Foundational improvements to v4 (#539)

* fixes-090326-v4

* Add error handling for invalid base directory paths

Throw exceptions when realpath cannot be determined.

* Refactor test descriptions for clarity

* Updated workflows to run against v4 branch

* improve lookup

* improve checking

* 🪄 Code Style Fixes

* Removed serialize/unserialize from AccessTokenAuthenticator

* 🪄 Code Style Fixes

* Added back SoloRequest

* Improved regex

* allow solo

* amend phpstan

* Added test

* work on windows

* 🪄 Code Style Fixes

* Fixed broken test for windows

* wip

* 🪄 Code Style Fixes

* Delete tests/Fixtures/Saloon/file.json

---------

Co-authored-by: Sam Carré <29132017+Sammyjo20@users.noreply.github.com>
Co-authored-by: JonPurvis <7534029+JonPurvis@users.noreply.github.com>

Author: JonPurvis

.github/workflows/php-cs-fixer.yml

@@ -6,6 +6,7 @@ on:
       - 'v1'
       - 'v2'
       - 'v3'
+      - 'v4'
   pull_request:
     branches:
       - '*'

.github/workflows/phpstan.yml

@@ -6,6 +6,7 @@ on:
       - 'v1'
       - 'v2'
       - 'v3'
+      - 'v4'
   pull_request:
     branches:
       - '*'

.github/workflows/tests.yml

@@ -6,6 +6,7 @@ on:
       - 'v1'
       - 'v2'
       - 'v3'
+      - 'v4'
   pull_request:
     branches:
       - '*'

src/Helpers/Storage.php

@@ -4,6 +4,7 @@
 
 namespace Saloon\Helpers;
 
+use InvalidArgumentException;
 use Saloon\Exceptions\DirectoryNotFoundException;
 use Saloon\Exceptions\UnableToCreateFileException;
 use Saloon\Exceptions\UnableToCreateDirectoryException;
@@ -51,12 +52,81 @@ protected function buildPath(string $path): string
         return rtrim($this->baseDirectory, $trimRules) . DIRECTORY_SEPARATOR . ltrim($path, $trimRules);
     }
 
+    /**
+     * Normalize a path by resolving . and .. segments (no filesystem access).
+     */
+    protected function normalizePath(string $path): string
+    {
+        $leadingSlash = $path !== '' && $path[0] === DIRECTORY_SEPARATOR;
+        $leadingDrive = mb_strlen($path) >= 2 && $path[1] === ':';
+
+        $segments = [];
+        foreach (preg_split('#[/\\\\]+#', $path, -1, PREG_SPLIT_NO_EMPTY) ?: [] as $segment) {
+            if ($segment === '.') {
+                continue;
+            }
+            if ($segment === '..') {
+                array_pop($segments);
+                continue;
+            }
+            $segments[] = $segment;
+        }
+
+        $result = implode(DIRECTORY_SEPARATOR, $segments);
+        if ($leadingSlash && $result !== '') {
+            $result = DIRECTORY_SEPARATOR . $result;
+        }
+        if ($leadingDrive && $result !== '' && ! preg_match('#^[a-zA-Z]:#', $result)) {
+            $result = $path[0] . ':' . $result;
+        }
+
+        return $result;
+    }
+
+    /**
+     * Ensure the resolved path is under the base directory to prevent path traversal.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function ensurePathUnderBase(string $fullPath): void
+    {
+        $baseReal = realpath($this->baseDirectory);
+
+        if ($baseReal === false) {
+            throw new InvalidArgumentException('Unable to determine the realpath of the base directory.');
+        }
+
+        if (str_contains($fullPath, '~')) {
+            throw new InvalidArgumentException('Path must remain inside the storage base directory.');
+        }
+
+        $baseTrimmed = rtrim($this->baseDirectory, DIRECTORY_SEPARATOR . ' ');
+        $baseNorm = $this->normalizePath($baseTrimmed);
+        $fullNorm = $this->normalizePath($fullPath);
+        $baseWithSep = $baseNorm . DIRECTORY_SEPARATOR;
+
+        if ($baseTrimmed !== '' && $fullNorm !== $baseNorm && ! str_starts_with($fullNorm, $baseWithSep)) {
+            throw new InvalidArgumentException('Path must remain inside the storage base directory.');
+        }
+
+        $pathSuffix = $baseTrimmed === '' ? $fullPath : ($fullNorm === $baseNorm ? '' : mb_substr($fullNorm, mb_strlen($baseWithSep)));
+        $normalizedAbsolute = $this->normalizePath($baseReal . DIRECTORY_SEPARATOR . $pathSuffix);
+
+        $baseWithSeparator = $baseReal . DIRECTORY_SEPARATOR;
+        if ($normalizedAbsolute !== $baseReal && ! str_starts_with($normalizedAbsolute, $baseWithSeparator)) {
+            throw new InvalidArgumentException('Path must remain inside the storage base directory.');
+        }
+    }
+
     /**
      * Check if the file exists
      */
     public function exists(string $path): bool
     {
-        return file_exists($this->buildPath($path));
+        $fullPath = $this->buildPath($path);
+        $this->ensurePathUnderBase($fullPath);
+
+        return file_exists($fullPath);
     }
 
