Fix MakeViewVariableOptionalSolution to disallow stream wrappers and …

…files that do not end in .blade.php This is already fixed in 2.5.2, See #334 I could not update to 2.5.2 due to some dependent package required php 7.3, currently clients site is running in php 7.2 On branch 2.4.1-branch Changes to be committed: modified: src/Solutions/MakeViewVariableOptionalSolution.php
facade · Feb 18, 2021 · 11ffca1 · 11ffca1
1 parent 9fc6c3d
commit 11ffca1
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/Solutions/MakeViewVariableOptionalSolution.php b/src/Solutions/MakeViewVariableOptionalSolution.php
@@ -4,6 +4,7 @@
 
 use Facade\IgnitionContracts\RunnableSolution;
 use Illuminate\Support\Facades\Blade;
+use Illuminate\Support\Str;
 
 class MakeViewVariableOptionalSolution implements RunnableSolution
 {
@@ -70,8 +71,25 @@ public function run(array $parameters = [])
         }
     }
 
+    protected function isSafePath(string $path): bool
+    {
+        if (!Str::startsWith($path, ['/', './'])) {
+            return false;
+        }
+
+        if (!Str::endsWith($path, '.blade.php')) {
+            return false;
+        }
+
+        return true;
+    }
+
     public function makeOptional(array $parameters = [])
     {
+        if (!$this->isSafePath($parameters['viewFile'])) {
+            return false;
+        }
+
         $originalContents = file_get_contents($parameters['viewFile']);
         $newContents = str_replace('$'.$parameters['variableName'], '$'.$parameters['variableName']." ?? ''", $originalContents);