Fix | V4 - Tidy Up Tests

composer.json

@@ -66,7 +66,7 @@
         "sort-packages": true
     },
     "scripts": {
-        "fix-code": [
+        "lint": [
             "./vendor/bin/php-cs-fixer fix --allow-risky=yes"
         ],
         "test": [

src/Helpers/Storage.php

@@ -49,13 +49,79 @@
     {
         $trimRules = DIRECTORY_SEPARATOR . ' ';
 
-        return rtrim($this->baseDirectory, $trimRules) . DIRECTORY_SEPARATOR . ltrim($path, $trimRules);
+        return mb_rtrim($this->baseDirectory, $trimRules) . DIRECTORY_SEPARATOR . mb_ltrim($path, $trimRules);
+    }
+
+    /**
+     * Normalize a path by resolving . and .. segments (no filesystem access).
+     */
+    protected function normalizePath(string $path): string
+    {
+        $leadingSlash = $path !== '' && $path[0] === DIRECTORY_SEPARATOR;
+        $leadingDrive = mb_strlen($path) >= 2 && $path[1] === ':';
+
+        $segments = [];
+        foreach (preg_split('#[/\\\\]+#', $path, -1, PREG_SPLIT_NO_EMPTY) ?: [] as $segment) {
+            if ($segment === '.') {
+                continue;
+            }
+            if ($segment === '..') {
+                array_pop($segments);
+                continue;
+            }
+            $segments[] = $segment;
+        }
+
+        $result = implode(DIRECTORY_SEPARATOR, $segments);
+        if ($leadingSlash && $result !== '') {
+            $result = DIRECTORY_SEPARATOR . $result;
+        }
+        if ($leadingDrive && $result !== '' && ! preg_match('#^[a-zA-Z]:#', $result)) {
+            $result = $path[0] . ':' . $result;
+        }
+
+        return $result;
+    }
+
+    /**
+     * Ensure the resolved path is under the base directory to prevent path traversal.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function ensurePathUnderBase(string $fullPath): void
+    {
+        $baseReal = realpath($this->baseDirectory);
+
+        if ($baseReal === false) {
+            throw new InvalidArgumentException('Unable to determine the realpath of the base directory.');
+        }
+
+        if (str_contains($fullPath, '~')) {
+            throw new InvalidArgumentException('Path must remain inside the storage base directory.');
+        }
+
+        $baseTrimmed = mb_rtrim($this->baseDirectory, DIRECTORY_SEPARATOR . ' ');
+        $baseNorm = $this->normalizePath($baseTrimmed);
+        $fullNorm = $this->normalizePath($fullPath);
+        $baseWithSep = $baseNorm . DIRECTORY_SEPARATOR;
+
+        if ($baseTrimmed !== '' && $fullNorm !== $baseNorm && ! str_starts_with($fullNorm, $baseWithSep)) {
+            throw new InvalidArgumentException('Path must remain inside the storage base directory.');
+        }
+
+        $pathSuffix = $baseTrimmed === '' ? $fullPath : ($fullNorm === $baseNorm ? '' : mb_substr($fullNorm, mb_strlen($baseWithSep)));
+        $normalizedAbsolute = $this->normalizePath($baseReal . DIRECTORY_SEPARATOR . $pathSuffix);
+
+        $baseWithSeparator = $baseReal . DIRECTORY_SEPARATOR;
+        if ($normalizedAbsolute !== $baseReal && ! str_starts_with($normalizedAbsolute, $baseWithSeparator)) {
+            throw new InvalidArgumentException('Path must remain inside the storage base directory.');
+        }
     }
 
     /**
      * Normalize a path by resolving . and .. segments (no filesystem access).
      */
     protected function normalizePath(string $path): string
     {
         $leadingSlash = $path !== '' && $path[0] === DIRECTORY_SEPARATOR;
         $leadingDrive = mb_strlen($path) >= 2 && $path[1] === ':';
@@ -88,7 +154,7 @@
      *
      * @throws InvalidArgumentException
      */
     protected function ensurePathUnderBase(string $fullPath): void
     {
         $baseReal = realpath($this->baseDirectory);
 

src/Helpers/URLHelper.php

@@ -6,9 +6,6 @@
 
 use InvalidArgumentException;
 
