diff --git a/src/CorruptedPathDetected.php b/src/CorruptedPathDetected.php
new file mode 100644
index 000000000..70631ccc7
--- /dev/null
+++ b/src/CorruptedPathDetected.php
@@ -0,0 +1,13 @@
+removeFunkyWhiteSpace($path);
+ $this->rejectFunkyWhiteSpace($path);
 return $this->normalizeRelativePath($path);
 }
- private function removeFunkyWhiteSpace(string $path): string
+ private function rejectFunkyWhiteSpace(string $path): void
 {
- // Remove unprintable characters and invalid unicode characters.
- // We do this check in a loop, since removing invalid unicode characters
- // can lead to new characters being created.
- while (preg_match('#\p{C}+|^\./#u', $path)) {
- $path = (string) preg_replace('#\p{C}+|^\./#u', '', $path);
+ if (preg_match('#\p{C}+#u', $path)) {
+ throw CorruptedPathDetected::forPath($path);
 }
-
- return $path;
 }
 private function normalizeRelativePath(string $path): string
diff --git a/src/WhitespacePathNormalizerTest.php b/src/WhitespacePathNormalizerTest.php
index 62c185abd..a0288f795 100644
--- a/src/WhitespacePathNormalizerTest.php
+++ b/src/WhitespacePathNormalizerTest.php
@@ -55,7 +55,6 @@ public function pathProvider(): array
 ['example/path/..txt', 'example/path/..txt'],
 ['\\example\\path.txt', 'example/path.txt'],
 ['\\example\\..\\path.txt', 'path.txt'],
- ["some\0/path.txt", 'some/path.txt'],
 ];
 }
@@ -69,6 +68,21 @@ public function guarding_against_path_traversal(string $input): void
 $this->normalizer->normalizePath($input);
 }
+ /**
+ * @test
+ * @dataProvider dpFunkyWhitespacePaths
+ */
+ public function rejecting_funky_whitespace(string $path): void
+ {
+ self::expectException(CorruptedPathDetected::class);
+ $this->normalizer->normalizePath($path);
+ }
+
+ public function dpFunkyWhitespacePaths(): iterable
+ {
+ return [["some\0/path.txt"], ["s\x09i.php"]];
+ }
+
 /**
 * @return array>
 */
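Review bot: In `rejectFunkyWhiteSpace`, `if (preg_match('#\p{C}+#u', $path))` treats a `false` return the same as "no match", so the guard fails open when PCRE cannot scan the subject at all; with the `u` modifier that includes a path that is not valid UTF-8. Since the method now rejects instead of cleaning, compare explicitly with `if (preg_match('#\p{C}+#u', $path) !== 0) {` so that a PCRE error also raises `CorruptedPathDetected`, and add a malformed-UTF-8 case to `dpFunkyWhitespacePaths` to pin that behaviour. The new pattern also no longer strips a leading `./`; that is presumably left to `normalizeRelativePath`, whose body is outside this hunk, so it is worth confirming with a test case. The file header and `@@` line of this hunk are missing from the page, so the start of the enclosing method is not visible.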
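Review bot: In `rejecting_funky_whitespace` (hunk `@@ -69,6 +68,21 @@` of `WhitespacePathNormalizerTest.php`), `self::expectException(...)` calls PHPUnit's instance method through `self::`; `$this->expectException(CorruptedPathDetected::class);` reads consistently with the `$this->normalizer` call on the next line. The new provider `dpFunkyWhitespacePaths` has no docblock although the provider that follows it carries an `@return`; something like `/** @return iterable<array{string}> */` would keep static analysis informed. Each dataset could also be given a string key (for example `'nul byte'`, `'tab'`) so that a failing case is named in the test output.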