     /**
@@ -72,7 +142,10 @@ public function missing(string $path): bool
      */
     public function get(string $path): bool|string
     {
-        return file_get_contents($this->buildPath($path));
+        $fullPath = $this->buildPath($path);
+        $this->ensurePathUnderBase($fullPath);
+
+        return file_get_contents($fullPath);
     }
 
     /**
@@ -85,6 +158,7 @@ public function get(string $path): bool|string
     public function put(string $path, string $contents): static
     {
         $fullPath = $this->buildPath($path);
+        $this->ensurePathUnderBase($fullPath);
 
         $directoryWithoutFilename = implode(DIRECTORY_SEPARATOR, explode(DIRECTORY_SEPARATOR, $fullPath, -1));
 

src/Helpers/URLHelper.php

@@ -4,6 +4,8 @@
 
 namespace Saloon\Helpers;
 
+use InvalidArgumentException;
+
 /**
  * @internal
  */
@@ -19,10 +21,23 @@ public static function matches(string $pattern, string $value): bool
 
     /**
      * Join a base url and an endpoint together.
+     *
+     * When the connector has a base URL, the endpoint must be a relative path (e.g. "/users" or "users").
+     * Absolute URLs in the endpoint are not allowed in that case (SSRF / credential leakage).
+     * When the base URL is empty (e.g. Solo Request), the endpoint may be an absolute URL.
+     *
+     * @throws InvalidArgumentException When the endpoint is an absolute URL and the base URL is not empty
      */
     public static function join(string $baseUrl, string $endpoint): string
     {
-        if (static::isValidUrl($endpoint)) {
+        $baseTrimmed = trim($baseUrl, '/ ');
+        if ($baseTrimmed !== '' && static::isValidUrl($endpoint)) {
+            throw new InvalidArgumentException(
+                'Absolute URLs are not allowed in the endpoint. The endpoint must be a relative path to prevent SSRF and credential leakage. To request a different host, use a connector with that host as the base URL.'
+            );
+        }
+
+        if ($baseTrimmed === '' && static::isValidUrl($endpoint)) {
             return $endpoint;
         }
 

src/Http/Auth/AccessTokenAuthenticator.php

@@ -88,20 +88,4 @@ public function isNotRefreshable(): bool
     {
         return ! $this->isRefreshable();
     }
-
-    /**
-     * Serialize the access token.
-     */
-    public function serialize(): string
-    {
-        return serialize($this);
-    }
-
-    /**
-     * Unserialize the access token.
-     */
-    public static function unserialize(string $string): static
-    {
-        return unserialize($string, ['allowed_classes' => true]);
-    }
 }

src/Http/Faking/Fixture.php

@@ -5,6 +5,7 @@
 namespace Saloon\Http\Faking;
 
 use Saloon\MockConfig;
+use function preg_match;
 use Saloon\Helpers\Storage;
 use Saloon\Helpers\ArrayHelpers;
 use Saloon\Data\RecordedResponse;
@@ -155,6 +156,9 @@ public function store(RecordedResponse $recordedResponse): static
     /**
      * Get the fixture path
      *
+     * The fixture name must not contain path components (/, \, ..) to prevent path traversal.
+     * Only alphanumeric characters, hyphens, and underscores are allowed.
+     *
      * @throws \Saloon\Exceptions\FixtureException
      */
     public function getFixturePath(): string
@@ -169,6 +173,11 @@ public function getFixturePath(): string
             throw new FixtureException('The fixture must have a name');
         }
 
