest.php
+++ b/tests/src/Util/BasePathTest.php
@ -6,24 +6,68 @@ use Friendica\Util\BasePath;

 class BasePathTest extends MockedTest
 {
+	public function dataPaths()
+	{
+		return [
+			'fullPath' => [
+				'server' => [],
+				'input' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+				'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+			],
+			'relative' => [
+				'server' => [],
+				'input' => 'config',
+				'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+			],
+			'document_root' => [
+				'server' => [
+					'DOCUMENT_ROOT' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+				],
+				'input' => '/noooop',
+				'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+			],
+			'pwd' => [
+				'server' => [
+					'PWD' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+				],
+				'input' => '/noooop',
+				'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+			],
+			'no_overwrite' => [
+				'server' => [
+					'DOCUMENT_ROOT' => dirname(__DIR__, 3),
+					'PWD' => dirname(__DIR__, 3),
+				],
+				'input' => 'config',
+				'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+			],
+			'no_overwrite_if_invalid' => [
+				'server' => [
+					'DOCUMENT_ROOT' => '/nopopop',
+					'PWD' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+				],
+				'input' => '/noatgawe22fafa',
+				'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+			]
+		];
+	}
+
 	/**
 	 * Test the basepath determination
+	 * @dataProvider dataPaths
 	 */
-	public function testDetermineBasePath()
+	public function testDetermineBasePath(array $server, $input, $output)
 	{
-		$serverArr = ['DOCUMENT_ROOT' => '/invalid', 'PWD' => '/invalid2'];
-		$this->assertEquals('/valid', BasePath::create('/valid', $serverArr));
+		$this->assertEquals($output, BasePath::create($input, $server));
 	}

 	/**
-	 * Test the basepath determination with DOCUMENT_ROOT and PWD
+	 * Test the basepath determination with a complete wrong path
+	 * @expectedException \Exception
+	 * @expectedExceptionMessageRegExp /(.*) is not a valid basepath/
 	 */
-	public function testDetermineBasePathWithServer()
+	public function testFailedBasePath()
 	{
-		$serverArr = ['DOCUMENT_ROOT' => '/valid'];
-		$this->assertEquals('/valid', BasePath::create('', $serverArr));
-
-		$serverArr = ['PWD' => '/valid_too'];
-		$this->assertEquals('/valid_too', BasePath::create('', $serverArr));
+		BasePath::create('/now23452sgfgas', []);
 	}
 }