improve(NO-TASK): Minor security hardening for path traversal

aaronware · aaronware · commit 9a4a492805c5 · 2025-07-18T11:50:21.000-04:00
diff --git a/includes/Core/View.php b/includes/Core/View.php
@@ -57,8 +57,12 @@ public function render( $file, $view_dir = null ) {
 			${$key} = $value;
 		}
 
-		$view_dir  = isset( $view_dir ) ? trailingslashit( $view_dir ) : COURIER_NOTICES_PATH . 'templates/';
-		$view_file = $view_dir . $file . '.php';
+		$view_dir  = isset( $view_dir ) ? $view_dir : COURIER_NOTICES_PATH . 'templates/';
+		$view_file = $this->validate_and_build_path( $file, $view_dir );
+
+		if ( false === $view_file ) {
+			wp_die( esc_html__( 'Invalid file path', 'courier-notices' ) . ': ' . esc_html( $file ) );
+		}
 
 		if ( ! file_exists( $view_file ) ) {
 			wp_die( esc_html( $view_file ) );
@@ -88,7 +92,7 @@ public function assign( $variable, $value ) {
 	 *
 	 * @since 1.0
 	 *
-	 * @param string $file File to get HTML string.
+	 * @param string $file     File to get HTML string.
 	 * @param string $view_dir View directory.
 	 *
 	 * @return string $html HTML output as string
@@ -99,7 +103,11 @@ public function get_text_view( $file, $view_dir = null ) {
 		}
 
 		$view_dir  = isset( $view_dir ) ? $view_dir : COURIER_NOTICES_PATH . 'templates/';
-		$view_file = $view_dir . $file . '.php';
+		$view_file = $this->validate_and_build_path( $file, $view_dir );
+
+		if ( false === $view_file ) {
+			return '';
+		}
 
 		if ( ! file_exists( $view_file ) ) {
 			return '';
@@ -125,4 +133,65 @@ public function get_text_view( $file, $view_dir = null ) {
 	protected function init_assignments() {
 		$this->variables = [];
 	}
+
+	/**
+	 * Validate and build secure file path
+	 *
+	 * @since 1.8.0
+	 *
+	 * @param string $file     The file name/path.
+	 * @param string $view_dir The view directory.
+	 *
+	 * @return string|false The validated file path or false if invalid.
+	 */
+	protected function validate_and_build_path( string $file, string $view_dir ) {
+		// Validate input parameters.
+		if ( ! is_string( $file ) || '' === $file ) {
+			return false;
+		}
+
+		if ( ! is_string( $view_dir ) || '' === $view_dir ) {
+			return false;
+		}
+
+		// Normalize the view directory to absolute path.
+		$view_dir = realpath( $view_dir );
+		if ( false === $view_dir ) {
+			return false;
+		}
+
+		// Ensure view directory is within the plugin directory.
+		$plugin_path = realpath( COURIER_NOTICES_PATH );
+		if ( false === $plugin_path || 0 !== strpos( $view_dir, $plugin_path ) ) {
+			return false;
+		}
+
+		// Remove any directory traversal attempts.
+		$file = str_replace( [ '../', '..\\', './', '.\\' ], '', $file );
+
+		// Remove any null bytes or other dangerous characters.
+		$file = str_replace( [ "\0", "\r", "\n" ], '', $file );
+
+		// Ensure file doesn't start with a slash or backslash.
+		$file = ltrim( $file, '/\\' );
+
+		// Validate file name - allow alphanumeric, hyphens, underscores, forward slashes, and dots
+		// but prevent directory traversal and other dangerous patterns.
+		if ( ! preg_match( '/^[a-zA-Z0-9\/_-]+$/', $file ) ) {
+			return false;
+		}
+
+		// Build the full file path with .php extension, ensuring proper path separators.
+		$view_file = rtrim( $view_dir, '/\\' ) . DIRECTORY_SEPARATOR . $file . '.php';
+
+		// Normalize the final path.
+		$real_file_path = realpath( $view_file );
+
+		// Ensure the final path is within the allowed directory.
+		if ( false === $real_file_path || 0 !== strpos( $real_file_path, $view_dir ) ) {
+			return false;
+		}
+
+		return $real_file_path;
+	}
 }
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -1075,61 +1075,11 @@ parameters:
 			count: 1
 			path: includes/Controller/Integrations/Stream.php
 
