Showing with 72 additions and 0 deletions.

+4 −0 CHANGELOG.md

+17 −0 src/Solutions/MakeViewVariableOptionalSolution.php

+51 −0 tests/Solutions/MakeViewVariableOptionalSolutionTest.php
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 All notable changes to `ignition` will be documented in this file
 
+## 2.5.2 - 2020-11-14
+
+- fix `MakeViewVariableOptionalSolution` to disallow stream wrappers and files that do not end in ".blade.php" (#334)
+
 ## 2.5.1 - 2020-11-13
 
 - add support for LiveWire component urls

diff --git a/src/Solutions/MakeViewVariableOptionalSolution.php b/src/Solutions/MakeViewVariableOptionalSolution.php
@@ -4,6 +4,7 @@
 
 use Facade\IgnitionContracts\RunnableSolution;
 use Illuminate\Support\Facades\Blade;
+use Illuminate\Support\Str;
 
 class MakeViewVariableOptionalSolution implements RunnableSolution
 {
@@ -70,8 +71,24 @@ public function run(array $parameters = [])
         }
     }
 
+    protected function isSafePath(string $path): bool
+    {
+        if (! Str::startsWith($path, ['/', './'])) {
+            return false;
+        }
+        if (! Str::endsWith($path, '.blade.php')) {
+            return false;
+        }
+
+        return true;
+    }
+
     public function makeOptional(array $parameters = [])
     {
+        if (! $this->isSafePath($parameters['viewFile'])) {
+            return false;
+        }
+
         $originalContents = file_get_contents($parameters['viewFile']);
         $newContents = str_replace('$'.$parameters['variableName'], '$'.$parameters['variableName']." ?? ''", $originalContents);
 

diff --git a/tests/Solutions/MakeViewVariableOptionalSolutionTest.php b/tests/Solutions/MakeViewVariableOptionalSolutionTest.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace Facade\Ignition\Tests\Solutions;
+
+use Facade\Ignition\Solutions\MakeViewVariableOptionalSolution;
+use Facade\Ignition\Support\ComposerClassMap;
+use Facade\Ignition\Tests\TestCase;
+use Illuminate\Support\Facades\View;
+
+class MakeViewVariableOptionalSolutionTest extends TestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        View::addLocation(__DIR__.'/../stubs/views');
+
+        $this->app->bind(
+            ComposerClassMap::class,
+            function () {
+                return new ComposerClassMap(__DIR__.'/../../vendor/autoload.php');
+            }
+        );
+    }
+
+    /** @test */
+    public function it_does_not_open_scheme_paths()
+    {
+        $solution = $this->getSolutionForPath('php://filter/resource=./tests/stubs/views/blade-exception.blade.php');
+        $this->assertFalse($solution->isRunnable());
+    }
+
+    /** @test */
+    public function it_does_open_relative_paths()
+    {
+        $solution = $this->getSolutionForPath('./tests/stubs/views/blade-exception.blade.php');
+        $this->assertTrue($solution->isRunnable());
+    }
+
+    /** @test */
+    public function it_does_not_open_other_extentions()
+    {
+        $solution = $this->getSolutionForPath('./tests/stubs/views/php-exception.php');
+        $this->assertFalse($solution->isRunnable());
+    }
+
+    protected function getSolutionForPath($path): MakeViewVariableOptionalSolution
+    {
+        return new MakeViewVariableOptionalSolution('notSet', $path);
+    }
+}