Security fix (#44)

input validation
---------

Signed-off-by: rahul <rcsofttech85@gmail.com>

Author: rcsofttech85

bin/view-csv

@@ -6,6 +6,7 @@ require 'vendor/autoload.php';
 use Rcsofttech85\FileHandler\CsvFileHandler;
 use Rcsofttech85\FileHandler\DependencyInjection\ServiceContainer;
 use Rcsofttech85\FileHandler\Exception\FileHandlerException;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
@@ -24,7 +25,11 @@ $command = (new SingleCommandApplication())
         $hiddenColumns = $input->getOption('hide-column');
         $limit = $input->getOption('limit');
 
-        if (!file_exists($csvFile)) {
+        try {
+            $csvFile = (new class {
+                use FileValidatorTrait;
+            })->validateFileName($csvFile);
+        } catch (FileHandlerException) {
             $io->error("{$csvFile} does not exists");
             return Command::FAILURE;
         }

bin/view-json

@@ -4,6 +4,7 @@
 use Rcsofttech85\FileHandler\DependencyInjection\ServiceContainer;
 use Rcsofttech85\FileHandler\Exception\FileHandlerException;
 use Rcsofttech85\FileHandler\JsonFileHandler;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
@@ -25,7 +26,11 @@ $command = (new SingleCommandApplication())
         $hiddenColumns = $input->getOption('hide-column');
         $hiddenColumns = $hiddenColumns ? explode(',', $hiddenColumns) : false;
 
-        if (!file_exists($jsonFile)) {
+        try {
+            $jsonFile = (new class {
+                use FileValidatorTrait;
+            })->validateFileName($jsonFile);
+        } catch (FileHandlerException) {
             $io->error("{$jsonFile} does not exists");
             return Command::FAILURE;
         }

src/CsvFileHandler.php

@@ -5,10 +5,12 @@
 use Generator;
 use Rcsofttech85\FileHandler\Exception\FileHandlerException;
 use Rcsofttech85\FileHandler\Utilities\RowColumnHelper;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 
 class CsvFileHandler
 {
     use RowColumnHelper;
+    use FileValidatorTrait;
 
     public function __construct(
         private readonly TempFileHandler $tempFileHandler
@@ -29,11 +31,6 @@ public function searchInCsvFile(
         string $column,
         string|null $format = null
     ): bool|array {
-        if (!file_exists($filename)) {
-            throw new FileHandlerException('file not found');
-        }
-
-
         foreach ($this->getRows($filename) as $row) {
             if ($keyword === $row[$column]) {
                 return ($format === FileHandler::ARRAY_FORMAT) ? $row : true;
@@ -42,6 +39,11 @@ public function searchInCsvFile(
         return false;
     }
 
+    /**
+     * @param string $filename
+     * @return string|false
+     * @throws FileHandlerException
+     */
 
     public function toJson(string $filename): string|false
     {
@@ -53,18 +55,23 @@ public function toJson(string $filename): string|false
     /**
      * @param string $filename
      * @param array<string> $hideColumns
+     * @param int|false $limit
      * @return array<int,array<string,string>>
      * @throws FileHandlerException
      */
     public function toArray(string $filename, array|false $hideColumns = false, int|false $limit = false): array
     {
-        if (!file_exists($filename)) {
-            throw new FileHandlerException('file not found');
-        }
-
         return iterator_to_array($this->getRows($filename, $hideColumns, $limit));
     }
 
+    /**
+     * @param string $filename
+     * @param string $keyword
+     * @param string $replace
+     * @param string|null $column
+     * @return bool
+     * @throws FileHandlerException
+     */
     public function findAndReplaceInCsv(
         string $filename,
         string $keyword,
@@ -160,6 +167,7 @@ private function isValidCsvFileFormat(array $row): bool
      */
     private function getRows(string $filename, array|false $hideColumns = false, int|false $limit = false): Generator
     {
+        $filename = $this->validateFileName($filename);
         $csvFile = fopen($filename, 'r');
         if (!$csvFile) {
             throw new FileHandlerException('file not found');

src/DependencyInjection/ServiceContainer.php

@@ -5,14 +5,22 @@
 use Symfony\Component\Config\FileLocator;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
+use Symfony\Component\Dotenv\Dotenv;
 
 class ServiceContainer
 {
     public function getContainerBuilder(): ContainerBuilder
     {
+        $dotenv = new Dotenv();
+        $dotenv->load('.env');
+
+
         $containerBuilder = new ContainerBuilder();
         $loader = new YamlFileLoader($containerBuilder, new FileLocator(__DIR__ . '/../../src/config'));
         $loader->load('services.yaml');
+
+        $containerBuilder->setParameter('FILE_NAME', $_ENV['FILE_NAME']);
+
         return $containerBuilder;
     }
 }

src/FileEncryptor.php

@@ -4,18 +4,26 @@
 
 use Exception;
 use Rcsofttech85\FileHandler\Exception\FileEncryptorException;
+use Rcsofttech85\FileHandler\Exception\FileHandlerException;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 use SensitiveParameter;
 use SodiumException;
 
 readonly class FileEncryptor
 {
+    use FileValidatorTrait;
+
+    /**
+     * @param string $filename
+     * @param string $secret
+     *
+     * @throws FileHandlerException
+     */
     public function __construct(
         private string $filename,
         #[SensitiveParameter] private string $secret
     ) {
-        if (!file_exists($this->filename)) {
-            throw new FileEncryptorException("File not found");
-        }
+        $this->validateFileName($filename);
     }
 
