[FEATURE] Add optional base-directory allowlist for parseFromFile #184

Merged: mteu merged 2 commits into main from feature/add-path-allowlist on May 12, 2026

@mteu (Owner) commented May 12, 2026

Adds an optional path-allowlist to parseFromFile() so callers that pass user-influenced paths can restrict reads to one or more directories.

CycloneDxParserOptions gains a third field alongside maxFileSize and maxNodes:

```php
public function __construct(
    public int $maxFileSize = self::DEFAULT_MAX_FILE_SIZE,
    public int $maxNodes = self::DEFAULT_MAX_NODES,
    public array $allowedBaseDirectories = [],
)
```

Override the loose default with:

```php
$parser = new CycloneDxParser(
    new CycloneDxParserOptions(allowedBaseDirectories: ['/srv/sboms']),
);
```

@mteu added the enhancement (New feature or request) label May 12, 2026
@mteu merged commit 35bc657 into main May 12, 2026
9 checks passed
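
A sketch of the kind of check a base-directory allowlist has to perform before a file is read, added here as an illustration; it is not code from this pull request or from the library. The function name `isPathAllowed`, the temp-directory layout and the reading of an empty list as "no restriction" are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not the library's code: true when $path resolves
 * to a location inside one of $allowedBaseDirectories.
 * Assumption: an empty allowlist means "no restriction".
 */
function isPathAllowed(string $path, array $allowedBaseDirectories): bool
{
    if ($allowedBaseDirectories === []) {
        return true;
    }
    // realpath() collapses ".." and follows symlinks; false means the path
    // does not exist or cannot be resolved, so fail closed.
    $real = realpath($path);
    if ($real === false) {
        return false;
    }
    foreach ($allowedBaseDirectories as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue; // a missing base directory matches nothing
        }
        // Compare with a trailing separator so "/srv/sboms-old" is not
        // accepted as being inside "/srv/sboms".
        $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (str_starts_with($real, $prefix)) {
            return true;
        }
    }
    return false;
}

// Constructed sample tree under the system temp directory.
$root = sys_get_temp_dir() . '/allowlist-demo-' . bin2hex(random_bytes(4));
mkdir("$root/sboms", 0700, true);
mkdir("$root/sboms-old", 0700, true);
file_put_contents("$root/sboms/app.cdx.json", '{}');
file_put_contents("$root/sboms-old/app.cdx.json", '{}');
file_put_contents("$root/other.json", '{}');

$allow = ["$root/sboms"];
var_dump(isPathAllowed("$root/sboms/app.cdx.json", $allow));      // inside the base
var_dump(isPathAllowed("$root/sboms/../other.json", $allow));     // ".." leaves the base
var_dump(isPathAllowed("$root/sboms-old/app.cdx.json", $allow));  // sibling sharing the prefix
var_dump(isPathAllowed("$root/sboms/missing.json", $allow));      // unresolvable path
```

The check and the later read are separate steps, so a caller relying on a check like this should open the resolved path rather than the original string.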
@coveralls
coverage: 99.013% (+0.1%) from 98.893% — feature/add-path-allowlist into main

@mteu deleted the feature/add-path-allowlist branch May 12, 2026 12:41