Merge branch '1-3-fix-GHSA-8xmh-xrvp-hwrf' into 1.3.x

asgrim · asgrim · commit f5203dc103b3 · 2026-05-26T09:22:47.000+01:00
diff --git a/src/Installing/WindowsInstall.php b/src/Installing/WindowsInstall.php
@@ -5,6 +5,7 @@
 namespace Php\Pie\Installing;
 
 use Composer\IO\IOInterface;
+use FilesystemIterator;
 use Php\Pie\Downloading\DownloadedPackage;
 use Php\Pie\File\BinaryFile;
 use Php\Pie\File\WindowsDelete;
@@ -21,7 +22,11 @@
 use function file_exists;
 use function is_file;
 use function mkdir;
+use function realpath;
+use function sprintf;
+use function str_contains;
 use function str_replace;
+use function str_starts_with;
 use function strlen;
 use function substr;
 
@@ -53,14 +58,19 @@ public function __invoke(
             $io->write('<info>Copied PDB to:</info> ' . $destinationPdbName);
         }
 
-        foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($extractedSourcePath)) as $file) {
+        $iterator = new RecursiveIteratorIterator(
+            new RecursiveDirectoryIterator($extractedSourcePath, FilesystemIterator::SKIP_DOTS),
+        );
+
+        foreach ($iterator as $file) {
             assert($file instanceof SplFileInfo);
 
             /**
-             * Skip directories, the main DLL, PDB
+             * Skip directories, the main DLL, PDB and symlinks
              */
             if (
                 $file->isDir()
+                || $file->isLink()
                 || $this->normalisedPathsMatch($file->getPathname(), $sourceDllName)
                 || $this->normalisedPathsMatch($file->getPathname(), $sourcePdbName)
             ) {
@@ -180,17 +190,42 @@ private function copyDependencyDll(TargetPlatform $targetPlatform, SplFileInfo $
      */
     private function copyExtraFile(TargetPlatform $targetPlatform, DownloadedPackage $downloadedPackage, SplFileInfo $file): string
     {
-        $destinationFullFilename = dirname($targetPlatform->phpBinaryPath->phpBinaryPath) . DIRECTORY_SEPARATOR
+        $extrasRoot = dirname($targetPlatform->phpBinaryPath->phpBinaryPath) . DIRECTORY_SEPARATOR
             . 'extras' . DIRECTORY_SEPARATOR
-            . $downloadedPackage->package->extensionName()->name() . DIRECTORY_SEPARATOR
-            . substr($file->getPathname(), strlen($downloadedPackage->extractedSourcePath) + 1);
+            . $downloadedPackage->package->extensionName()->name();
+
+        $relativeName = substr($file->getPathname(), strlen($downloadedPackage->extractedSourcePath) + 1);
+
+        if (str_contains($relativeName, '..' . DIRECTORY_SEPARATOR) || str_starts_with($relativeName, '..')) {
+            throw new RuntimeException(sprintf(
+                'Refusing to copy extra file with traversal segment: %s',
+                $relativeName,
+            ));
+        }
+
+        $destinationFullFilename = $extrasRoot . DIRECTORY_SEPARATOR . $relativeName;
 
         $destinationPath = dirname($destinationFullFilename);
 
         if (! file_exists($destinationPath)) {
             mkdir($destinationPath, 0777, true);
         }
 
