Fix/tighten Folder::inPath() checks.

The current checks are way too relaxed, and are more like testing for a substring, which makes it easy for invalid paths to slip trough, for example `/foo/var/www` is falsely tested to reside in `/var/www`.
cakephp · Aug 24, 2016 · 949bde9 · 949bde9
1 parent 8a3b47f
commit 949bde9
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 17 deletions.
diff --git a/src/Filesystem/Folder.php b/src/Filesystem/Folder.php
@@ -401,7 +401,7 @@ public static function addPathElement($path, $element)
     }
 
     /**
-     * Returns true if the File is in a given CakePath.
+     * Returns true if the Folder is in the given Cake path.
      *
      * @param string $path The path to check.
      * @return bool
@@ -416,10 +416,10 @@ public function inCakePath($path = '')
     }
 
     /**
-     * Returns true if the File is in given path.
+     * Returns true if the Folder is in the given path.
      *
-     * @param string $path The path to check that the current pwd() resides with in.
-     * @param bool $reverse Reverse the search, check that pwd() resides within $path.
+     * @param string $path The absolute path to check that the current `pwd()` resides within.
+     * @param bool $reverse Reverse the search, check if the given `$path` resides within the current `pwd()`.
      * @return bool
      */
     public function inPath($path = '', $reverse = false)
@@ -428,9 +428,9 @@ public function inPath($path = '', $reverse = false)
         $current = Folder::slashTerm($this->pwd());
 
         if (!$reverse) {
-            $return = preg_match('/^(.*)' . preg_quote($dir, '/') . '(.*)/', $current);
+            $return = preg_match('/^' . preg_quote($dir, '/') . '(.*)/', $current);
         } else {
-            $return = preg_match('/^(.*)' . preg_quote($current, '/') . '(.*)/', $dir);
+            $return = preg_match('/^' . preg_quote($current, '/') . '(.*)/', $dir);
         }
 
         return (bool)$return;

diff --git a/tests/TestCase/Filesystem/FolderTest.php b/tests/TestCase/Filesystem/FolderTest.php
@@ -95,28 +95,64 @@ public function testBasic()
      */
     public function testInPath()
     {
-        $path = dirname(__DIR__);
-        $inside = dirname($path) . DS;
+        // "/tests/base/"
+        $basePath = TMP . 'tests' . DS . 'base' . DS;
+        $Base = new Folder($basePath, true);
 
-        $Folder = new Folder($path);
+        $result = $Base->pwd();
+        $this->assertEquals($basePath, $result);
 
-        $result = $Folder->pwd();
-        $this->assertEquals($path, $result);
 
-        $result = Folder::isSlashTerm($inside);
+        // is "/" in "/tests/base/"
+        $result = $Base->inPath();
+        $this->assertFalse($result, true);
+
+        // is "/tests/base/" in "/tests/base/"
+        $result = $Base->inPath($basePath, true);
         $this->assertTrue($result);
 
-        $result = $Folder->realpath('tests' . DS);
-        $this->assertEquals($path . DS . 'tests' . DS, $result);
+        // is "/tests/base" in "/tests/base/"
+        $result = $Base->inPath(mb_substr($basePath, 0, -1), true);
+        $this->assertTrue($result);
 
-        $result = $Folder->inPath('tests' . DS);
+        // is "/tests/base/sub" in "/tests/base/"
+        $result = $Base->inPath($basePath . 'sub', true);
         $this->assertTrue($result);
 
-        $result = $Folder->inPath(DS . 'non-existing' . $inside);
+        // is "/tests" in "/tests/base/"
+        $result = $Base->inPath(dirname($basePath), true);
+        $this->assertFalse($result);
+
+        // is "/tests/other/(...)tests/base" in "/tests/base/"
+        $result = $Base->inPath(TMP . 'tests' . DS . 'other' . DS . $basePath, true);
+        $this->assertFalse($result);
+
+
+        // is "/tests/base/" in "/"
+        $result = $Base->inPath();
         $this->assertFalse($result);
 
-        $result = $Folder->inPath($path . DS . 'Model', true);
+        // is "/tests/base/" in "/tests/base/"
+        $result = $Base->inPath($basePath);
+        $this->assertTrue($result);
+
+        // is "/tests/base/" in "/tests/base"
+        $result = $Base->inPath(mb_substr($basePath, 0, -1));
+        $this->assertTrue($result);
+
+        // is "/tests/base/" in "/tests"
+        $result = $Base->inPath(dirname($basePath));
         $this->assertTrue($result);
+
+        // is "/tests/base/" in "/tests/base/sub"
+        $result = $Base->inPath($basePath . 'sub');
+        $this->assertFalse($result);
+
+        // is "/other/tests/base/" in "/tests/base/"
+        $VirtualBase = new Folder();
+        $VirtualBase->path = '/other/tests/base';
+        $result = $VirtualBase->inPath('/tests/base/');
+        $this->assertFalse($result);
     }
 
     /**