fix: use canonical parser for Windows path validation

Problem: - validateVolumeStringForInjection used explode(':') to parse volume strings - This incorrectly splits Windows paths like "C:\host\path:/container" at the drive letter colon - Could lead to false positives/negatives in injection detection Solution: - Replace custom parsing in validateVolumeStringForInjection with call to parseDockerVolumeString - parseDockerVolumeString already handles Windows paths, environment variables, and performs validation - Eliminates code duplication and uses single source of truth for volume string parsing Tests: - All 77 existing security tests pass (211 assertions) - Added 6 new Windows path tests (8 assertions) - Fixed pre-existing test bug: preg_match returns int 1, not boolean true 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-20 07:21:01 +00:00 · 2025-10-16 09:02:26 +02:00
parent 3700f78355
commit a219f2e80e
3 changed files with 67 additions and 48 deletions
--- a/bootstrap/helpers/parsers.php
+++ b/bootstrap/helpers/parsers.php
@@ -104,53 +104,8 @@ function validateDockerComposeForInjection(string $composeYaml): void
 */
 function validateVolumeStringForInjection(string $volumeString): void
 {
-    // Parse the volume string to extract source and target
-    $parts = explode(':', $volumeString);
-    if (count($parts) < 2) {
-        // Named volume without target - only validate the name
-        try {
-            validateShellSafePath($parts[0], 'volume name');
-        } catch (\Exception $e) {
-            throw new \Exception(
-                'Invalid Docker volume definition: '.$e->getMessage().
-                ' Please use safe names without shell metacharacters.',
-                0,
-                $e
-            );
-        }
-
-        return;
-    }
-
-    $source = $parts[0];
-    $target = $parts[1];
-
-    // Validate source (but allow simple environment variables)
-    $isSimpleEnvVar = preg_match('/^\$\{[a-zA-Z_][a-zA-Z0-9_]*\}$/', $source);
-    if (! $isSimpleEnvVar) {
-        try {
-            validateShellSafePath($source, 'volume source');
-        } catch (\Exception $e) {
-            throw new \Exception(
-                'Invalid Docker volume definition: '.$e->getMessage().
-                ' Please use safe path names without shell metacharacters.',
-                0,
-                $e
-            );
-        }
-    }
-
-    // Validate target
-    try {
-        validateShellSafePath($target, 'volume target');
-    } catch (\Exception $e) {
-        throw new \Exception(
-            'Invalid Docker volume definition: '.$e->getMessage().
-            ' Please use safe path names without shell metacharacters.',
-            0,
-            $e
-        );
-    }
+    // Canonical parsing also validates and throws on unsafe input
+    parseDockerVolumeString($volumeString);
 }

 function parseDockerVolumeString(string $volumeString): array