Fix: Prevent phar:// paths from leaking to frontend assets and strictly validate URLs (#7)

Ezar101 · web-flow · commit 8ace9f845f70 · 2025-12-25T20:29:30.000+04:00
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@ litedocs.phar
 composer.lock
 /bin/litedocs.phar
 .php-cs-fixer.cache
+box.phar
diff --git a/box.json b/box.json
@@ -2,7 +2,7 @@
     "main": "bin/litedocs",
     "output": "litedocs.phar",
     "directories": ["src", "config", "vendor"],
-    "files": ["composer.json", "composer.lock"],
+    "files": ["composer.json", "composer.lock", "LICENSE", "README.md"],
     "compression": "GZ",
     "chmod": "0755"
 }
diff --git a/src/Core/Kernel.php b/src/Core/Kernel.php
@@ -20,7 +20,7 @@
 
 class Kernel
 {
-    public const string VERSION = '1.0.3';
+    public const string VERSION = '1.0.4';
 
     private array $config;
 
@@ -321,13 +321,17 @@ private function createRedirectPage(string $path, string $target): void
 
     private function processAsset(string $assetPath, string $siteDir, string $rootPath): string
     {
-        if (filter_var($assetPath, FILTER_VALIDATE_URL)) {
+        // if (filter_var($assetPath, FILTER_VALIDATE_URL)) {
+        //     return $assetPath;
+        // }
+
+        if (str_starts_with($assetPath, 'http://') || str_starts_with($assetPath, 'https://') || str_starts_with($assetPath, '//')) {
             return $assetPath;
         }
 
         if (!file_exists($assetPath)) {
-            trigger_error("Asset not found: $assetPath", E_USER_WARNING);
-            return $assetPath;
+            trigger_error("Asset not found (excluded from build?): $assetPath", E_USER_WARNING);
+            return '';
         }
 
         $extension = pathinfo($assetPath, PATHINFO_EXTENSION);
diff --git a/src/Resources/themes/lite/assets/css/style.css b/src/Resources/themes/lite/assets/css/style.css

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`"main": "bin/litedocs",`
`3`	`3`	`"output": "litedocs.phar",`
`4`	`4`	`"directories": ["src", "config", "vendor"],`
`5`		`- "files": ["composer.json", "composer.lock"],`
	`5`	`+ "files": ["composer.json", "composer.lock", "LICENSE", "README.md"],`
`6`	`6`	`"compression": "GZ",`
`7`	`7`	`"chmod": "0755"`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@`
`20`	`20`
`21`	`21`	`class Kernel`
`22`	`22`	`{`
`23`		`- public const string VERSION = '1.0.3';`
	`23`	`+ public const string VERSION = '1.0.4';`
`24`	`24`
`25`	`25`	`private array $config;`
`26`	`26`
`@@ -321,13 +321,17 @@ private function createRedirectPage(string $path, string $target): void`
`321`	`321`
`322`	`322`	`private function processAsset(string $assetPath, string $siteDir, string $rootPath): string`
`323`	`323`	`{`
`324`		`- if (filter_var($assetPath, FILTER_VALIDATE_URL)) {`
	`324`	`+ // if (filter_var($assetPath, FILTER_VALIDATE_URL)) {`
	`325`	`+ // return $assetPath;`
	`326`	`+ // }`
	`327`	`+`
	`328`	`+ if (str_starts_with($assetPath, 'http://') \|\| str_starts_with($assetPath, 'https://') \|\| str_starts_with($assetPath, '//')) {`
`325`	`329`	`return $assetPath;`
`326`	`330`	`}`
`327`	`331`
`328`	`332`	`if (!file_exists($assetPath)) {`
`329`		`- trigger_error("Asset not found: $assetPath", E_USER_WARNING);`
`330`		`- return $assetPath;`
	`333`	`+ trigger_error("Asset not found (excluded from build?): $assetPath", E_USER_WARNING);`
	`334`	`+ return '';`
`331`	`335`	`}`
`332`	`336`
`333`	`337`	`$extension = pathinfo($assetPath, PATHINFO_EXTENSION);`