add extra $path validation to TenantAssetsController

archtechx · Aug 24, 2023 · 4af70d3 · 4af70d3
1 parent 3951924
commit 4af70d3
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ coverage/
 clover.xml
 tests/Etc/tmp/queuetest.json
 docker-compose.override.yml
+.DS_Store
diff --git a/src/Controllers/TenantAssetsController.php b/src/Controllers/TenantAssetsController.php
@@ -18,12 +18,28 @@ public function __construct()
 
     public function asset($path = null)
     {
-        abort_if($path === null, 404);
+        $this->validatePath($path);
 
         try {
             return response()->file(storage_path("app/public/$path"));
         } catch (Throwable $th) {
             abort(404);
         }
     }
+
+    /**
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    protected function validatePath(string|null $path): void
+    {
+        abort_if($path === null, 404);
+
+        $allowedRoot = storage_path('app/public');
+
+        // Prevent path traversal attacks. This is generally a non-issue on modern
+        // webservers but it's still worth handling on the application level as well.
+        if (! str(realpath("{$allowedRoot}/{$path}"))->startsWith($allowedRoot)) {
+            abort(403);
+        }
+    }
 }
diff --git a/tests/TenantAssetTest.php b/tests/TenantAssetTest.php
@@ -141,4 +141,17 @@ public function test_asset_controller_returns_a_404_when_no_path_is_provided()
         $response->assertNotFound();
     }
 
+    public function test_asset_controller_returns_a_403_when_an_invalid_path_is_provided()
+    {
+        TenantAssetsController::$tenancyMiddleware = InitializeTenancyByRequestData::class;
+
+        $tenant = Tenant::create();
+
+        tenancy()->initialize($tenant);
+        $response = $this->get(tenant_asset('../foo.txt'), [
+            'X-Tenant' => $tenant->id,
+        ]);
+
+        $response->assertForbidden();
+    }
 }