Merge pull request #6 from BrianHenryIE/master

Bugfix: Escape spaces in directory path.
kporras07 · Nov 22, 2019 · 2e9a3a6 · 2e9a3a6
2 parents 75a4774 + b9c18a3
commit 2e9a3a6
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/src/ScriptHandler.php b/src/ScriptHandler.php
@@ -20,6 +20,9 @@ public static function createSymlinks(Event $event, Filesystem $filesystem = nul
         $filesystem = $filesystem ?: new Filesystem;
 
         foreach ($symlinks as $sourceRelativePath => $targetRelativePath) {
+            // Remove trailing slash that can cause the target to be deleted by ln.
+            $targetRelativePath = rtrim($targetRelativePath, '/');
+
             $sourceAbsolutePath = sprintf('%s/%s', $rootPath, $sourceRelativePath);
             $targetAbsolutePath = sprintf('%s/%s', $rootPath, $targetRelativePath);
             if (!file_exists($sourceAbsolutePath)) {
@@ -44,6 +47,9 @@ public static function createSymlinks(Event $event, Filesystem $filesystem = nul
                 $command = 'cp -r';
             }
 
+            // Escape spaces in path.
+            $targetDirname = preg_replace('/(?<!\\))[ ]/', '\\ ', $targetDirname);
+
             // Build and execute final command.
             $mkdirCmd = 'mkdir -p ' . $targetDirname;
             exec($mkdirCmd);

diff --git a/tests/ScriptHandlerTest.php b/tests/ScriptHandlerTest.php
@@ -54,4 +54,45 @@ function test_symlinks_creation()
         ]);
         ScriptHandler::createSymlinks($this->event, $this->filesystem);
     }
+
+    /**
+     * As the `ln` command is executed, it first `cd`s into the destination directory. If there is a space
+     * anywhere in the path, the `cd` command fails to run properly and the operation fails.
+     *
+     * @see https://www.phpliveregex.com/p/uaf#tab-preg-replace
+     */
+    function test_escape_spaces_in_target_dir()
+    {
+        $sampledir = '/users/BrianHenryIE/Sites/foo bar/';
+
+        $expected = '/users/BrianHenryIE/Sites/foo\ bar/';
+
+        $actual = preg_replace('/(?<!\\))[ ]/', '\\ ', $sampledir);
+
+        $this->assertSame($expected, $actual);
+    }
+
+    /**
+     * When the location of the new symlink contained a trailing slash, the original data would be deleted.
+     *
+     * e.g. the config "trunk": "wp-content/plugins/bh-wp-technique-gym/" would delete trunk.
+     */
+    function test_input_sanitization()
+    {
+        $this->io
+            ->expects($this->exactly(1))
+            ->method('write')
+            ->withConsecutive(
+                ['<info>Creating symlink for "foo" into "bar"</info>'],
+                ['<info>Creating symlink for "foo2" into "bar"</info>']
+            );
+
+        $this->package->setExtra([
+            'symlinks' => [
+                'foo' => 'bar/',
+                'foo2' => 'bar',
+            ],
+        ]);
+        ScriptHandler::createSymlinks($this->event, $this->filesystem);
+    }
 }