feat: prevent hash collisions, add file locking and cache unit test

ironashram · ironashram · commit 473c149fc594 · 2026-02-06T09:25:06.000+01:00
Signed-off-by: Michele Palazzi &lt;sysdadmin@m1k.cloud&gt;
diff --git a/src/cache.php b/src/cache.php
@@ -15,16 +15,24 @@
 /**
  * Generate a cache key for a user's request
  *
+ * Uses structured JSON format to prevent hash collisions between different
+ * user/options combinations that could produce the same concatenated string.
+ *
  * @param string $user GitHub username
  * @param array $options Additional options that affect the stats (mode, exclude_days, starting_year)
  * @return string Cache key (filename-safe)
  */
 function getCacheKey(string $user, array $options = []): string
 {
-    // Normalize options
     ksort($options);
-    $optionsString = json_encode($options);
-    return hash("sha256", $user . $optionsString);
+    try {
+        $keyData = json_encode(["user" => $user, "options" => $options], JSON_THROW_ON_ERROR);
+    } catch (JsonException $e) {
+        // Fallback to simple concatenation if JSON encoding fails
+        error_log("Cache key JSON encoding failed: " . $e->getMessage());
+        $keyData = $user . serialize($options);
+    }
+    return hash("sha256", $keyData);
 }
 
 /**
@@ -68,17 +76,32 @@ function getCachedStats(string $user, array $options = [], int $maxAge = CACHE_D
         return null;
     }
 
-    $fileAge = time() - filemtime($filePath);
+    $mtime = @filemtime($filePath);
+    if ($mtime === false) {
+        return null;
+    }
+
+    $fileAge = time() - $mtime;
     if ($fileAge > $maxAge) {
-        // Cache expired, delete the file
-        if (file_exists($filePath)) {
-            unlink($filePath);
-        }
+        @unlink($filePath);
         return null;
     }
 
-    $contents = file_get_contents($filePath);
-    if ($contents === false) {
+    $handle = @fopen($filePath, "r");
+    if ($handle === false) {
+        return null;
+    }
+
+    if (!flock($handle, LOCK_SH)) {
+        fclose($handle);
+        return null;
+    }
+
+    $contents = @stream_get_contents($handle);
+    flock($handle, LOCK_UN);
+    fclose($handle);
+
+    if ($contents === false || $contents === "") {
         return null;
     }
 
@@ -101,18 +124,26 @@ function getCachedStats(string $user, array $options = [], int $maxAge = CACHE_D
 function setCachedStats(string $user, array $options, array $stats): bool
 {
     if (!ensureCacheDir()) {
+        error_log("Failed to create cache directory: " . CACHE_DIR);
         return false;
     }
 
     $key = getCacheKey($user, $options);
     $filePath = getCacheFilePath($key);
 
-    $data = json_encode($stats, JSON_PRETTY_PRINT);
+    $data = json_encode($stats);
     if ($data === false) {
+        error_log("Failed to encode stats to JSON for user: " . $user);
         return false;
     }
 
-    return file_put_contents($filePath, $data, LOCK_EX) !== false;
+    $result = file_put_contents($filePath, $data, LOCK_EX);
+    if ($result === false) {
+        error_log("Failed to write cache file: " . $filePath);
+        return false;
+    }
+
+    return true;
 }
 
 /**
@@ -135,9 +166,13 @@ function clearExpiredCache(int $maxAge = CACHE_DURATION): int
     }
 
     foreach ($files as $file) {
-        $fileAge = time() - filemtime($file);
+        $mtime = @filemtime($file);
+        if ($mtime === false) {
+            continue;
+        }
+        $fileAge = time() - $mtime;
         if ($fileAge > $maxAge) {
-            if (file_exists($file) && unlink($file)) {
+            if (@unlink($file)) {
                 $deleted++;
             }
         }
@@ -149,22 +184,25 @@ function clearExpiredCache(int $maxAge = CACHE_DURATION): int
 /**
  * Clear cache for a specific user
  *
+ * Note: This function only clears the cache for the user with empty/default options.
+ * Cache entries with non-empty options (starting_year, mode, exclude_days) will NOT
+ * be cleared. This is a limitation of the hash-based cache key system - we cannot
+ * enumerate all possible option combinations without storing additional metadata.
+ *
  * @param string $user GitHub username
- * @return bool True if cache was cleared
+ * @return bool True if cache was cleared (or didn't exist)
  */
 function clearUserCache(string $user): bool
 {
     if (!is_dir(CACHE_DIR)) {
         return true;
     }
 