+        if (str_contains($name, "\0") || str_contains($name, '..') || str_contains($name, '~')
+            || ! preg_match('/^[a-zA-Z0-9\/_\-\\\\]+$/', $name)) {
+            throw new FixtureException('The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.');
+        }
+
         return sprintf('%s.%s', $name, $this::$fixtureExtension);
     }
 

tests/Feature/FixturePathTraversalTest.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+use Saloon\Helpers\Storage;
+use Saloon\Http\Faking\Fixture;
+use Saloon\Data\RecordedResponse;
+use Saloon\Exceptions\FixtureException;
+
+beforeEach(function () {
+    $this->fixtureBaseDir = sys_get_temp_dir() . '/saloon_fixture_traversal_' . uniqid('', true);
+    mkdir($this->fixtureBaseDir, 0777, true);
+});
+
+afterEach(function () {
+    if (isset($this->fixtureBaseDir) && is_dir($this->fixtureBaseDir)) {
+        array_map('unlink', glob($this->fixtureBaseDir . '/*') ?: []);
+        rmdir($this->fixtureBaseDir);
+    }
+    $escapeWritePath = sys_get_temp_dir() . '/traversal_write_test.json';
+    if (file_exists($escapeWritePath)) {
+        unlink($escapeWritePath);
+    }
+    $escapeReadPath = sys_get_temp_dir() . '/traversal_read_target.json';
+    if (file_exists($escapeReadPath)) {
+        unlink($escapeReadPath);
+    }
+});
+
+test('fixture name with path traversal throws when getting mock response and does not read outside base', function () {
+    $storage = new Storage($this->fixtureBaseDir, true);
+
+    $externalPath = sys_get_temp_dir() . '/traversal_read_target.json';
+    $secretContent = 'read_from_outside';
+    file_put_contents($externalPath, json_encode([
+        'statusCode' => 200,
+        'headers' => [],
+        'data' => '{"secret":"' . $secretContent . '"}',
+        'context' => [],
+    ]));
+
+    $traversalName = '..' . DIRECTORY_SEPARATOR . 'traversal_read_target';
+    $fixture = new Fixture($traversalName, $storage);
+
+    expect(fn () => $fixture->getMockResponse())
+        ->toThrow(FixtureException::class, 'The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.');
+
+    expect(file_get_contents($externalPath))->toContain($secretContent);
+});
+
+test('fixture name with path traversal throws when storing and does not write outside base', function () {
+    $storage = new Storage($this->fixtureBaseDir, true);
+
+    $traversalName = '..' . DIRECTORY_SEPARATOR . 'traversal_write_test';
+    $fixture = new Fixture($traversalName, $storage);
+
+    $recordedResponse = new RecordedResponse(200, [], '{"pwned":true}');
+
+    expect(fn () => $fixture->store($recordedResponse))
+        ->toThrow(FixtureException::class, 'The fixture name must not contain directory traversal components or invalid characters. Only alphanumeric characters, hyphens, slashes, and underscores are allowed.');
+
+    $escapePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal_write_test.json';
+    expect(file_exists($escapePath))->toBeFalse();
+});

tests/Feature/MockRequestTest.php

@@ -739,3 +739,13 @@ function (PendingRequest $pendingRequest): MockResponse {
 
     $mockClient->assertSent(UserRequest::class);
 });
+
+test('fixtures can be created in sub directories', function () {
+    $mockClient = new MockClient([
+        MockResponse::fixture('my-integration' . DIRECTORY_SEPARATOR .'user'), // Test Exact Route
+    ]);
+
+    connector()->send(new UserRequest, $mockClient);
+
+    $mockClient->assertSent(UserRequest::class);
+});

tests/Fixtures/Requests/AbsoluteEndpointRequest.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Saloon\Tests\Fixtures\Requests;
+
+use Saloon\Enums\Method;
+use Saloon\Http\Request;
+
+/**
+ * Request whose endpoint is an absolute URL - used to replicate SSRF
+ * (absolute URL override of baseUrl) in security tests.
+ */
+class AbsoluteEndpointRequest extends Request
+{
+    protected Method $method = Method::GET;
+
+    public function __construct(
+        private readonly string $endpoint = 'https://attacker.example.com/steal'
+    ) {
+    }
+
+    public function resolveEndpoint(): string
+    {
+        return $this->endpoint;
+    }
+}