From 6d56cfb2b0256ec169dd4dd3bc4bb1d77435861c Mon Sep 17 00:00:00 2001
From: Antoine Lelaisant
Date: Fri, 17 Mar 2023 15:38:20 +0100
Subject: [PATCH] fix: security issue GHSA-gq6w-q6wh-jggc

---
 src/Knp/Snappy/AbstractGenerator.php | 4 ++++
 tests/Knp/Snappy/AbstractGeneratorTest.php | 24 ++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/src/Knp/Snappy/AbstractGenerator.php b/src/Knp/Snappy/AbstractGenerator.php
index dba98737..eb8ae858 100644
--- a/src/Knp/Snappy/AbstractGenerator.php
+++ b/src/Knp/Snappy/AbstractGenerator.php
@@ -625,6 +625,10 @@ protected function executeCommand($command)
 */
 protected function prepareOutput($filename, $overwrite)
 {
+ if (strpos($filename, 'phar://') === 0) {
+ throw new InvalidArgumentException('The output file cannot be a phar archive.');
+ }
+
 $directory = \dirname($filename);
 if ($this->fileExists($filename)) {
diff --git a/tests/Knp/Snappy/AbstractGeneratorTest.php b/tests/Knp/Snappy/AbstractGeneratorTest.php
index 803ccd89..5b766f89 100644
--- a/tests/Knp/Snappy/AbstractGeneratorTest.php
+++ b/tests/Knp/Snappy/AbstractGeneratorTest.php
@@ -969,4 +969,28 @@ private function getPHPExecutableFromPath(): ?string
 return null; // not found
 }
+
+ public function testFailingGenerateWithOutputContainingPharPrefix(): void
+ {
+ $media = $this->getMockBuilder(AbstractGenerator::class)
+ ->setMethods([
+ 'configure',
+ 'prepareOutput',
+ ])
+ ->setConstructorArgs(['the_binary', [], ['PATH' => '/usr/bin']])
+ ->getMock()
+ ;
+
+ $media->setTimeout(2000);
+
+ $media
+ ->expects($this->once())
+ ->method('prepareOutput')
+ ->with($this->equalTo('phar://the_output_file'))
+ ;
+
+ $this->expectException(InvalidArgumentException::class);
+
+ $media->generate('the_input_file', 'phar://the_output_file', ['foo' => 'bar']);
+ }
 }
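Review bot: The new guard at the top of prepareOutput is a case-sensitive prefix match, but PHP resolves stream-wrapper schemes case-insensitively, so an output path such as `PHAR://evil.phar/x` or `Phar://…` passes `strpos($filename, 'phar://') === 0` and still reaches the phar wrapper when `$this->fileExists($filename)` a few lines below touches it (presumably the sink this advisory is about). Use a case-insensitive comparison, `if (\stripos($filename, 'phar://') === 0) {`, or better refuse any scheme-prefixed output instead of enumerating one wrapper, e.g. `if (\preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename) === 1) {`. A one-line why-comment above the check would help the next maintainer, e.g. `// GHSA-gq6w-q6wh-jggc: file functions on a phar:// path deserialize the archive's metadata, so never accept a wrapper URL as the output file`. The body of prepareOutput continues past the end of the hunk.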
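Review bot: The test stubs `prepareOutput` via `setMethods(['configure', 'prepareOutput'])`, so the guard this commit adds to the real AbstractGenerator::prepareOutput is not what executes here; the `InvalidArgumentException` it expects would have to come from somewhere else in `generate()`, which is outside this diff, and a regression that removed the guard would presumably still pass. Consider dropping `'prepareOutput'` from the mocked method list so the real method runs and throws before any filesystem access, and cover the case-variant path (`'PHAR://the_output_file'`) through a data provider, since that is the bypass a case-sensitive prefix check leaves open. Note also that `setMethods()` is deprecated in recent PHPUnit releases in favour of `onlyMethods()`.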