-    // Since we use a hash, we need to check all files
-    // For simplicity, just clear the cache with empty options
     $key = getCacheKey($user, []);
     $filePath = getCacheFilePath($key);
 
     if (file_exists($filePath)) {
-        return unlink($filePath);
+        return @unlink($filePath);
     }
 
     return true;
diff --git a/src/index.php b/src/index.php
@@ -51,7 +51,7 @@
 
     if ($cachedStats !== null) {
         // Use cached stats - instant response!
-        renderOutput($cachedStats);
+        $stats = $cachedStats;
     } else {
         // Fetch fresh data from GitHub API
         $contributionGraphs = getContributionGraphs($user, $startingYear);
@@ -67,9 +67,9 @@
 
         // Cache the stats for 24 hours
         setCachedStats($user, $cacheOptions, $stats);
-
-        renderOutput($stats);
     }
+
+    renderOutput($stats);
 } catch (InvalidArgumentException | AssertionError $error) {
     error_log("Error {$error->getCode()}: {$error->getMessage()}");
     if ($error->getCode() >= 500) {
diff --git a/tests/CacheTest.php b/tests/CacheTest.php
@@ -0,0 +1,190 @@
+<?php
+
+declare(strict_types=1);
+
+use PHPUnit\Framework\TestCase;
+
+// load functions
+require_once dirname(__DIR__, 1) . "/vendor/autoload.php";
+require_once "src/cache.php";
+
+final class CacheTest extends TestCase
+{
+    private string $testCacheDir;
+
+    protected function setUp(): void
+    {
+        // Use a temp directory for tests to avoid interfering with production cache
+        $this->testCacheDir = sys_get_temp_dir() . "/github-streak-cache-test-" . uniqid();
+        if (!is_dir($this->testCacheDir)) {
+            mkdir($this->testCacheDir, 0755, true);
+        }
+    }
+
+    protected function tearDown(): void
+    {
+        // Clean up test cache directory
+        if (is_dir($this->testCacheDir)) {
+            $files = glob($this->testCacheDir . "/*.json");
+            if ($files) {
+                foreach ($files as $file) {
+                    @unlink($file);
+                }
+            }
+            @rmdir($this->testCacheDir);
+        }
+    }
+
+    /**
+     * Test cache key generation produces consistent results
+     */
+    public function testCacheKeyConsistency(): void
+    {
+        $key1 = getCacheKey("testuser", ["mode" => "weekly"]);
+        $key2 = getCacheKey("testuser", ["mode" => "weekly"]);
+        $this->assertEquals($key1, $key2, "Same inputs should produce same cache key");
+    }
+
+    /**
+     * Test cache key generation produces different results for different inputs
+     */
+    public function testCacheKeyDifferentInputs(): void
+    {
+        $key1 = getCacheKey("user1", []);
+        $key2 = getCacheKey("user2", []);
+        $this->assertNotEquals($key1, $key2, "Different users should produce different cache keys");
+
+        $key3 = getCacheKey("testuser", ["mode" => "weekly"]);
+        $key4 = getCacheKey("testuser", ["mode" => "daily"]);
+        $this->assertNotEquals($key3, $key4, "Different options should produce different cache keys");
+    }
+
+    /**
+     * Test that cache key prevents hash collisions
+     * e.g., user "ab" with options containing "cd" should not collide with user "abc" with options containing "d"
+     */
+    public function testCacheKeyNoCollisions(): void
+    {
+        // This tests the fix for the hash collision vulnerability
+        $key1 = getCacheKey("ab", ["option" => "cd"]);
+        $key2 = getCacheKey("abc", ["option" => "d"]);
+        $this->assertNotEquals($key1, $key2, "Similar concatenated strings should not produce same hash");
+
+        $key3 = getCacheKey("ab", ["x" => "cd"]);
+        $key4 = getCacheKey("abcd", []);
+        $this->assertNotEquals($key3, $key4, "User + options should not collide with user alone");
+    }
+
