fix(security): disallow file extensions end with html

UniSharp · Aug 9, 2024 · 6b3adbc · 6b3adbc
1 parent ec483ed
commit 6b3adbc
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
@@ -85,6 +85,10 @@ public function extensionIsNotExcutable($excutable_extensions)
             throw new ExcutableFileException();
         }
 
+        if (preg_match('/[a-z]html/', $extension) > 0) {
+            throw new ExcutableFileException();
+        }
+
         return $this;
     }
 

diff --git a/tests/LfmUploadValidatorTest.php b/tests/LfmUploadValidatorTest.php
@@ -180,6 +180,18 @@ public function testFailsExtensionIsNotExcutableWithExtensionsStartsWithPhp()
         $validator->extensionIsNotExcutable(['php', 'html']);
     }
 
+    public function testFailsExtensionIsNotExcutableWithExtensionsEndsWithHtml()
+    {
+        $uploaded_file = m::mock(UploadedFile::class);
+        $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('dhtml');
+
+        $validator = new LfmUploadValidator($uploaded_file);
+
+        $this->expectException(ExcutableFileException::class);
+
+        $validator->extensionIsNotExcutable();
+    }
+
     public function testFailsExtensionIsValidWithSpecialCharacters()
     {
         $uploaded_file = m::mock(UploadedFile::class);