Skip to content

[5.x] Fix token path traversal #14700

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jasonvarga merged 10 commits into from
May 21, 2026
+45 −0
Merged

[5.x] Fix token path traversal #14700

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
68330c3
Add failing test
duncanmcclean May 21, 2026
a5ad9f0
Tweak tests
duncanmcclean May 21, 2026
0e9bddf
Prevent path traversal in token repository
duncanmcclean May 21, 2026
4f4351e
Handle race condition in `LivePreview::tokenize()`
duncanmcclean May 21, 2026
151ac7e
Skip token lookup when token is empty
duncanmcclean May 21, 2026
8d0a82c
Use unique token name in test
duncanmcclean May 21, 2026
efe7f59
keep the race condition fix out of this pr
jasonvarga May 21, 2026
e3e770c
Validate token names against an allowlist
jasonvarga May 21, 2026
0b75e1c
Throw when making a token with an invalid name
jasonvarga May 21, 2026
19e1eaf
Use \z anchor so a trailing newline is rejected
jasonvarga May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions src/Tokens/FileTokenRepository.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,19 @@ class FileTokenRepository extends TokenRepository
{
public function make(?string $token, string $handler, array $data = []): TokenContract
{
if ($token && ! $this->isValidTokenName($token)) {
throw new \InvalidArgumentException("Invalid token name [{$token}].");
}

return app()->makeWith(TokenContract::class, compact('token', 'handler', 'data'));
}

public function find(string $token): ?TokenContract
{
if (! $this->isValidTokenName($token)) {
return null;
}

$path = storage_path('statamic/tokens/'.$token.'.yaml');

if (! File::exists($path)) {
Expand Down Expand Up @@ -55,6 +63,11 @@ public function collectGarbage(): void
->each->delete();
}

private function isValidTokenName(string $token): bool
{
return (bool) preg_match('/^[A-Za-z0-9_-]+\z/', $token);
}

private function makeFromPath(string $path): FileToken
{
$yaml = YAML::file($path)->parse();
Expand Down
32 changes: 32 additions & 0 deletions tests/Tokens/TokenRepositoryTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
use Facades\Statamic\Tokens\Generator;
use Illuminate\Support\Carbon;
use Illuminate\Support\Collection;
use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\Attributes\Test;
use Statamic\Contracts\Tokens\Token;
use Statamic\Facades\File;
Expand Down Expand Up @@ -129,6 +130,37 @@ public function attempting_to_find_a_non_existent_token_returns_null()
$this->assertNull($this->tokens->find('missing-token'));
}

#[Test]
public function it_prevents_path_traversal_in_find()
{
File::put(storage_path('statamic/evil.yaml'), "handler: 'Handler'\nexpires_at: 9999999999\ndata: []");

$this->assertNull($this->tokens->find('../evil'));
}

#[Test]
#[DataProvider('invalidTokenNameProvider')]
public function it_throws_when_making_a_token_with_an_invalid_name($token)
{
$this->expectException(\InvalidArgumentException::class);

$this->tokens->make($token, 'Handler');
}

public static function invalidTokenNameProvider()
{
return [
'parent traversal' => ['../evil'],
'backslash traversal' => ['..\\evil'],
'nested traversal' => ['foo/../../evil'],
'forward slash' => ['foo/evil'],
'dots only' => ['..'],
'absolute path' => ['/etc/passwd'],
'windows drive' => ['C:\\evil'],
'trailing newline' => ["evil\n"],
];
}

#[Test]
public function it_deletes_expired_tokens()
{
Expand Down
Loading