+        $destinationReal = realpath($destinationPath);
+        $extrasReal      = realpath($extrasRoot);
+
+        if (
+            $destinationReal === false
+            || $extrasReal === false
+            || ! str_starts_with($destinationReal . DIRECTORY_SEPARATOR, $extrasReal . DIRECTORY_SEPARATOR)
+        ) {
+            throw new RuntimeException(sprintf(
+                'Refusing to copy extra file: destination %s escapes extras root %s',
+                $destinationPath,
+                $extrasRoot,
+            ));
+        }
+
         if (! copy($file->getPathname(), $destinationFullFilename) || ! file_exists($destinationFullFilename) && ! is_file($destinationFullFilename)) {
             throw new RuntimeException('Failed to copy to ' . $destinationFullFilename);
         }
diff --git a/test/unit/Installing/WindowsInstallTest.php b/test/unit/Installing/WindowsInstallTest.php
@@ -0,0 +1,198 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Php\PieUnitTest\Installing;
+
+use Composer\IO\BufferIO;
+use Composer\Package\CompletePackageInterface;
+use Php\Pie\DependencyResolver\Package;
+use Php\Pie\Downloading\DownloadedPackage;
+use Php\Pie\ExtensionName;
+use Php\Pie\ExtensionType;
+use Php\Pie\Installing\SetupIniFile;
+use Php\Pie\Installing\WindowsInstall;
+use Php\Pie\Platform\Architecture;
+use Php\Pie\Platform\OperatingSystem;
+use Php\Pie\Platform\OperatingSystemFamily;
+use Php\Pie\Platform\TargetPhp\PhpBinaryPath;
+use Php\Pie\Platform\TargetPlatform;
+use Php\Pie\Platform\ThreadSafetyMode;
+use Php\Pie\Platform\WindowsCompiler;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\TestCase;
+use ReflectionClass;
+use RuntimeException;
+use SplFileInfo;
+
+use function mkdir;
+use function symlink;
+use function sys_get_temp_dir;
+use function touch;
+use function uniqid;
+
+#[CoversClass(WindowsInstall::class)]
+final class WindowsInstallTest extends TestCase
+{
+    public function testCopyExtraFileWithTraversalThrowsException(): void
+    {
+        $tempDir = sys_get_temp_dir() . '/' . uniqid('pie_test_', true);
+        mkdir($tempDir);
+        mkdir($tempDir . '/source');
+
+        $setupIniFile = $this->createMock(SetupIniFile::class);
+        $installer    = new WindowsInstall($setupIniFile);
+
+        $package = new Package(
+            $this->createMock(CompletePackageInterface::class),
+            ExtensionType::PhpModule,
+            ExtensionName::normaliseFromString('test'),
+            'foo/bar',
+            '1.2.3',
+            null,
+        );
+
+        $downloadedPackage = DownloadedPackage::fromPackageAndExtractedPath($package, $tempDir . '/source');
+
+        $phpBinaryPath = $this->createMock(PhpBinaryPath::class);
+        /** @phpstan-ignore property.notFound */
+        (fn () => $this->phpBinaryPath = $tempDir . '/bin/php.exe')
+            ->bindTo($phpBinaryPath, PhpBinaryPath::class)();
+        $phpBinaryPath->method('majorMinorVersion')->willReturn('8.5');
+        $phpBinaryPath->method('extensionPath')->willReturn($tempDir . '/ext');
+        mkdir($tempDir . '/ext', 0777, true);
+
+        $targetPlatform = new TargetPlatform(
+            OperatingSystem::Windows,
+            OperatingSystemFamily::Windows,
+            $phpBinaryPath,
+            Architecture::x86_64,
+            ThreadSafetyMode::ThreadSafe,
+            1,
+            WindowsCompiler::VS16,
+        );
+
+        mkdir($tempDir . '/bin', 0777, true);
+        touch($tempDir . '/bin/php.exe');
+
+        $file = $this->createMock(SplFileInfo::class);
+        $file->method('getPathname')->willReturn($tempDir . '/source/../escape.txt');
+
+        $reflection = new ReflectionClass(WindowsInstall::class);
+        $method     = $reflection->getMethod('copyExtraFile');
+        $method->setAccessible(true);
+
+        $this->expectException(RuntimeException::class);
+        $this->expectExceptionMessage('Refusing to copy extra file with traversal segment');
+
+        $method->invoke($installer, $targetPlatform, $downloadedPackage, $file);
+    }
+
+    public function testCopyExtraFileWithDestinationEscapeThrowsException(): void
+    {
