Merge commit from fork

anicho123 · web-flow · commit 47555b615b3c · 2025-10-01T13:33:48.000+05:30
fix: Enhance file validation in HttpRequest to prevent arbitrary file read vulnerabilities
diff --git a/src/Utility/Assert.php b/src/Utility/Assert.php
@@ -3937,6 +3937,7 @@ public static function file($value, $message = ''): void
 
     /**
      * Will also pass if $value is a directory, use Assert::file() instead if you need to be sure it is a file.
+     * Prevents arbitrary file read vulnerabilities by rejecting paths with protocol separators.
      *
      * @param mixed  $value
      * @param string $message
@@ -3947,6 +3948,14 @@ public static function fileExists($value, $message = ''): void
     {
         self::string($value);
 
+        // Reject paths containing protocol separators to prevent arbitrary file read
+        if (str_contains((string) $value, '://')) {
+            self::reportInvalidArgument(sprintf(
+                $message ?: 'File paths with protocol separators ("://") are not allowed: %s',
+                self::valueToString($value),
+            ));
+        }
+
         if (! file_exists($value)) {
             self::reportInvalidArgument(sprintf(
                 $message ?: 'The file %s does not exist.',
diff --git a/src/Utility/HttpRequest.php b/src/Utility/HttpRequest.php
@@ -10,6 +10,7 @@
 use Exception;
 use Http\Message\MultipartStream\MultipartStreamBuilder;
 use Psr\Http\Client\ClientExceptionInterface;
+
 use Psr\Http\Message\{RequestInterface, ResponseInterface, StreamInterface};
 
 use function defined;
@@ -130,6 +131,8 @@ public function addFile(
         ?string $file_path,
     ): self {
         if (null !== $file_path) {
+            Assert::fileExists($file_path);
+            Assert::readable($file_path);
             $this->files[$field] = $file_path;
         }
 
diff --git a/tests/Unit/Utility/HttpRequestTest.php b/tests/Unit/Utility/HttpRequestTest.php
@@ -176,6 +176,56 @@ function(): HttpRequest {
     fn() => new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'get', '/' . uniqid())
 ]]);
 
+it('rejects file paths with protocol separators', function(): void {
+    $client = new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'post', '/');
+    
+    expect(fn() => $client->addFile('test', 'file:///etc/passwd'))
+        ->toThrow(\InvalidArgumentException::class, 'File paths with protocol separators ("://") are not allowed: "file:///etc/passwd"');
+        
+    expect(fn() => $client->addFile('test', 'http://example.com/file.txt'))
+        ->toThrow(\InvalidArgumentException::class, 'File paths with protocol separators ("://") are not allowed: "http://example.com/file.txt"');
+        
+    expect(fn() => $client->addFile('test', 'php://filter/convert.base64-encode/resource=/etc/passwd'))
+        ->toThrow(\InvalidArgumentException::class, 'File paths with protocol separators ("://") are not allowed: "php://filter/convert.base64-encode/resource=/etc/passwd"');
+});
+
+it('rejects file paths for non-existent or unreadable files', function(): void {
+    $client = new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'post', '/');
+    
+    // Non-existent file
+    expect(fn() => $client->addFile('test', '/non/existent/file.txt'))
+        ->toThrow(\InvalidArgumentException::class, 'The file "/non/existent/file.txt" does not exist.');
+    
+    // Create a temp file with no read permissions to test unreadable file
+    $tempFile = sys_get_temp_dir() . '/' . uniqid('auth0_test_');
+    file_put_contents($tempFile, 'test content');
+    chmod($tempFile, 0000); // Remove all permissions
+    
+    try {
+        expect(fn() => $client->addFile('test', $tempFile))
+            ->toThrow(\InvalidArgumentException::class);
+    } finally {
+        chmod($tempFile, 0666); // Restore permissions so we can delete it
+        @unlink($tempFile);
+    }
+});
+
+it('allows valid local file paths', function(): void {
+    $client = new HttpRequest($this->configuration, HttpClient::CONTEXT_GENERIC_CLIENT, 'post', '/');
+    
+    // Create a temporary file that exists and is readable
+    $tempFile = sys_get_temp_dir() . '/' . uniqid('auth0_test_');
+    file_put_contents($tempFile, 'test content');
+    
+    try {
+        // This should not throw an exception
+        $result = $client->addFile('test', $tempFile);
+        expect($result)->toBeInstanceOf(HttpRequest::class);
+    } finally {
+        @unlink($tempFile);
+    }
+});
+
 it('throws a NetworkException when the underlying client raises a ClientExceptionInterface', function(HttpRequest $client): void {
     $client->call();
 })->with(['mocked client' => [