-		-
-			message: "#^Call to static method add_command\\(\\) on an unknown class WP_CLI\\.$#"
-			count: 1
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Call to static method error\\(\\) on an unknown class WP_CLI\\.$#"
-			count: 10
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Call to static method log\\(\\) on an unknown class WP_CLI\\.$#"
-			count: 5
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Call to static method success\\(\\) on an unknown class WP_CLI\\.$#"
-			count: 2
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Call to static method warning\\(\\) on an unknown class WP_CLI\\.$#"
-			count: 2
-			path: includes/Controller/Integrations/WP_CLI.php
-
 		-
 			message: "#^Cannot access offset 0 on non\\-empty\\-array\\<WP_Term\\>\\|WP_Error\\.$#"
 			count: 6
 			path: includes/Controller/Integrations/WP_CLI.php
 
-		-
-			message: "#^Cannot access property \\$post_content on WP_Post\\|null\\.$#"
-			count: 1
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Cannot access property \\$post_date on WP_Post\\|null\\.$#"
-			count: 1
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Cannot access property \\$post_modified on WP_Post\\|null\\.$#"
-			count: 1
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Cannot access property \\$post_status on WP_Post\\|null\\.$#"
-			count: 2
-			path: includes/Controller/Integrations/WP_CLI.php
-
-		-
-			message: "#^Cannot access property \\$post_title on WP_Post\\|null\\.$#"
-			count: 2
-			path: includes/Controller/Integrations/WP_CLI.php
-
 		-
 			message: "#^Construct empty\\(\\) is not allowed\\. Use more strict comparison\\.$#"
 			count: 4
@@ -1236,17 +1186,17 @@ parameters:
 			path: includes/Controller/Integrations/WP_CLI.php
 
 		-
-			message: "#^Parameter \\#1 \\$post of function get_the_terms expects int\\|WP_Post, bool\\|int given\\.$#"
+			message: "#^Parameter \\#1 \\$post of function get_the_terms expects int\\|WP_Post, int\\<min, \\-1\\>\\|int\\<1, max\\>\\|true given\\.$#"
 			count: 4
 			path: includes/Controller/Integrations/WP_CLI.php
 
 		-
-			message: "#^Parameter \\#1 \\$post_id of function update_post_meta expects int, bool\\|int given\\.$#"
+			message: "#^Parameter \\#1 \\$post_id of function update_post_meta expects int, int\\<min, \\-1\\>\\|int\\<1, max\\>\\|true given\\.$#"
 			count: 1
 			path: includes/Controller/Integrations/WP_CLI.php
 
 		-
-			message: "#^Parameter \\#1 \\$post_id of method CourierNotices\\\\Controller\\\\Action_Scheduler\\:\\:schedule_notice_expiration\\(\\) expects int, bool\\|int given\\.$#"
+			message: "#^Parameter \\#1 \\$post_id of method CourierNotices\\\\Controller\\\\Action_Scheduler\\:\\:schedule_notice_expiration\\(\\) expects int, int\\<min, \\-1\\>\\|int\\<1, max\\>\\|true given\\.$#"
 			count: 1
 			path: includes/Controller/Integrations/WP_CLI.php
 
@@ -1575,6 +1525,11 @@ parameters:
 			count: 1
 			path: includes/Core/Database.php
 
+		-
+			message: "#^Call to function is_string\\(\\) with string will always evaluate to true\\.$#"
+			count: 2
+			path: includes/Core/View.php
+
 		-
 			message: "#^Constructor of class CourierNotices\\\\Core\\\\View has an unused parameter \\$config\\.$#"
 			count: 1
@@ -1590,6 +1545,11 @@ parameters:
 			count: 1
 			path: includes/Core/View.php
 
+		-
+			message: "#^Only booleans are allowed in a negated boolean, int\\|false given\\.$#"
+			count: 1
+			path: includes/Core/View.php
+
 		-
 			message: "#^Property CourierNotices\\\\Core\\\\View\\:\\:\\$variables type has no value type specified in iterable type array\\.$#"
 			count: 1
