fix: enhance validation for database names and filenames to prevent command injection

2026-04-18 01:20:31 +00:00 · 2025-11-27 14:51:23 +01:00
parent 0073d045fb
commit 281a706231
2 changed files with 17 additions and 2 deletions
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@@ -111,8 +111,18 @@ class BackupEdit extends Component
            // Validate databases_to_backup to prevent command injection
            if (filled($this->databasesToBackup)) {
                $databases = str($this->databasesToBackup)->explode(',');
-                foreach ($databases as $db) {
-                    validateShellSafePath(trim($db), 'database name');
+                foreach ($databases as $index => $db) {
+                    $dbName = trim($db);
+                    try {
+                        validateShellSafePath($dbName, 'database name');
+                    } catch (\Exception $e) {
+                        // Provide specific error message indicating which database failed validation
+                        $position = $index + 1;
+                        throw new \Exception(
+                            "Database #{$position} ('{$dbName}') validation failed: ".
+                            $e->getMessage()
+                        );
+                    }
                }
            }