Allow for swoole to serve static files trough symlink

Max Eckel · Max Eckel · commit a4910b69f0b2 · 2021-04-10T21:36:29.000+02:00
diff --git a/src/Swoole/SwooleClient.php b/src/Swoole/SwooleClient.php
@@ -56,17 +56,67 @@ public function canServeRequestAsStaticFile(Request $request, RequestContext $co
 
         $publicPath = $context->publicPath;
 
+        $realpath = realpath($publicPath.'/'.$request->path());
+
+        if($this->checkSymlinkInPath($publicPath, $realpath, $request->path())) {
+            $realpath = $publicPath.'/'.$request->path();
+        }
+
         return $this->fileIsServable(
             $publicPath,
-            realpath($publicPath.'/'.$request->path()),
+            $realpath,
         );
     }
 
     /**
-     * Determine if the given file is servable.
+     * Checks whether the request path contains a Symlink.
+     * When a Symlink is found, it is checked against the the resolved real path,
+     * in order to protect against directory traversal.
      *
      * @param  string  $publicPath
-     * @param  string  $pathToFile
+     * @param  string  $realPath
+     * @param  string  $requestPath
+     * @return bool
+     */
+    private function checkSymlinkInPath(string $publicPath, string $realPath, string $requestPath): bool
+    {
+        $resolvedPathIfSymlink = $this->pathContainsSymlink($publicPath, $requestPath);
+
+        if (! $resolvedPathIfSymlink) {
+            return false;
+        }
+
+        return str_ends_with($realPath, $resolvedPathIfSymlink);
+    }
+
+    /**
+     * Determine whether the path contains a symlink.
+     * When a symlink is found, the path after it is returned.
+     *
+     * @param  string $publicPath
+     * @param  string $path
+     * @return string|bool
+     */
+    private function pathContainsSymlink(string $publicPath, string $path): string|bool
+    {
+        $dirs = explode('/', $path);
+
+        while ($dir = array_shift($dirs)) {
+            $publicPath .= '/'.$dir;
+
+            if (is_link($publicPath)) {
+                return implode('/', $dirs);
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Determine if the given file is servable.
+     *
+     * @param  string $publicPath
+     * @param  string $pathToFile
      * @return bool
      */
     protected function fileIsServable(string $publicPath, string $pathToFile): bool
diff --git a/tests/SwooleClientTest.php b/tests/SwooleClientTest.php
@@ -116,6 +116,34 @@ public function test_static_file_can_be_served()
         $client->serveStaticFile($request, $context);
     }
 
+    /** @test */
+    public function test_can_serve_static_files_through_symlink()
+    {
+        $client = new SwooleClient;
+
+        $request = Request::create('/symlink/foo.txt', 'GET');
+
+        $context = new RequestContext([
+            'publicPath' => __DIR__.'/public/files',
+        ]);
+
+        $this->assertTrue($client->canServeRequestAsStaticFile($request, $context));
+    }
+
+    /** @test */
+    public function test_cant_serve_static_files_through_symlink_using_directory_traversal()
+    {
+        $client = new SwooleClient;
+
+        $request = Request::create('/symlink/../files/bar.txt', 'GET');
+
+        $context = new RequestContext([
+            'publicPath' => __DIR__.'/public/files',
+        ]);
+
+        $this->assertFalse($client->canServeRequestAsStaticFile($request, $context));
+    }
+
     /** @doesNotPerformAssertions @test */
     public function test_respond_method_send_response_to_swoole()
     {
diff --git a/tests/public/files/symlink b/tests/public/files/symlink
@@ -0,0 +1 @@
+../symlinkedFolder
diff --git a/tests/public/symlinkedFolder/foo.txt b/tests/public/symlinkedFolder/foo.txt