+        $tempDir = sys_get_temp_dir() . '/' . uniqid('pie_test_', true);
+        mkdir($tempDir);
+        mkdir($tempDir . '/source');
+        mkdir($tempDir . '/bin', 0777, true);
+        touch($tempDir . '/bin/php.exe');
+
+        $setupIniFile = $this->createMock(SetupIniFile::class);
+        $installer    = new WindowsInstall($setupIniFile);
+
+        $package = new Package(
+            $this->createMock(CompletePackageInterface::class),
+            ExtensionType::PhpModule,
+            ExtensionName::normaliseFromString('test'),
+            'foo/bar',
+            '1.2.3',
+            null,
+        );
+
+        $downloadedPackage = DownloadedPackage::fromPackageAndExtractedPath($package, $tempDir . '/source');
+
+        $phpBinaryPath = $this->createMock(PhpBinaryPath::class);
+        /** @phpstan-ignore property.notFound */
+        (fn () => $this->phpBinaryPath = $tempDir . '/bin/php.exe')
+            ->bindTo($phpBinaryPath, PhpBinaryPath::class)();
+        $phpBinaryPath->method('majorMinorVersion')->willReturn('8.5');
+        $phpBinaryPath->method('extensionPath')->willReturn($tempDir . '/ext');
+        mkdir($tempDir . '/ext', 0777, true);
+
+        $targetPlatform = new TargetPlatform(
+            OperatingSystem::Windows,
+            OperatingSystemFamily::Windows,
+            $phpBinaryPath,
+            Architecture::x86_64,
+            ThreadSafetyMode::ThreadSafe,
+            1,
+            WindowsCompiler::VS16,
+        );
+
+        $extrasRoot = $tempDir . '/bin/extras/test';
+        mkdir($extrasRoot, 0777, true);
+        mkdir($tempDir . '/outside');
+        symlink($tempDir . '/outside', $extrasRoot . '/escape');
+
+        $file = $this->createMock(SplFileInfo::class);
+        $file->method('getPathname')->willReturn($tempDir . '/source/escape/file.txt');
+
+        $reflection = new ReflectionClass(WindowsInstall::class);
+        $method     = $reflection->getMethod('copyExtraFile');
+        $method->setAccessible(true);
+
+        $this->expectException(RuntimeException::class);
+        $this->expectExceptionMessage('escapes extras root');
+
+        $method->invoke($installer, $targetPlatform, $downloadedPackage, $file);
+    }
+
+    public function testInvokeSkipsSymlinks(): void
+    {
+        $tempDir = sys_get_temp_dir() . '/' . uniqid('pie_test_', true);
+        mkdir($tempDir);
+        mkdir($tempDir . '/source');
+        mkdir($tempDir . '/outside');
+        touch($tempDir . '/outside/danger.txt');
+        symlink($tempDir . '/outside/danger.txt', $tempDir . '/source/danger.link');
+
+        $setupIniFile = $this->createMock(SetupIniFile::class);
+        $installer    = new WindowsInstall($setupIniFile);
+
+        $package = new Package(
+            $this->createMock(CompletePackageInterface::class),
+            ExtensionType::PhpModule,
+            ExtensionName::normaliseFromString('test'),
+            'foo/bar',
+            '1.2.3',
+            null,
+        );
+
+        $downloadedPackage = DownloadedPackage::fromPackageAndExtractedPath($package, $tempDir . '/source');
+
+        $phpBinaryPath = $this->createMock(PhpBinaryPath::class);
+        /** @phpstan-ignore property.notFound */
+        (fn () => $this->phpBinaryPath = $tempDir . '/bin/php.exe')
+            ->bindTo($phpBinaryPath, PhpBinaryPath::class)();
+        $phpBinaryPath->method('majorMinorVersion')->willReturn('8.5');
+        $phpBinaryPath->method('extensionPath')->willReturn($tempDir . '/ext');
+        mkdir($tempDir . '/ext', 0777, true);
+
+        $targetPlatform = new TargetPlatform(
+            OperatingSystem::Windows,
+            OperatingSystemFamily::Windows,
+            $phpBinaryPath,
+            Architecture::x86_64,
+            ThreadSafetyMode::ThreadSafe,
+            1,
+            WindowsCompiler::VS16,
+        );
+
+        touch($tempDir . '/source/php_test-1.2.3-8.5-ts-vs16-x86_64.dll');
+
+        $output = new BufferIO();
+
+        $installer->__invoke($downloadedPackage, $targetPlatform, $output, false);
+
+        self::assertStringNotContainsString('danger.link', $output->getOutput());
+    }
+}