+    /**
+     * Test cache key generation sorts options for consistency
+     */
+    public function testCacheKeyOptionOrdering(): void
+    {
+        $key1 = getCacheKey("testuser", ["a" => "1", "b" => "2"]);
+        $key2 = getCacheKey("testuser", ["b" => "2", "a" => "1"]);
+        $this->assertEquals($key1, $key2, "Option order should not affect cache key");
+    }
+
+    /**
+     * Test cache key is filename-safe (SHA256 hex)
+     */
+    public function testCacheKeyFormat(): void
+    {
+        $key = getCacheKey("testuser", ["mode" => "weekly"]);
+        $this->assertMatchesRegularExpression("/^[a-f0-9]{64}$/", $key, "Cache key should be 64-character hex string");
+    }
+
+    /**
+     * Test cache file path generation
+     */
+    public function testGetCacheFilePath(): void
+    {
+        $key = "abc123";
+        $path = getCacheFilePath($key);
+        $this->assertStringEndsWith("/cache/abc123.json", $path);
+    }
+
+    /**
+     * Test setCachedStats and getCachedStats roundtrip
+     */
+    public function testCacheRoundtrip(): void
+    {
+        $user = "roundtripuser";
+        $options = ["mode" => "weekly", "starting_year" => 2020];
+        $stats = [
+            "totalContributions" => 100,
+            "currentStreak" => ["start" => "2024-01-01", "end" => "2024-01-10", "length" => 10],
+            "longestStreak" => ["start" => "2023-06-01", "end" => "2023-07-15", "length" => 45],
+            "firstContribution" => "2020-01-15",
+        ];
+
+        // Write to cache
+        $result = setCachedStats($user, $options, $stats);
+        $this->assertTrue($result, "setCachedStats should return true on success");
+
+        // Read back from cache
+        $cached = getCachedStats($user, $options);
+        $this->assertNotNull($cached, "getCachedStats should return cached data");
+        $this->assertEquals($stats, $cached, "Cached data should match original");
+    }
+
+    /**
+     * Test getCachedStats returns null for non-existent cache
+     */
+    public function testGetCachedStatsNotFound(): void
+    {
+        $result = getCachedStats("nonexistentuser12345", []);
+        $this->assertNull($result, "getCachedStats should return null for non-existent cache");
+    }
+
+    /**
+     * Test setCachedStats handles invalid data gracefully
+     */
+    public function testSetCachedStatsWithEmptyStats(): void
+    {
+        $result = setCachedStats("emptyuser", [], []);
+        $this->assertTrue($result, "setCachedStats should handle empty stats array");
+
+        $cached = getCachedStats("emptyuser", []);
+        $this->assertEquals([], $cached, "Empty stats should be cached and retrieved");
+    }
+
+    /**
+     * Test clearUserCache clears cache for user with default options
+     */
+    public function testClearUserCache(): void
+    {
+        $user = "clearableuser";
+        $stats = ["totalContributions" => 50];
+
+        // Set cache
+        setCachedStats($user, [], $stats);
+        $this->assertNotNull(getCachedStats($user, []));
+
+        // Clear cache
+        $result = clearUserCache($user);
+        $this->assertTrue($result);
+
+        // Verify cleared
+        $this->assertNull(getCachedStats($user, []));
+    }
+
+    /**
+     * Test clearUserCache returns true for non-existent user
+     */
+    public function testClearUserCacheNonExistent(): void
+    {
+        $result = clearUserCache("definitelynotauser999");
+        $this->assertTrue($result, "clearUserCache should return true for non-existent cache");
+    }
+
+    /**
+     * Test ensureCacheDir creates directory
+     */
+    public function testEnsureCacheDir(): void
+    {
+        $result = ensureCacheDir();
+        $this->assertTrue($result);
+        $this->assertTrue(is_dir(CACHE_DIR));
+    }
+}
