Merge branch 'archtechx:3.x' into 3.x

icaliman · Aug 30, 2023 · f4b501d · f4b501d
2 parents a56c707 + 4af70d3
commit f4b501d
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 2 deletions.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
   - name: Support Questions & Other
-    url: https://github.com/stancl/tenancy/blob/3.x/SUPPORT.md
+    url: https://archte.ch/discord
     about: 'If you have a question or need help using the package.'
   - name: Documentation Issue
     url: https://github.com/stancl/tenancy-docs/issues

diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ coverage/
 clover.xml
 tests/Etc/tmp/queuetest.json
 docker-compose.override.yml
+.DS_Store
diff --git a/src/Controllers/TenantAssetsController.php b/src/Controllers/TenantAssetsController.php
@@ -18,12 +18,28 @@ public function __construct()
 
     public function asset($path = null)
     {
-        abort_if($path === null, 404);
+        $this->validatePath($path);
 
         try {
             return response()->file(storage_path("app/public/$path"));
         } catch (Throwable $th) {
             abort(404);
         }
     }
+
+    /**
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    protected function validatePath(string|null $path): void
+    {
+        abort_if($path === null, 404);
+
+        $allowedRoot = storage_path('app/public');
+
+        // Prevent path traversal attacks. This is generally a non-issue on modern
+        // webservers but it's still worth handling on the application level as well.
+        if (! str(realpath("{$allowedRoot}/{$path}"))->startsWith($allowedRoot)) {
+            abort(403);
+        }
+    }
 }
diff --git a/src/Middleware/InitializeTenancyByRequestData.php b/src/Middleware/InitializeTenancyByRequestData.php
@@ -6,6 +6,7 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Stancl\Tenancy\Contracts\TenantResolver;
 use Stancl\Tenancy\Resolvers\RequestDataTenantResolver;
 use Stancl\Tenancy\Tenancy;
 

diff --git a/tests/TenantAssetTest.php b/tests/TenantAssetTest.php
@@ -141,4 +141,17 @@ public function test_asset_controller_returns_a_404_when_no_path_is_provided()
         $response->assertNotFound();
     }
 
+    public function test_asset_controller_returns_a_403_when_an_invalid_path_is_provided()
+    {
+        TenantAssetsController::$tenancyMiddleware = InitializeTenancyByRequestData::class;
+
+        $tenant = Tenant::create();
+
+        tenancy()->initialize($tenant);
+        $response = $this->get(tenant_asset('../foo.txt'), [
+            'X-Tenant' => $tenant->id,
+        ]);
+
+        $response->assertForbidden();
+    }
 }