Merge branch '5.x' into 6.x

Author: jasonvarga

src/Data/DataCollection.php

@@ -7,9 +7,9 @@
 use Illuminate\Support\Collection as IlluminateCollection;
 use Statamic\Exceptions\MethodNotFoundException;
 use Statamic\Facades\Compare;
+use Statamic\Query\ResolveValue;
 use Statamic\Search\PlainResult;
 use Statamic\Search\Result;
-use Statamic\Support\Str;
 
 /**
  * An abstract collection of data types.
@@ -100,15 +100,7 @@ protected function getSortableValue($sort, $item)
             $item = $item->getSearchable() ?? $item;
         }
 
-        if (method_exists($item, $method = Str::camel($sort))) {
-            return $this->normalizeSortableValue(call_user_func([$item, $method]));
-        }
-
-        if (method_exists($item, 'value')) {
-            return $this->normalizeSortableValue($item->value($sort));
-        }
-
-        return $this->normalizeSortableValue($item->get($sort));
+        return $this->normalizeSortableValue((new ResolveValue)($item, $sort));
     }
 
     /**

src/Tokens/FileTokenRepository.php

@@ -11,11 +11,19 @@ class FileTokenRepository extends TokenRepository
 {
     public function make(?string $token, string $handler, array $data = []): TokenContract
     {
+        if ($token && ! $this->isValidTokenName($token)) {
+            throw new \InvalidArgumentException("Invalid token name [{$token}].");
+        }
+
         return app()->makeWith(TokenContract::class, compact('token', 'handler', 'data'));
     }
 
     public function find(string $token): ?TokenContract
     {
+        if (! $this->isValidTokenName($token)) {
+            return null;
+        }
+
         $path = storage_path('statamic/tokens/'.$token.'.yaml');
 
         if (! File::exists($path)) {
@@ -55,6 +63,11 @@ public function collectGarbage(): void
             ->each->delete();
     }
 
+    private function isValidTokenName(string $token): bool
+    {
+        return (bool) preg_match('/^[A-Za-z0-9_-]+\z/', $token);
+    }
+
     private function makeFromPath(string $path): FileToken
     {
         $yaml = YAML::file($path)->parse();

tests/Data/DataCollectionTest.php

@@ -3,7 +3,9 @@
 namespace Tests\Data;
 
 use PHPUnit\Framework\Attributes\Test;
+use Statamic\Contracts\Search\Searchable;
 use Statamic\Data\DataCollection;
+use Statamic\Search\Result;
 use Tests\TestCase;
 
 class DataCollectionTest extends TestCase
@@ -31,4 +33,69 @@ public function it_sorts_by_first_item_in_arrays()
 
         $this->assertEquals([1, 3, 2], $collection->multisort('foos')->pluck('id')->all());
     }
+
+    #[Test]
+    public function sorting_by_unsafe_method_does_not_invoke_it()
+    {
+        $a = new DataCollectionTestObject('alfa');
+        $b = new DataCollectionTestObject('bravo');
+
+        $collection = new DataCollection([$a, $b]);
+
+        $collection->multisort('delete');
+
+        $this->assertFalse($a->deleted);
+        $this->assertFalse($b->deleted);
+    }
+
+    #[Test]
+    public function sorting_search_results_by_unsafe_method_does_not_invoke_it()
+    {
+        $a = new DataCollectionTestObject('alfa');
+        $b = new DataCollectionTestObject('bravo');
+
+        $collection = new DataCollection([
+            new Result($a, 'test'),
+            new Result($b, 'test'),
+        ]);
+
+        $collection->multisort('delete');
+
+        $this->assertFalse($a->deleted);
+        $this->assertFalse($b->deleted);
+    }
+}
+
+class DataCollectionTestObject implements Searchable
+{
+    public bool $deleted = false;
+
+    public function __construct(public string $title)
+    {
+    }
+
+    public function delete()
+    {
+        $this->deleted = true;
+    }
+
+    public function get($key)
+    {
+        return $this->{$key} ?? null;
+    }
+
+    public function getSearchValue(string $field)
+    {
+        return $this->{$field} ?? null;
+    }
+
+    public function getSearchReference(): string
+    {
+        return 'test::'.$this->title;
+    }
+
+    public function toSearchResult(): Result
+    {
+        return new Result($this, 'test');
+    }
 }

tests/Tokens/TokenRepositoryTest.php

@@ -5,6 +5,7 @@
 use Facades\Statamic\Tokens\Generator;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Contracts\Tokens\Token;
 use Statamic\Facades\File;
@@ -129,6 +130,37 @@ public function attempting_to_find_a_non_existent_token_returns_null()
         $this->assertNull($this->tokens->find('missing-token'));
     }
 
+    #[Test]
+    public function it_prevents_path_traversal_in_find()
+    {
+        File::put(storage_path('statamic/evil.yaml'), "handler: 'Handler'\nexpires_at: 9999999999\ndata: []");
+
+        $this->assertNull($this->tokens->find('../evil'));
+    }
+
+    #[Test]
+    #[DataProvider('invalidTokenNameProvider')]
+    public function it_throws_when_making_a_token_with_an_invalid_name($token)
+    {
+        $this->expectException(\InvalidArgumentException::class);
+
+        $this->tokens->make($token, 'Handler');
+    }
+
+    public static function invalidTokenNameProvider()
+    {
+        return [
+            'parent traversal' => ['../evil'],
+            'backslash traversal' => ['..\\evil'],
+            'nested traversal' => ['foo/../../evil'],
+            'forward slash' => ['foo/evil'],
+            'dots only' => ['..'],
+            'absolute path' => ['/etc/passwd'],
+            'windows drive' => ['C:\\evil'],
+            'trailing newline' => ["evil\n"],
+        ];
+    }
+
     #[Test]
     public function it_deletes_expired_tokens()
     {