-/**
- * @internal
- */
 class URLHelper
 {
     /**

src/Http/Auth/TokenAuthenticator.php

@@ -22,6 +22,6 @@ public function __construct(
      */
     public function set(PendingRequest $pendingRequest): void
     {
-        $pendingRequest->headers()->add('Authorization', trim($this->prefix . ' ' . $this->token));
+        $pendingRequest->headers()->add('Authorization', mb_trim($this->prefix . ' ' . $this->token));
     }
 }

src/Traits/OAuth2/AuthorizationCodeGrant.php

@@ -58,7 +58,7 @@ public function getAuthorizationUrl(array $scopes = [], ?string $state = null, s
         ]);
 
         $query = http_build_query($queryParameters, '', '&', PHP_QUERY_RFC3986);
-        $query = trim($query, '?&');
+        $query = mb_trim($query, '?&');
 
         $url = URLHelper::join($this->resolveBaseUrl(), $config->getAuthorizeEndpoint());
 

tests/Feature/Mocking/FixturePathTraversalTest.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+use Saloon\Helpers\Storage;
+use Saloon\Http\Faking\Fixture;
+use Saloon\Data\RecordedResponse;
+use Saloon\Exceptions\FixtureException;
+
+beforeEach(function () {
+    $this->fixtureBaseDir = sys_get_temp_dir() . '/saloon_fixture_traversal_' . uniqid('', true);
+    mkdir($this->fixtureBaseDir, 0777, true);
+});
+
+afterEach(function () {
+    if (isset($this->fixtureBaseDir) && is_dir($this->fixtureBaseDir)) {
+        array_map('unlink', glob($this->fixtureBaseDir . '/*') ?: []);
+        rmdir($this->fixtureBaseDir);
+    }
+    $escapeWritePath = sys_get_temp_dir() . '/traversal_write_test.json';
+    if (file_exists($escapeWritePath)) {
+        unlink($escapeWritePath);
+    }
+    $escapeReadPath = sys_get_temp_dir() . '/traversal_read_target.json';
+    if (file_exists($escapeReadPath)) {
+        unlink($escapeReadPath);
+    }
+});
+
+test('fixture name with path traversal throws when getting mock response and does not read outside base', function () {
+    $storage = new Storage($this->fixtureBaseDir, true);
+
+    $externalPath = sys_get_temp_dir() . '/traversal_read_target.json';
+    $secretContent = 'read_from_outside';
+    file_put_contents($externalPath, json_encode([
+        'statusCode' => 200,
+        'headers' => [],
+        'data' => '{"secret":"' . $secretContent . '"}',
+        'context' => [],
+    ]));
+
+    $traversalName = '..' . DIRECTORY_SEPARATOR . 'traversal_read_target';
+    $fixture = new Fixture($traversalName, $storage);
+
+    expect(fn () => $fixture->getMockResponse())
+        ->toThrow(FixtureException::class, 'The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.');
+
+    expect(file_get_contents($externalPath))->toContain($secretContent);
+});
+
+test('fixture name with path traversal throws when storing and does not write outside base', function () {
+    $storage = new Storage($this->fixtureBaseDir, true);
+
+    $traversalName = '..' . DIRECTORY_SEPARATOR . 'traversal_write_test';
+    $fixture = new Fixture($traversalName, $storage);
+
+    $recordedResponse = new RecordedResponse(200, [], '{"pwned":true}');
+
+    expect(fn () => $fixture->store($recordedResponse))
+        ->toThrow(FixtureException::class, 'The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.');
+
+    $escapePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_write_test.json';
+    expect(file_exists($escapePath))->toBeFalse();
+});