     /**

src/FileHandler.php

@@ -4,10 +4,13 @@
 
 use finfo;
 use Rcsofttech85\FileHandler\Exception\FileHandlerException;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 use ZipArchive;
 
 class FileHandler
 {
+    use FileValidatorTrait;
+
     public const ARRAY_FORMAT = 'array';
 
     /**
@@ -16,12 +19,16 @@ class FileHandler
     private null|array $files = [];
 
 
+    /**
+     * @throws FileHandlerException
+     */
     public function open(
         string $filename,
         string $mode = "w",
         bool $include_path = false,
         mixed $context = null
     ): self {
+        $filename = $this->sanitize($filename);
         $file = fopen($filename, $mode, $include_path, $context);
 
         if (!$file) {
@@ -58,9 +65,7 @@ public function write(string $data, ?int $length = null): void
      */
     public function compress(string $filename, string $zipFilename): void
     {
-        if (!file_exists($filename)) {
-            throw new FileHandlerException('File to compress does not exist.');
-        }
+        $filename = $this->validateFileName($filename);
 
         $zip = new ZipArchive();
 
@@ -81,9 +86,7 @@ public function compress(string $filename, string $zipFilename): void
      */
     public function getMimeType(string $filename): string
     {
-        if (!file_exists($filename)) {
-            throw new FileHandlerException('file does not exist.');
-        }
+        $filename = $this->validateFileName($filename);
 
         $fileInfo = new finfo(FILEINFO_MIME_TYPE);
         $mimeType = $fileInfo->file($filename);
@@ -99,9 +102,7 @@ public function getMimeType(string $filename): string
      */
     public function decompress(string $zipFilename, string $extractPath = "./"): void
     {
-        if (!file_exists($zipFilename)) {
-            throw new FileHandlerException('ZIP archive does not exist.');
-        }
+        $zipFilename = $this->validateFileName($zipFilename);
 
         $zip = new ZipArchive();
 
@@ -142,9 +143,8 @@ public function resetFiles(): void
      */
     public function delete(string $filename): void
     {
-        if (!file_exists($filename)) {
-            throw new FileHandlerException('file does not exists');
-        }
+        $filename = $this->validateFileName($filename);
+
         unlink($filename);
     }
 }

src/FileHashChecker.php

@@ -3,22 +3,23 @@
 namespace Rcsofttech85\FileHandler;
 
 use Rcsofttech85\FileHandler\Exception\HashException;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 
 class FileHashChecker
 {
+    use FileValidatorTrait;
+
     public const ALGO_256 = 'sha3-256';
     public const ALGO_512 = 'sha3-512';
 
     /**
      * @param string $filename
      * @param CsvFileHandler $csvFileHandler
-     * @throws HashException
+     * @throws Exception\FileHandlerException
      */
-    public function __construct(private readonly string $filename, private readonly CsvFileHandler $csvFileHandler)
+    public function __construct(private string $filename, private readonly CsvFileHandler $csvFileHandler)
     {
-        if (!file_exists($this->filename)) {
-            throw new HashException('file not found');
-        }
+        $this->filename = $this->validateFileName($filename);
     }
 
     /**

src/JsonFileHandler.php

@@ -5,10 +5,12 @@
 use Generator;
 use Rcsofttech85\FileHandler\Exception\FileHandlerException;
 use Rcsofttech85\FileHandler\Utilities\RowColumnHelper;
+use Rcsofttech85\FileHandler\Validator\FileValidatorTrait;
 
 class JsonFileHandler
 {
     use RowColumnHelper;
+    use FileValidatorTrait;
 
     /**
      * @param string $filename
@@ -35,7 +37,7 @@ public function toArray(
 
     private function validateFile(string $filename): array
     {
-        $this->checkFileExistence($filename);
+        $filename = $this->validateFileName($filename);
         $jsonContents = $this->getFileContents($filename);
         $contents = $this->parseJson($jsonContents);
         if (!$contents) {
@@ -45,17 +47,6 @@ private function validateFile(string $filename): array
         return $contents;
     }
 
-    /**
-     * @param string $filename
-     * @return void
-     * @throws FileHandlerException
-     */
-    private function checkFileExistence(string $filename): void
-    {
-        if (!file_exists($filename)) {
-            throw new FileHandlerException('File not found');
-        }
-    }
 
     /**
      * @param string $filename

src/Validator/FileValidatorTrait.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace Rcsofttech85\FileHandler\Validator;
+
+use Rcsofttech85\FileHandler\DependencyInjection\ServiceContainer;
+use Rcsofttech85\FileHandler\Exception\FileHandlerException;
+
+trait FileValidatorTrait
+{
+    /**
+     * @param string $filename
+     * @param string|null $path
+     * @return string
+     * @throws FileHandlerException
+     */
+    public function validateFileName(string $filename, string|null $path = null): string
+    {
+        $container = (new ServiceContainer())->getContainerBuilder();
+
+        $stored_hash_file = $container->getParameter('FILE_NAME');
+
+        if ($filename != $stored_hash_file) {
+            self::sanitize($filename);
+        }
+
+
+        if ($path) {
+            $absolutePath = realpath($path);
+            $absolutePath ?:
+                throw new FileHandlerException("path {$path} is not valid')");
+            $filename = $absolutePath . DIRECTORY_SEPARATOR . $filename;
+        }
+
+
+        if (!file_exists($filename)) {
+            throw new FileHandlerException('file not found');
+        }
+        return $filename;
+    }
+
+    /**
+     * @throws FileHandlerException
+     */
+    public function sanitize(string $filename): string
+    {
+        $pattern = '/^[a-zA-Z0-9_.-]+$/';
+        if (!preg_match($pattern, $filename)) {
+            throw new FileHandlerException('file not found');
+        }
+
+        return $filename;
+    }
+}